Cloud Security, Identity Solutions Heat Up The Summer

At Black Hat 2014, the best cloud security experts warned that spoofs, hacks, phishes and bots continue to pose risks for public and private cloud projects. With these threats in mind, IDN showcases companies that are moving to plug these cloud security gaps.

Tags: access, Amazon, API, authentication, Azure, cloud, DaaS, directory, federated, Google, identity, IDaaS, LDAP, management, mobile, security, SSL, SSO, virtualization

At Black Hat 2014 earlier this month, some of the world’s best cloud security technology experts gathered to discuss a range of vulnerabilities that still lie in wait for enterprise cloud and mobile projects. These Black Hat experts warn that spoofs, hacks, phishes and bots remain a risk for the major public cloud platforms from Amazon, Google and Microsoft Azure, as well as for commercial and open source software and hosted services.


With these threats in mind, IDN showcases companies that are moving to plug these cloud security gaps – without taking away performance, scalability or elasticity.



AdaptiveMobile presented the latest edition of its cloud-based MSM (mobile security management) platform at the Gartner Catalyst conference. Enterprise MSM is designed to simplify how enterprise IT manages devices and secures multiple connection points.

AdaptiveMobile’s Enterprise MSM is also designed to simplify threat detection and prevention, secure logon, user authentication, and mobile roaming protection, according to AdaptiveMobile CEO Brian Collins. Trials of AdaptiveMobile’s Enterprise MSM are currently in progress.


The platform arrives as cloud and big data projects are making current network security models obsolete, Collins noted.


“The burden of securing the enterprise in an age of hyper-connected, always-on mobile devices is stymieing traditional security models and placing undue stress on IT and other enterprise personnel,” Collins said in a statement. So, a new and modern model is needed that can secure all mobile users and devices at a base level, to protect both corporate data and employee privacy, while also easing burdens on IT, he added.


Amazon Web Services (AWS) is adding multi-factor authentication to its Amazon WorkSpaces DaaS (desktop-as-a-service) offering to make virtual desktop use less worrisome. Somewhat ironically for a cloud service, this added layer of access security comes courtesy of on-premises RADIUS servers.


AWS evangelist Jeff Barr explained the security upgrade this way:

Today we are enhancing WorkSpaces with support for multi-factor authentication using an on-premises RADIUS server. In plain English, your WorkSpaces users will now be able to authenticate themselves using the same mechanism that they already use for other forms of remote access to your organization’s resources.  Once this new feature has been enabled and configured, WorkSpaces users will log in by entering their Active Directory user name and password followed by an OTP (one-time passcode) supplied by a hardware or a software token.

Barr added some specific technical details for AWS admins:


WorkSpaces admins can configure this feature for users by entering the connection information (IP addresses, shared secret, protocol, timeout, and retry count) for their RADIUS server fleets in the Directories section of the WorkSpaces console.


Admins can also provision multiple RADIUS servers to increase availability, either by entering the IP addresses of all servers or by entering the same information for a load balancer in front of the fleet. The feature should work with any security provider that supports RADIUS authentication (AWS has verified it against Symantec VIP and Microsoft’s RADIUS server). AWS currently supports the PAP, CHAP, MS-CHAP1 and MS-CHAP2 protocols, along with RADIUS proxies, he added.


Customers will still be able to easily provision and manage cloud-based desktops that can be accessed from laptops, iPads, Kindle Fire, and Android tablets. The multi-factor authentication support is included in the monthly price of WorkSpaces. However, the RADIUS server and tokens are not included.
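Barr’s description boils down to one RADIUS Access-Request carrying the user name and a single User-Password attribute that holds the Active Directory password with the token code appended, and one signed Access-Accept or Access-Reject back. The example below, added here and not code from AWS, Symantec or any vendor on this page, walks through that exchange in the clear for the PAP case: RFC 2865 User-Password hiding keyed by the shared secret, a mock RADIUS server that splits the credential, checks both factors (the OTP is RFC 4226 HOTP with a counter window, so a captured code cannot be replayed), and a client that validates the Response Authenticator before trusting the verdict. The user store, shared secret, six-digit OTP length and attribute set are constructed assumptions; a real deployment hands the AD password to the directory and the OTP to the token vendor.

```python
# Added example (not AWS, IDN or vendor code): a minimal RFC 2865 RADIUS PAP
# exchange where the client sends "<AD password><OTP>" as one User-Password
# attribute and a mock server splits it, checks both factors and replies with a
# signed Access-Accept/Reject. All names, secrets and keys here are constructed.
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2
OTP_DIGITS = 6    # assumption: the token appends a 6-digit code to the AD password
OTP_WINDOW = 3    # accept the next 3 HOTP counters to tolerate skipped codes

# Constructed user store: SHA-256 of the AD password plus an RFC 4226 HOTP key.
USERS = {
    "alice": {
        "pw_hash": hashlib.sha256(b"Correct-Horse-9").hexdigest(),
        "otp_key": b"12345678901234567890",   # RFC 4226 test-vector key
        "counter": 0,
    }
}


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def hide_password(secret: bytes, req_auth: bytes, password: bytes) -> bytes:
    """RFC 2865 5.2: c_i = p_i XOR MD5(secret + c_{i-1}), c_0 = Request Authenticator."""
    assert 1 <= len(password) <= 128
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        block = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out, prev = out + block, block
    return out


def reveal_password(secret: bytes, req_auth: bytes, hidden: bytes) -> bytes:
    """Inverse of hide_password; the keystream chains on the *hidden* blocks."""
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out, prev = out + _xor(block, hashlib.md5(secret + prev).digest()), block
    return out.rstrip(b"\x00")  # strip NUL padding (passwords ending in NUL unsupported)


def build_packet(code: int, ident: int, authenticator: bytes, attrs) -> bytes:
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


def parse_packet(pkt: bytes):
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    attrs, pos = [], 20
    while pos < length:
        t, ln = pkt[pos], pkt[pos + 1]
        attrs.append((t, pkt[pos + 2:pos + ln]))
        pos += ln
    return code, ident, pkt[4:20], attrs


def hotp(key: bytes, counter: int, digits: int = OTP_DIGITS) -> str:
    """RFC 4226 HOTP: dynamic truncation of HMAC-SHA1(key, counter)."""
    h = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    off = h[-1] & 0x0F
    code = ((h[off] & 0x7F) << 24) | (h[off + 1] << 16) | (h[off + 2] << 8) | h[off + 3]
    return f"{code % 10 ** digits:0{digits}d}"


def server_handle(secret: bytes, request: bytes) -> bytes:
    """Mock RADIUS server: verify AD password + OTP, return a signed response."""
    code, ident, req_auth, attrs = parse_packet(request)
    a, accepted = dict(attrs), False
    if code == ACCESS_REQUEST and ATTR_USER_NAME in a and ATTR_USER_PASSWORD in a:
        try:
            cred = reveal_password(secret, req_auth, a[ATTR_USER_PASSWORD]).decode()
            user = a[ATTR_USER_NAME].decode()
        except UnicodeDecodeError:   # a wrong shared secret yields garbage
            cred, user = "", ""
        rec = USERS.get(user)
        if rec is not None and len(cred) > OTP_DIGITS:
            ad_pw, otp = cred[:-OTP_DIGITS], cred[-OTP_DIGITS:]
            pw_ok = hmac.compare_digest(
                hashlib.sha256(ad_pw.encode()).hexdigest(), rec["pw_hash"])
            # Search the counter window; burn the counter on success so a
            # captured code cannot be replayed.
            match = next((c for c in range(rec["counter"], rec["counter"] + OTP_WINDOW)
                          if hmac.compare_digest(hotp(rec["otp_key"], c), otp)), None)
            if pw_ok and match is not None:
                rec["counter"], accepted = match + 1, True
    # Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)
    header = struct.pack("!BBH", ACCESS_ACCEPT if accepted else ACCESS_REJECT, ident, 20)
    return header + hashlib.md5(header + req_auth + secret).digest()


def client_login(secret: bytes, user: str, ad_password: str, otp: str, ident: int = 7) -> bool:
    """Send one Access-Request, verify the Response Authenticator, report the verdict."""
    req_auth = os.urandom(16)
    hidden = hide_password(secret, req_auth, (ad_password + otp).encode())
    request = build_packet(ACCESS_REQUEST, ident, req_auth,
                           [(ATTR_USER_NAME, user.encode()), (ATTR_USER_PASSWORD, hidden)])
    response = server_handle(secret, request)
    code, rid, resp_auth, _ = parse_packet(response)
    expected = hashlib.md5(response[:4] + req_auth + response[20:] + secret).digest()
    if rid != ident or not hmac.compare_digest(resp_auth, expected):
        raise ValueError("response not signed with our shared secret; discard it")
    return code == ACCESS_ACCEPT
```

Two things the exchange makes visible that the console form does not. First, PAP “hiding” is an MD5 keystream XOR keyed only by the shared secret entered in the Directories section, not modern encryption, so the secret should be long and random and the WorkSpaces-to-RADIUS path should run over a trusted link, which also holds for CHAP and the MS-CHAP variants. Second, the Response Authenticator is the only thing tying an Access-Accept to the original request; a client that skips that check will accept any 20-byte packet with the right identifier.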


Good Technology is delivering a new app to ensure secure collaboration across mobile and traditional users. The Good secure mobile collaboration app is optimized to deliver a contextual, personalized user experience.


Good’s latest app secures just about every way a mobile user connects or shares with others: email, messaging, contacts, calendar, document management and even web browsing.


The UI also means users can easily navigate across enterprise apps and tasks with no compromise to data security, noted Good CEO Christy Wyatt. The app brings all of a user’s relevant information together in one place; it can even personalize the UI to give quick access to frequently used information, such as custom alerts, based on the user’s activities and contacts.


As companies move to the cloud, they are looking for a fast, convenient way to adopt business mobility, Wyatt noted.


“We’re setting a new benchmark for the enterprise mobile experience. Businesses of all sizes, industries and requirements want their employees to move faster and make decisions wherever they are. The Good Dynamics platform, new Good app and broad partner ecosystem empower organizations to mobilize their business with a best-in-class usability experience, from the cloud or on premise, without compromising security,” Wyatt said in a statement.


Because the Good secure mobile collaboration app is built on the Good Dynamics Secure Mobility Platform, it offers a rich set of other security services, such as secure printing and document archiving.


This latest Good app is shipping now and can be deployed via cloud, on premise or in a hybrid environment, providing flexible deployment options for organizations. Good also announced the GA commercial release of its Good Pro secure cloud-based messaging app (previewed earlier this year), the Good for Salesforce1 mobile app, a new Trusted Authentication Framework, and an expanded Good-secured partner ecosystem.


HP released a “lean” version of its HP Helion Managed Virtual Private Cloud aimed at enterprises with light workloads and small budgets. That said, HP VPC Lean won’t scrimp on mission-critical IaaS management services, with support for clustering, high availability, compliance and security. It also carries auditable security certifications (SOC 2, ISO 27001, IL3, FedRAMP) and adds management services for SAP HANA.


The Lean VPC supports a range of tasks across the application lifecycle, including development, collaboration, testing, on-boarding and other operational workloads found in many medium-size companies and enterprise business units, said Jim Fanella, vice president, Workload and Cloud, HP Enterprise Services. One enterprise use case would be a regionalized cloud for data sovereignty, he noted, as HP also offers a global data center footprint for data sovereignty and privacy with low network latency.


Kaseya, a cloud-based ITSM firm, will buy Scorpion Software, a provider of security solutions for on-premises and cloud environments, including SSO, authentication, and password and identity management. Kaseya execs said the Scorpion AuthAnvil security portfolio will expand its cloud-based IT management solutions for enterprises and service providers.


“The acquisition of Scorpion Software, whose proven AuthAnvil products are used by over 500 customers worldwide, enables us to provide our MSP and enterprise customers the most comprehensive and advanced solution to these challenges, tightly integrated with their Kaseya IT management product,” said Kaseya’s president and CEO Yogesh Gupta in a statement. “Identity and access management has exploded in importance as global leaders seek solutions to protect their systems and sensitive data from attacks resulting from identity theft and unauthorized system access.”


He shared this perspective on how to balance the cloud’s opportunities with the new generation of risks. Organizations today are faced with an ever-increasing set of challenges related to secure information access. They must provide their employees secure and easy access to a growing number of applications from any device anywhere. At the same time, credentials are increasingly being stolen or compromised in today’s always-on mobile world, Gupta noted.


“Offering access with the highest levels of security is paramount, while making it easy for organizations and employees to manage their growing set of access credentials is critical to drive efficiencies and compliance with security policies,” he added.


Mocana debuted its enterprise-grade NorthStar secure connectivity solution for Apache web servers at Black Hat 2014. The offering is positioned as a hardened, drop-in replacement for the widely adopted and vulnerability-prone OpenSSL stack. Mocana NorthStar was designed to get enterprise IT “off the security patching treadmill” by providing a high-quality SSL/TLS alternative to OpenSSL that can be installed on Apache servers with a single command in a few minutes, said Mocana CTO James Blaisdell.

“Complexity is the enemy of security, and with 457,000 lines of code that need patching seemingly every week, OpenSSL has kept many IT managers awake at night, waiting to react to the next announced vulnerability. The code for the TLS stack in NorthStar is only a fraction of that size, and has been comprehensively tested,” Blaisdell said in a statement.

NorthStar is Mocana’s first enterprise solution for the secure sockets layer (SSL) and transport layer security (TLS) protocols. It includes all the necessary connecting “glue” needed to provide a simple, drop-in replacement for OpenSSL on Apache web servers. Mocana also offers its NanoSSL solution for developers to provide secure data transport for switches, routers, access points and modems, as well as medical equipment, industrial sensors, smart grid devices, camcorders and many other embedded devices that comprise the Internet of Things, he added. 

Mocana NorthStar provides an SSL implementation based on Mocana’s NanoSSL, a standards-based SSL developer suite purpose-built for efficiency and high performance, with support for TLS 1.2 and TLS certificate management. NanoSSL provides APIs for integration with applications such as web servers and browsers. Its certificate management module simplifies fetching or renewing SSL certificates, checking certificate status (using CRLs) and querying a certificate authority or certificate chain. NanoSSL’s cryptography is FIPS 140-2 validated, and NanoSSL can be used to secure many remote access use cases.


Ping Identity has begun a major rollout of what it calls “Next-Gen Identity” solutions to tackle head-on the challenges of extending traditional security to protect apps and data for cloud, mobile and other outside-the-firewall venues.


“We’re reimagining everything as we redefine how identity management can scale to Internet and cloud proportions, serving billions of users, devices, and services over the course of the next decade,” said Ping Identity CEO Andre Durand in a statement.


Among the elements on Ping’s “Next-Gen Identity” roadmap are: 

Loren Russon, Ping’s VP of Product Management & Design, explained the push behind Ping’s latest identity initiatives in a blog post.


“Many of the cool new features in [Ping’s] Next-Gen Identity platform support the top IT trends we hear about from customers around mobile application security, transition to private cloud and IaaS deployments, Office 365 adoption, and increased business value in ensuring secure and simple customer and partner portals,” he said.


Among Ping’s product rollouts this summer are:


Mobile Authentication. PingID is a new solution for one-swipe mobile authentication. It delivers an innovative approach to multi-factor authentication and mobile strong authentication built on Ping’s adaptive framework. With the PingID app, end users swipe their smartphones to authenticate, as either a primary or a second factor, to access apps and services. PingID can enforce access policies for applications based on geolocation, challenge-response and/or a unique swipe pattern. It also delivers one secure app to authenticate any employee, partner or customer.


Federated Access Management. Ping also released updates to PingFederate (v7.2) and PingAccess (v3.0) that provide FAM support to mobile access and cloud apps. FAM provides identity security for enterprises with mobile app development/API projects; as well as Amazon AWS, private and hybrid cloud projects. Companies can easily extend their existing on-premises identity security policies, directory stores, authentication methods and infrastructure across cloud, API, and mobile environments – without coding or WAM retrofitting. 


Thanks to updates for PingFederate and PingAccess, customers can deploy “simple and easy-to-use alternatives to existing access management products for web and API access control,” Russon added. Among those benefits, he listed: (1) Proxy and agent architecture for flexible deployment models; (2) Simple protection scheme for external access to internal applications and services; and (3) Extensive administrative APIs for automating connection and configuration management.


Cloud-based Identity as a Service. Ping also released its summer upgrade to its PingOne Identity-as-a-Service (IDaaS) solution. PingOne Summer sports an application catalog that provides users with personal and business applications from PingOne. It also adds multi-factor authentication support.


Multi-factor Authentication. Many of Ping’s products reflect an approach to multi-factor authentication that provides a no-password option for primary and secondary authentication factors, and what Russon called “a strong alternative to password authentication via a mobile app.”


“Security approaches that target endpoints, networks and email are not equipped to cope with the increasingly mobile and cloud-connected world in which we live. With [these] announcements, Ping is excited to move one step forward in creating a safe and secure world where strong identity takes you anywhere,” Ping CEO Andre Durand said in a statement.


Radiant Logic demonstrated its RadiantOne CFS (Cloud Federation Service) at Gartner Catalyst. RadiantOne CFS, which provides a multi-tenant “on-premises IdP” for large enterprises, was recently certified as a third-party SSO provider for Microsoft Azure, Office 365 and other Microsoft cloud services.


RadiantOne CFS is a security token service that enables enterprise IT to secure access to cloud-based applications, even when identities are strewn across disparate authentication sources.


“CFS extends access to Azure and Office 365 making it easier for large enterprises dealing with multiple identity sources beyond just Active Directory. Coupled with our virtualization layer, CFS supports the kind of federation today’s organizations need,” said Radiant Logic CEO Michel Prompt in a statement. The use case arises as many enterprises try to provide SSO to cloud applications even though their end-user directories are spread across Sun/Oracle directory stores or SQL databases, he added.


By turning such disparate, fragmented identity infrastructures into one unified “logical identity provider,” CFS simplifies federation and SSO for secure access to cloud apps. IT can build a secure federated infrastructure that offers a single access point to connect all internal identity and authentication sources.


RadiantOne CFS sports these features:

WatchDox, a provider of secure enterprise file sync-and-share (EFSS) solutions, is prepping Cloud Content Connectors to extend its data-centric protections for files to cloud-based services. WatchDox Cloud Content Connectors enable a single point of access and file-level security that will let users protect, share and collaborate on files created or stored in cloud storage repositories. They can share from any authorized device, anywhere, WatchDox execs added.


“Today’s enterprise users create, share and store content across multiple platforms and repositories, but not all services meet enterprise security or productivity needs,” said WatchDox chief product officer, Ryan Kalember, in a statement.


WatchDox Cloud Content Connectors will allow users to send files to any recipients using WatchDox access controls, watermarking and tracking. For secured sharing outside an organization, the Cloud Content Connectors provide full digital rights management and revocation from any device. Moreover, WatchDox Cloud Content Connectors only allow one-way traffic from the cloud into WatchDox.


WatchDox Cloud Content Connector for Google Drive will ship later this year, with connectors for other cloud services planned, according to Kalember. The company plans for the user experience to be simple. Users can see Google Drive as one of their repositories alongside their own WatchDox workspaces, sync folders, SharePoint, file shares and any other connected resource, he added.