Showing posts with label SAML. Show all posts

Wednesday, October 31, 2012

Catch me at CSA Congress in Orlando November 7th

I'm going to be speaking at the Cloud Security Alliance (CSA) Congress in Orlando on Nov 7th. Here is the brochure for the conference:

http://www.misti.com/PDF/174/20920/CSA12%20Bro_S.pdf

The topic is "Enterprise Insecurity...Mobile Devices Collide with the Cloud." I will be touching on Mobile Application Management vs. Mobile Device Management (MDM), limitations of the current pure-SAML standard when dealing with mobile devices and the cloud, preventing side-door access, and other timely topics.


If you have some time to stop by and say hi, please do.

Thursday, October 18, 2012

How do I Prevent Side-Door Access?

Despite an organization's best-laid plans, lines of business and individuals still go to the internet for services that put the organization at risk: "This file's too large for email, I'm just going to throw it up on my personal Box account."


That's just the accidental scenario. There's also the more nefarious 'Kinko's run', where a terminated employee heads to the local internet shop to download the contact list from an online CRM account that was never de-provisioned. Like most solutions, there is a people/product/process side to making things easier for employees while keeping employers out of trouble.

From the product side, many cloud identity providers can leverage SAML to prevent side-door access to cloud service providers. With SP-initiated SSO, the Service Provider redirects every login back to the enterprise Identity Provider for authentication, so once the employee has been removed from Active Directory (or whatever directory the Identity Provider uses) no new session can be established. Two caveats apply: the Service Provider must be configured to require SAML rather than also accepting a local username and password, or that local login is itself a side door; and a SAML assertion only gates new logins, so sessions the employee already holds at the Service Provider live on until they expire or are revoked.
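To make the control point concrete, here is an added example (not code from the original post) that simulates the SP-initiated flow: the Service Provider redirects to the Identity Provider, the Identity Provider issues an assertion only for users still present in the directory, and the Service Provider accepts only a genuine, unexpired assertion addressed to itself and matching its own request. Real SAML 2.0 uses XML assertions with XML-DSig and an asymmetric IdP signing key; this stand-in signs a small dict with HMAC so the logic runs offline. The entity ID, directory contents and key are constructed for the example.

```python
"""Simulation of SP-initiated SSO gated on the enterprise directory.

Added example, not the original post's code. SAML's XML-DSig is replaced
by an HMAC over a dict so the flow runs offline; SP_ENTITY_ID, DIRECTORY
and IDP_KEY are constructed values.
"""
import hashlib
import hmac
import json
import secrets
import time

SP_ENTITY_ID = "https://box.example.com/saml"   # constructed SP entity ID
IDP_KEY = secrets.token_bytes(32)               # stand-in for the IdP signing key
ASSERTION_LIFETIME = 300                        # seconds of assertion validity

# Enterprise directory (Active Directory stand-in). Deprovisioning = removal.
DIRECTORY = {"alice": {"enabled": True}, "bob": {"enabled": True}}


def deprovision(user):
    """HR/IT removes the account; the IdP will no longer vouch for it."""
    DIRECTORY.pop(user, None)


def idp_authenticate(user, sp_entity_id, request_id, now=None):
    """IdP side: issue a signed assertion only for users still in the directory."""
    now = time.time() if now is None else now
    entry = DIRECTORY.get(user)
    if not entry or not entry["enabled"]:
        return None                      # authentication fails, no assertion issued
    assertion = {
        "subject": user,
        "audience": sp_entity_id,        # which SP may consume this assertion
        "in_response_to": request_id,    # ties the response to the SP's AuthnRequest
        "not_on_or_after": now + ASSERTION_LIFETIME,
    }
    payload = json.dumps(assertion, sort_keys=True).encode()
    sig = hmac.new(IDP_KEY, payload, hashlib.sha256).hexdigest()
    return {"assertion": assertion, "signature": sig}


def sp_validate(response, expected_request_id, now=None):
    """SP side: accept only a genuine, unexpired assertion addressed to this SP."""
    now = time.time() if now is None else now
    if response is None:
        return False
    payload = json.dumps(response["assertion"], sort_keys=True).encode()
    expected = hmac.new(IDP_KEY, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, response["signature"]):
        return False                     # tampered or forged assertion
    a = response["assertion"]
    return (a["audience"] == SP_ENTITY_ID
            and a["in_response_to"] == expected_request_id
            and now < a["not_on_or_after"])


def sp_initiated_login(user, now=None):
    """SP-initiated SSO: SP issues an AuthnRequest, redirects to the IdP, checks the response."""
    request_id = "_" + secrets.token_hex(8)
    response = idp_authenticate(user, SP_ENTITY_ID, request_id, now)
    return sp_validate(response, request_id, now)


if __name__ == "__main__":
    print("alice before deprovisioning:", sp_initiated_login("alice"))
    deprovision("alice")
    print("alice after deprovisioning: ", sp_initiated_login("alice"))
```

The point of the audience and InResponseTo checks is that an assertion captured for one Service Provider or one request cannot be replayed elsewhere; the directory lookup on the IdP side is what actually closes the side door once the user is removed.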

For the many SaaS Service Providers that don't support SAML yet, some cloud identity solutions provide Form POST SSO. Form POST can be paired with a provisioning system to prevent side-door access using a technique called 'password cloaking'. Essentially, the user's password at the Service Provider is unknown to the user: the provisioning tool periodically resets it to a random value and stores that value in the Identity Provider's credential vault used for SSO, keeping the two in sync.


Users authenticate to the Identity Provider with their enterprise credentials and get SSO to the Service Provider without ever knowing the password to that account. This approach isn't without its problems. A reset-password wizard at the Service Provider can be used to circumvent the cloaking mechanism: the user resets the password to one they know, and until the next rotation they have a side door. This is where people and process come in, for example pointing the account's recovery email at a corporate mailbox that is disabled at termination, and treating an SSO failure after such a reset as the trigger to re-cloak.
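The following added example (not code from the original post) walks through password cloaking and the reset-wizard gap described above: a provisioning tool rotates the Service Provider password to a random value the user never sees and stores it in a vault; Form POST SSO replays the vaulted credential for an authenticated enterprise user; a direct login with any password the user knows fails; and a self-service reset at the Service Provider reopens the side door until the next rotation, which shows up as an SSO failure. The SaaS account store, the vault and the SP_NAME identifier are stand-ins constructed for the example.

```python
"""Password cloaking for a SaaS app that lacks SAML support.

Added example, not the original post's code. SaasAccountStore, the vault
dict and SP_NAME are constructed stand-ins so the flow runs offline.
"""
import hashlib
import hmac
import secrets

SP_NAME = "legacy-crm"   # constructed name for the non-SAML service
PBKDF2_ROUNDS = 100_000


class SaasAccountStore:
    """The Service Provider's own login database, including its reset wizard."""

    def __init__(self):
        self._accounts = {}   # username -> (salt, pbkdf2 digest)

    def set_password(self, username, password):
        salt = secrets.token_bytes(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        self._accounts[username] = (salt, digest)

    def login(self, username, password):
        """Direct (side-door) login with a username and password."""
        if username not in self._accounts:
            return False
        salt, digest = self._accounts[username]
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        return hmac.compare_digest(candidate, digest)

    def self_service_reset(self, username, new_password):
        """The reset wizard: lets a user choose a password they know."""
        self.set_password(username, new_password)


class ProvisioningTool:
    """Rotates SP passwords to random values that only the vault knows."""

    def __init__(self, sp, vault):
        self.sp, self.vault = sp, vault

    def cloak(self, username):
        new_password = secrets.token_urlsafe(24)   # never shown to the user
        self.sp.set_password(username, new_password)
        self.vault[(SP_NAME, username)] = new_password

    def deprovision(self, username):
        """Remove the vault entry so SSO stops; the SP account keeps its unknown password."""
        self.vault.pop((SP_NAME, username), None)


def form_post_sso(idp_session, sp, vault):
    """Form POST SSO: replay the vaulted credential for an IdP-authenticated user.

    Returns True on success, False if the user is not authenticated at the IdP,
    has no vault entry, or the vaulted password no longer matches (drift).
    """
    if not idp_session.get("authenticated"):
        return False
    creds = vault.get((SP_NAME, idp_session["user"]))
    if creds is None:
        return False
    return sp.login(idp_session["user"], creds)


if __name__ == "__main__":
    sp, vault = SaasAccountStore(), {}
    tool = ProvisioningTool(sp, vault)
    sp.set_password("alice", "Summer2012!")       # password alice chose before onboarding
    tool.cloak("alice")
    print("direct login with old password:", sp.login("alice", "Summer2012!"))
    print("SSO via vault:", form_post_sso({"user": "alice", "authenticated": True}, sp, vault))
    sp.self_service_reset("alice", "MyNewPass1")  # the reset-wizard side door
    print("direct login after reset:", sp.login("alice", "MyNewPass1"))
    print("SSO after reset (drift):", form_post_sso({"user": "alice", "authenticated": True}, sp, vault))
    tool.cloak("alice")                            # re-sync closes it again
    print("direct login after re-cloak:", sp.login("alice", "MyNewPass1"))
```

A failed Form POST SSO for a user whose vault entry exists is the tell-tale sign of drift caused by a reset at the Service Provider; a provisioning tool that re-cloaks on that signal, rather than only on a fixed schedule, shortens the window in which the side door is open. Note that deprovisioning in this model only removes the vault entry; the Service Provider account still exists with a password nobody knows, so disabling or deleting it at the Service Provider remains a separate step.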

If users can be given a better experience getting access to shared file services like Box through an enterprise account governed by a Cloud Identity solution, most will opt for that approach, knowing they're being good citizens and that it's easier anyway. Proper education about the available services builds the critical mass necessary for adoption.