Is Your IDaaS Vendor Really Securing Your Identity?

One major problem with Identity as a Service

With no huge capital investment, and almost equal operational expenditure, organizations all across the globe are rapidly moving to cloud-based infrastructure.

The benefits of moving to cloud may be plenty, but where sensitive corporate data is involved, adopting cloud leaves the enterprise in a fix. The reason is that almost all cloud-based applications are in a public domain, and the maximum level of security offered by all of the cloud application providers is a secure channel of communication between the SaaS vendor and the consumer.

In older days, enterprises used to manage security by putting up big bad firewalls to keep the data within the premises. If the data had to move outside the firewall, there were VPNs. With cloud, all the data residing with the vendor is in clear text, and god forbid a notorious hacker gets hold of it.

This inherent problem with cloud SaaS has followed organizations into the identity domain as well. But identity is a different beast altogether, and the security aspect must not be overlooked when adopting IAAS (identity as a service).

SAML, the protocol used to establish trust between two different identity systems, will be the answer provided by many cloud identity providers, but is SAML really the answer? Not so much! SAML just takes care of establishing a secure channel for transporting identity, but the actual data residing with identity providers may not be secure. This is the question that really needs to be answered before adopting a cloud-based identity provider. Why? Digital persona theft exposes the organization to plenty of hazards, both monetary and reputational.

In older days, organizations used to deal with the incompetence behind a data breach by changing the organizational structure of the team responsible for managing security. With cloud, when a security risk arises, moving to a different cloud IAAS vendor is harder because the digital personas reside with the provider, and replicating those records along with roles and policies would be a nightmare, both in terms of time and cost.

So what to look for in a cloud IAAS vendor if not SAML? Yes, you got it right! The answer is: what is the IAAS vendor doing to protect sensitive data?

1. Are they putting firewalls?

2. Are they getting security audits done for their infrastructure?

3. Or are they doing real-time encryption?

1 & 2 are the norm and come by default with IAAS vendors. However, encryption is the trickiest part, because simple encryption is nothing without a carefully crafted key management system. For IAAS providers that offer SSO in a non-collaborative way, key management is usually poor. Either the keys reside with the data they protect, or the keys are generated by an algorithm, leaving the encrypted data exposed to rainbow tables.

The Smart-Key Algorithm developed by SmartSignin and its inferred system architecture make possible a new class of security and trust for cloud based identity and access management. One can think of this as perfect trust because it is based on the principle of mutual distrust of all elements in the system.

By using key splitting and mutual authentication of client and server, and by ensuring that the actual encryption key used for entity/password protection is never stored or used on a server (encrypted or otherwise), it gives absolute assurance that even if an attacker were to penetrate the server, they would never have enough information (even if actively stealing data out of memory) to reconstitute a key or steal an online identity. By ensuring that credentials are decrypted and used exclusively on the client, it renders cloud servers (which are the single point of security failure and highest-risk element in any system) immune to any attacks associated with account compromise.
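The key-handling contrast drawn in the two passages above (keys derived by a fixed algorithm versus a key split between client and server) can be sketched as follows. This is an added example, not SmartSignin's Smart-Key Algorithm, whose details the page does not give: it uses a generic two-share XOR split with a PBKDF2-derived client share, and every name and parameter in it is hypothetical.

```python
from __future__ import annotations
import hashlib
import hmac
import secrets

KEY_LEN, ROUNDS = 32, 200_000  # ROUNDS: assumed PBKDF2 work factor

def weak_key(password: str) -> bytes:
    # Weak pattern: the key is a fixed function of the password alone, so
    # equal passwords give equal keys and a precomputed table covers all users.
    return hashlib.sha256(password.encode()).digest()

def client_share(password: str, salt: bytes) -> bytes:
    # Salted, slow derivation; computed on the client only.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ROUNDS, dklen=KEY_LEN)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def check_value(key: bytes) -> bytes:
    # Lets the client detect a wrong password. Anyone holding the stored
    # record can use it to test guesses offline; salt and ROUNDS set that cost.
    return hmac.new(key, b"key-check", hashlib.sha256).digest()

def enroll(password: str) -> tuple[dict, bytes]:
    # Runs on the client. The random data key is never sent to the server;
    # only the salt, the server's XOR share and the check value are.
    data_key = secrets.token_bytes(KEY_LEN)
    salt = secrets.token_bytes(16)
    share = xor(data_key, client_share(password, salt))
    return {"salt": salt, "server_share": share, "check": check_value(data_key)}, data_key

def recover(password: str, record: dict) -> bytes | None:
    # Runs on the client: recombine both shares, then verify the result.
    key = xor(record["server_share"], client_share(password, record["salt"]))
    return key if hmac.compare_digest(check_value(key), record["check"]) else None

def demo() -> dict:
    pw = "correct horse battery staple"  # constructed sample password
    rec_a, key_a = enroll(pw)
    rec_b, _ = enroll(pw)  # second user who chose the same password
    return {
        "weak_keys_collide": weak_key(pw) == weak_key(pw),
        "server_shares_differ": rec_a["server_share"] != rec_b["server_share"],
        "roundtrip_ok": recover(pw, rec_a) == key_a,
        "wrong_password": recover("guess", rec_a),
        "key_stored_on_server": key_a in rec_a.values(),
    }
```

Calling `demo()` shows that the stored record never contains the data key and that two users with the same password get unrelated server shares, while the unsalted derivation yields the same key for both.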

In summary, beyond offering a high level of security with the right implementation, the Smart-Key Algorithm also offers cloud-based security and identity management a significant forward evolution that is very compelling and worthy of broad use and deeper integration (i.e. direct use of the algorithm rather than just encryption of regular passwords) into various web services.

SmartSignin takes security very seriously. With its patent pending Smart-key algorithm & carefully crafted key generation and management architecture, it leads the way and stands apart from all the players in the cloud.

About Mayukh Gon

Mayukh is the Founder/CEO of PerfectCloud Corp. He has over 15 years of experience working in the technology industry, specifically Middle-ware technologies, Software Development, Identity and Access Management. His company PerfectCloud Corp. is an innovative Cloud company which makes products for enterprises to provide them complete security & privacy for their identities, access and data.
