Guest post from SecureState’s Chief Technology Officer, Steve Ocepek
SecureState is a global management consulting firm specializing in information security. For years, the company has used PortalGuard to authenticate customers to its MyState login portal. With new application development incorporating Amazon Web Services (AWS), SecureState discovered the need to implement a federated login across its existing platform and the apps built on AWS. After working through the migration phases, SecureState was able to implement third-party logins and continue to use PortalGuard as its method of unifying both legacy and cloud-based offerings under a single set of credentials.
As we continue to see enterprises take part in this mass migration to the cloud, we asked SecureState to write a guest post about what it learned from the process and how to go about it without negatively impacting the business. Steve Ocepek obliged, and his response can be read below.
As a consulting firm, we often assist clients with their efforts to embrace the benefits of cloud computing. We commonly review these projects from a security perspective and work with our clients to ensure that the projects do not negatively impact security. Our own systems are no different: our data must be secured, even as our applications begin to utilize cloud services to assist our own clients better. From a security point of view, it is tempting to reject cloud services altogether; however, with technologies such as PortalGuard and data encryption, we can embrace this model securely and continue to meet our clients’ needs.
The PortalGuard tool was chosen by SecureState for its security and versatility. Indeed, the login portal itself is one of the most important aspects of secure web application design, and keeping this functionality in a separate program has many benefits. One advantage is that our team is able to fully test PortalGuard on its own before integrating it with our applications. In addition, this separation is especially valuable when considering other development platforms, such as AWS, since it provides a consistent front end across both platforms.
The most strategic benefit, however, is that by using a separate, hosted portal, an organization maintains control of its credentials. Using a cloud solution such as AWS brings with it the option to fully outsource account management. Solutions such as Amazon Identity and Access Management offer this ability, and closely align with Amazon’s other offerings in order to provide a seamless experience. But there are hidden costs associated with this level of outsourcing that many firms do not consider.
Whose clients are they, anyway?
In planning for cloud migration, organizations need to consider both user experience and their users’ potential data exposure. Cloud providers are generally focused on availability, which as infrastructure providers is what they’re best at, but only nominally on confidentiality and integrity of data. That is our job as service providers — to be our clients’ advocates and ensure that data is handled correctly, and that it is easy to access. PortalGuard lets us retain control over this aspect of the application by allowing us to keep credentials in a different location than our clients’ data, and use the credentials to enforce strong access control.
While a new application will bring changes to the user experience, the method by which users gain access does not need to change. Clients who switch to cloud providers for authentication often find that they lose more control of these accounts than they originally anticipated – often relying on third-party tech support to solve problems with the solution. PortalGuard gives us the hands-on ability to manage this data and provide support to users as needed. SecureState uses PortalGuard to maintain robust security around our clients’ authentication, and with this approach enjoys the best of both worlds: encrypted data is stored in the cloud, while keys and credentials are kept on servers we control.
Fortunately, most cloud providers offer a robust set of technologies that can be leveraged to integrate with third-party portals. AWS, through its Security Token Service (STS), allows clients to generate tokens that enforce fine-grained access control over data elements. Using its claims-based interface, PortalGuard provides the information needed to generate a token for the authenticated user, which in turn grants access to AWS resources. This approach gives an application the ability to implement access control as needed, without the constraints that are often inherent in third-party Role Based Access Control (RBAC) solutions.
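As an added illustration (not SecureState’s or PortalGuard’s own code), here is a small broker that takes the claims a separate portal asserts about the logged-in user and asks STS for short-lived credentials scoped to that client’s own data; the bucket name, prefix layout, claim names and the choice of GetFederationToken as the STS call are assumptions.

```python
import json
import re

# Constructed sample claims, as a separate authentication portal (PortalGuard in
# the post) would pass them to the application after a successful login.
SAMPLE_CLAIMS = {"sub": "alice@example-client.test", "client_id": "acme-corp"}

DATA_BUCKET = "mystate-client-data"  # hypothetical bucket holding client data
_CLIENT_ID_RE = re.compile(r"^[a-z0-9][a-z0-9-]{1,62}$")


def build_session_policy(claims: dict) -> dict:
    """Turn portal claims into a least-privilege STS session policy: the token
    may only list and read objects under the client's own prefix, so credentials
    minted for one client cannot reach another client's data."""
    client_id = str(claims.get("client_id", ""))
    if not _CLIENT_ID_RE.match(client_id):
        raise ValueError("no valid client_id claim; refusing to mint a token")
    prefix = f"clients/{client_id}/"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {   # listing is restricted to the client's prefix
                "Effect": "Allow",
                "Action": "s3:ListBucket",
                "Resource": f"arn:aws:s3:::{DATA_BUCKET}",
                "Condition": {"StringLike": {"s3:prefix": [f"{prefix}*"]}},
            },
            {   # reads are restricted to objects under that prefix
                "Effect": "Allow",
                "Action": "s3:GetObject",
                "Resource": f"arn:aws:s3:::{DATA_BUCKET}/{prefix}*",
            },
        ],
    }


def federation_token_request(claims: dict, duration_seconds: int = 900) -> dict:
    """Arguments for boto3's sts.get_federation_token(); kept separate from the
    network call so the scoping logic can be checked offline."""
    policy = json.dumps(build_session_policy(claims))
    return {"Name": f"portal-{claims['client_id']}"[:32],  # STS caps Name at 32
            "Policy": policy, "DurationSeconds": duration_seconds}


def mint_scoped_credentials(claims: dict) -> dict:
    """Ask STS for short-lived credentials carrying the scoped policy. Needs boto3
    and the broker's own AWS keys, which stay on the controlled server."""
    import boto3  # imported here so the rest of the module runs without it
    resp = boto3.client("sts").get_federation_token(**federation_token_request(claims))
    return resp["Credentials"]  # AccessKeyId, SecretAccessKey, SessionToken, Expiration
```

The effective permissions of the returned credentials are the intersection of this session policy and the broker’s own IAM permissions, so the broker itself should hold no more than the client data access it is expected to delegate.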
In cases where an application has a smaller number of users, PortalGuard can also be used to exchange Security Assertion Markup Language (SAML) messages directly with third-party services. Again, this flexibility gives an application designer many options when working with the cloud, essentially putting us back in the driver’s seat regarding how we use these services.
Without a doubt, application developers are going to encounter cloud solutions – whether by choice or by customer requirement. While hosting data elsewhere can raise security risk, technologies are available to encrypt this data and secure access to it, mitigating those risks while embracing new opportunities. Using PortalGuard to centrally manage authentication and authorization clears many of the hurdles that stand in the way of secure cloud deployment.