We often get asked if cloud-based directories are secure. Not only is it a good question, but it is also one we have come to expect. But perhaps the better question is, how is your directory service secured whether it is in the cloud or on-premises? The directory service is a core part of any organization’s network infrastructure, housing credentials and what those credentials can access. While a directory service seems like it would be a good target, modern cloud-based directories shouldn’t be overly appealing to hackers. Let us explain why.
Inner Workings of Cloud-Based Directories Security
Whether a cloud-based directory service is secure or not depends on the implementation. Obviously, we cannot speak for other solutions, but we can discuss what constitutes a solid, secure cloud-based directory service. There are a large number of security items that happen behind the scenes with any cloud identity provider. We’ll review what the best solutions should be doing.
One-Way Hashing and Salting of Passwords
Identity providers store credentials and sensitive information. Those passwords should be one-way hashed and salted. They should be unrecoverable. While encryption alone is used by most providers in the space, it’s not acceptable alternative from a security standpoint. Encryption requires a key for decryption, putting it at risk of being compromised. A one-way hash that has been salted cannot be recreated without the exact password as the input. Make sure your cloud identity provider employs this method.
No Storage or Generation of Private Keys
Unified cloud directory services will manage and store SSH keys (at least the most comprehensive ones will). However, they won’t let you store or generate private keys. Private keys should always be generated on a person’s private device that they know has never been compromised. That private key should not be created elsewhere and stored outside the user’s control. Unfortunately, it is routinely done. Some providers offer these services for convenience, but they are a significant security risk. Solutions that store public keys are preferred with private keys stored where they should be – privately.
Multi-Factor Access for Administration
Administration of the service needs to be protected. The best way to do that is to add multi-factor authentication (MFA / 2FA) to the login process for admins. Ideally, the service also offers multi-factor for users and in other places. MFA / 2FA is one of the best ways to step-up security in any user access situation because the second form of authentication is a token that the user has or knows, making it much more difficult to obtain for would-be hackers.
Logging and Event Data
Understanding and having access to the user authentication data is critical for any cloud-based directory service. You need to be able to see who has and who has not been granted access. Data can also give you insight into security risks. If you are seeing a lot of access attempts, you will want to investigate how and why those are happening. An Identity-as-a-Service platform will give you that insight and help you have the identity security visibility you need.
Security Training / Compliance
With any SaaS service, you are entrusting your data to a third-party provider. That provider should have better security training and compliance activities than you. It’s their job and something that they spend all their time working on. The best Directory-as-a-Service® provider has an in-depth training and compliance program.
A cloud-based directory service supports your security and compliance initiatives. It should be a step-up of your overall security. In fact, it should be a relief that you have professionals managing this critical security solution. The best providers have all of these capabilities and more. In fact, they will have a number of other security solutions such as firewalls, access control lists, VPNs, and network segmentation among others.
JumpCloud: Secure Cloud-Based Directories
If you would like to learn more about how JumpCloud’s Directory-as-a-Service platform supports your identity management security initiatives, drop us a note. You can rest assured that our cloud-based directory is based on a foundation of security and trust. We are happy to discuss it with you in detail.