By Rajat Bhargava Posted September 20, 2019
A core part of the challenge when thinking about central identity management platforms is security. There is a prevailing view that on-prem solutions can be more tightly controlled and secured. This viewpoint is largely a vestige of the past. Cloud security has improved significantly in all major areas, including protocols, platforms, and processes. Developers and IT organizations have learned a great deal, and as a result they have become more aggressive about their security architectures, contributing to cloud solutions matching or even surpassing on-prem solutions.
Examining On-Prem Apps & Infrastructure
If we step back, on-prem applications made a number of assumptions. Many of these solutions were written years ago, either before or around the time Microsoft Active Directory® was developed in the late 1990s. At that point in time, the world was all on-prem and all Microsoft Windows. As a result, applications were often built on top of the Windows operating system and hosted internally – whether on a user’s device or in their on-prem server room or data center. The security model relied on the network and physical safeguards. This meant that the expectation was that the customer would implement network security properly, and only allow the right people into their network. The server that hosted the application would likely have some security, but perhaps not at the level servers are secured today. Data was not stored in a highly secure manner because it was believed that the network security components would prevent access to the application and data itself.
For Active Directory, this was the model. AD largely relied on the network to secure the platform. IT admins wouldn’t place the directory service on the public internet, but instead put it at the center of their IT infrastructure. Users needed direct network access to authenticate, which meant that AD had to be local to each user or reachable over a secure VPN connection. Organizations with multiple offices deployed Active Directory instances at each facility; whether those AD servers were connected to one another depended on the organization’s requirements. The AD server itself ran on a Windows server, and for the server’s own security most organizations did little beyond basic authentication-based controls. AD’s model for storing credentials is also relatively weak, a consequence of the view that the credentials would sit at the center of the IT organization and be less susceptible to compromise. All of these factors in the on-prem application model rest on the requirement that IT organizations maintain multiple layers of security.
Examining Cloud Apps & Infrastructure
With cloud-based applications and infrastructure, there is no luxury of assuming that the service will have a moat around it. Most SaaS-based solutions are deployed directly on the public Internet. As a result, they need to be built with security in mind from the foundation. This is especially true for directory services, but it applies to virtually all web-based solutions. SaaS providers know that they are exposed to greater risk, and as a result they ensure that the solution is secured at a number of different layers. These layers include:
- Data layer – most cloud solutions encrypt data at rest so that, should a database or storage system be compromised, the data is difficult to expose. Even more important than encrypting data is one-way hashing and salting of passwords. The hashing and salting scheme should be strong enough to make recovering the password practically impossible. Any organization that stores passwords should use this method so that a compromise does not expose them.
- Application layer – the application, of course, should be coded securely and checked for vulnerabilities. The most common cloud application vulnerabilities tend to be those at the UI layer, with cross-site scripting (XSS) errors. These errors can expose the database or create a hole that allows an attacker to gain control over the application or server. Ensuring that this code has no vulnerabilities is a crucial layer of security.
- Server layer – for cloud solutions, the servers are often hosted by a provider such as AWS, so physical controls are handled by the provider rather than the customer. As a result, patching and keeping the server platform current is the most important task. Any extraneous ports or services should be disabled where possible.
- Network layer – the network layer is protected through a secure connection. There are a number of different technologies to help here, including SSL and its successor TLS. No communication between components, whether internal or external, should take place over an unsecured connection when cloud infrastructure is being leveraged.
- UI layer – access to the application itself should be protected via strong authentication. If possible, the SaaS application should enforce long passwords and also leverage multi-factor authentication.
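The data-layer and UI-layer bullets above describe two controls that belong together: never store a password in a reversible form, and refuse weak ones at the door. The following is an added example (not JumpCloud’s code or any product’s implementation) of a minimal credential store that does both. The policy threshold, scrypt cost parameters, and the in-memory dictionary standing in for a directory’s credential table are assumptions chosen for the example; the post does not specify any.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional

# Assumed policy and cost parameters for this example; the post names none.
MIN_PASSWORD_LENGTH = 12
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1   # about 16 MiB of memory per hash
SALT_BYTES = 16
KEY_BYTES = 32

# Stand-in for the credential table of a directory service (in-memory only).
CredentialStore = Dict[str, Dict[str, str]]


def check_policy(password: str) -> bool:
    """UI-layer control: require long passwords (length only, to keep the example short)."""
    return len(password) >= MIN_PASSWORD_LENGTH


def hash_password(password: str, salt: Optional[bytes] = None) -> Dict[str, str]:
    """Data-layer control: one-way, salted, memory-hard hash of the password.

    The salt and cost parameters are stored next to the hash so that
    verification can recompute it and the parameters can be raised later.
    """
    if salt is None:
        salt = secrets.token_bytes(SALT_BYTES)   # fresh random salt per user
    digest = hashlib.scrypt(
        password.encode("utf-8"), salt=salt,
        n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=KEY_BYTES,
    )
    return {
        "alg": "scrypt", "n": str(SCRYPT_N), "r": str(SCRYPT_R), "p": str(SCRYPT_P),
        "salt": salt.hex(), "hash": digest.hex(),
    }


def verify_password(record: Dict[str, str], candidate: str) -> bool:
    """Recompute with the stored salt and parameters, then compare in constant time."""
    digest = hashlib.scrypt(
        candidate.encode("utf-8"), salt=bytes.fromhex(record["salt"]),
        n=int(record["n"]), r=int(record["r"]), p=int(record["p"]), dklen=KEY_BYTES,
    )
    return hmac.compare_digest(digest, bytes.fromhex(record["hash"]))


def register(store: CredentialStore, username: str, password: str) -> bool:
    """Reject passwords that fail policy; never keep the plaintext."""
    if not check_policy(password):
        return False
    store[username] = hash_password(password)
    return True


def login(store: CredentialStore, username: str, password: str) -> bool:
    """Authenticate against the stored record; unknown users still pay the hash cost."""
    record = store.get(username)
    if record is None:
        # Hash anyway so an unknown username takes about as long as a wrong password.
        hash_password(password, salt=bytes(SALT_BYTES))
        return False
    return verify_password(record, password)


if __name__ == "__main__":
    users: CredentialStore = {}
    register(users, "alice", "correct horse battery staple")
    register(users, "bob", "correct horse battery staple")
    # Same password, different salts, different stored hashes:
    print(users["alice"]["hash"] != users["bob"]["hash"])
    print(login(users, "alice", "correct horse battery staple"))
```

Two details carry the weight here: the per-user random salt means two accounts with the same password produce unrelated records, so a leaked table cannot be attacked with one precomputed list; and `hmac.compare_digest` avoids leaking, through timing, how many bytes of a guess matched.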
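The application-layer bullet singles out cross-site scripting as the most common cloud application flaw. As an added illustration (example code written for this page, not from JumpCloud or any framework), here is the defect in its simplest form next to the fix: output that is encoded for the context it lands in. The `render_*` functions, the allow-listed link schemes, and the hostile display name are all constructed for the example.

```python
import html
from urllib.parse import urlsplit

# Constructed sample standing in for attacker-controlled profile data.
HOSTILE_NAME = "<script>alert(1)</script>"

# Assumed policy: only web links may be rendered as clickable anchors.
SAFE_LINK_SCHEMES = {"http", "https"}


def render_greeting_unsafe(display_name: str) -> str:
    """Vulnerable: user input is concatenated straight into the HTML text context."""
    return "<p>Welcome, " + display_name + "!</p>"


def render_greeting_safe(display_name: str) -> str:
    """Hardened: HTML-encode the value before it is placed in the text context."""
    return "<p>Welcome, " + html.escape(display_name, quote=True) + "!</p>"


def render_profile_link_safe(url: str, label: str) -> str:
    """Attribute context needs encoding *and* a scheme allow-list.

    Encoding alone cannot make a javascript: URL safe inside href, so any
    URL that is not http(s) or a same-site path is rendered as plain text.
    """
    url = url.strip()
    scheme = urlsplit(url).scheme.lower()
    same_site_path = url.startswith("/") and not url.startswith("//")
    if scheme not in SAFE_LINK_SCHEMES and not same_site_path:
        return html.escape(label, quote=True)   # keep the text, drop the link
    return '<a href="%s">%s</a>' % (
        html.escape(url, quote=True),
        html.escape(label, quote=True),
    )


if __name__ == "__main__":
    print(render_greeting_unsafe(HOSTILE_NAME))   # script tag reaches the browser intact
    print(render_greeting_safe(HOSTILE_NAME))     # rendered as literal text
    print(render_profile_link_safe("javascript:alert(1)", "my profile"))
```

The point a reviewer looks for is that encoding is chosen per context: `html.escape` is correct for text and quoted attribute values, while a URL-bearing attribute additionally needs the scheme check, because an encoded `javascript:` URL is still a `javascript:` URL once the browser decodes it.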
As you can see, the core difference between cloud security and on-prem security is that on-prem security has traditionally leaned heavily on the network layer to secure the solution, whereas cloud security needs to take a more holistic approach.
Cloud vs On-Prem Security: The Verdict?
Even with all of these layers of security, which generally go well beyond what is done for on-prem applications, SaaS providers must continue to verify their security, sometimes via penetration and vulnerability testing services. Security training is a constant at the best cloud infrastructure and application providers, and requirements such as antivirus on each device, strong passwords, multi-factor authentication, and full disk encryption are also part of their security programs.
Cloud and SaaS providers know that their physical proximity to the Internet and the storage of critical data can make them a target. Accordingly, the best cloud organizations take security seriously and invest in it heavily. The result: cloud solutions are often more secure than those on-prem.
If you have any questions on how cloud security measures up to on-prem security, drop us a note. We would be happy to answer any questions that you may have on the topic, as well as help you to see whether cloud infrastructure could be right for you. To see a glimpse into the stringent measures that JumpCloud takes to protect our cloud directory service, visit our security page.