Credential Management in the Cloud: Spotlight | InfoSec Reviews Blog

By Michael Ginsberg

Single sign-on and encryption policies are putting credential management – and in particular public key infrastructure (PKI) – under closer scrutiny these days. The spotlight has become more intense as we witness the meteoric rise in mobile devices for business usage, as well as the growing reliance on the cloud for application development and delivery.

Recent breaches have shown that password protection is not enough to protect sensitive information in the cloud or on mobile devices. So-called encryption features in mobile devices are local to the device, and do little to protect the data moving between the device and the application. In fact, they can be bypassed so easily that it is tantamount to locking a door and leaving the key under the mat for others to break in.

While PKI represents the ideal end of the security spectrum, deployment costs are typically high, making strong credential management for mobile a significant stumbling block for organizations today. Rather than investing in a full-blown and costly PKI infrastructure, however, users can now turn to managed software-as-a-service (SaaS) platforms to address their credential management needs.

By “plugging into” a full PKI infrastructure that operates digital certificates for them, organizations and developers can eliminate the usual high cost associated with credential management and apply the right level of security measures across multiple applications.

This is not as much of a stretch as one might think. IT managers have always been extremely vigilant in ensuring that their data is securely transmitted and secured within the enterprise through measures such as encryption policies and credential management.

Yet the risk increases with the rise of cloud-based applications and mobile devices for business use. The problem is not in the ability to protect data. It is in the willingness – or lack thereof – of enterprises to put in place the extra measures to protect information outside the walls of the enterprise.

Nowhere is this more evident than in the mobile arena, which has become a veritable security frontier. IT managers may have been able to exert significant control over devices tethered to their networks, but mobile is an entirely different animal. Devices are not tied to corporate security systems and policies; users are working with a multitude of different platforms; and for the most part, there is no standardized security solution to manage them.

In addition, a large part of what is required for security control is in the hands of users with no working knowledge of data security practices. In fact, there could be dozens of workers using unaccounted-for mobile devices to conduct their day-to-day business communications.

There are some solutions coming to the fore that are attempting to address these concerns. For the most part they are either too complicated or costly to manage, or piecemeal solutions that only address a specific function or operating system.

Some attempts have been made at establishing device lockdown policies, with very limited results, since the risk of human error and of devices being used “out of scope” remains high. There has also been a recent influx of Mobile Device Management (MDM) tools and/or services that allow managers to track, monitor and wipe devices clean in the event of a loss or theft. These measures, while effective, still fall short of complete protection for data at risk.

Through a fully managed public key infrastructure (PKI) service, however, sophisticated authentication processes can be expanded to the mobile front. This capability represents a significant turning point in organizations’ battles to control mobile content and access to cloud-based applications.

Fully managed PKI can be very effective in resolving the mobile security challenge, since digital certificates are installed on mobile devices. Businesses can simply use a web interface to manage those certificates on mobile devices (i.e. issuing, suspending or revoking access privileges), and secure sensitive information stored locally and uploaded to data clouds.

There is no question that work needs to be done to address the growing risk associated with mobile and cloud-based applications and their impact on business communications. While credential management and encryption practices are not new to IT managers, they have yet to gain traction in tackling these new frontiers. But with the new breed of managed credential management services, enterprises can expand their security reach efficiently and cost-effectively.

Michael Ginsberg brings 20 years of software experience to his CEO position at Echoworx. A seasoned operator with a proven track record, he has transformed the company’s vision and product offerings, and is leading its strategic direction and growth. Ginsberg is known for his passion for business and software innovation.

Blog Submission from Echoworx (www.echoworx.com)