The present invention generally relates to security in computing systems and, more particularly, to securing services in a cloud computing environment.
End users are able to access services on the cloud from multiple devices. This capability leads to usage scenarios such as: a user starts working on a document from home on their laptop; the same user continues editing the document using their tablet while commuting; and the same user completes the document using their work computer. An extension of this scenario exists in which multiple distinct users, each with one or more distinct devices, may access the same document (e.g., a shared document) through the same or several different cloud services. Such scenarios are enabled by a defining characteristic of the cloud computing model, i.e., always-connected interaction and immediate synchronization of data among devices. This is in contrast to the thin client computing model, in which all data is always maintained centrally and each device is a thin client that reads/writes that data immediately (e.g., within a session).
It is common for a user to have multiple different cloud client applications on a single computing device, cloud client applications being applications that follow the cloud computing model, with each application typically connected to a respective cloud service provider. For example, a user's smartphone may include different cloud client applications such as: a file storage and synchronization application with a first cloud service provider; a business social network application with a second cloud service provider; and a note taking, organizing, and archiving application with a third cloud service provider. Unlike applications that use the thin client model, cloud client applications do not require the user to respond to repeated authentication challenges for each session. Instead, they rely on security profiles stored on the device, including authentication tokens, which are created after the first authentication challenge. However, because these cloud client applications do not require the user to authenticate for each session, all of the cloud client applications on a single user device may be subject to a security breach if the user device itself is compromised.