In recent years, an increasing number of providers have begun offering the ability to create computing environments in the cloud. For example, in 2006, Amazon Web Services™ (also known as AWS) launched a service that allows users to configure an entire environment tailored to an application executed over a cloud platform. In general, such services allow scalable applications to be developed, with computing resources allocated as needed to support efficient execution of those applications.
Organizations and businesses that develop, provide, or otherwise maintain cloud-based applications have become accustomed to relying on these services and implementing various types of environments, from complex websites to applications and services provided under software-as-a-service (SaaS) delivery models. Such services and applications are collectively referred to as “cloud applications.”
Cloud applications are typically accessed by users using a client device via a web browser. Cloud applications include, among other things, e-commerce applications, social media applications, enterprise applications, gaming applications, media sharing applications, storage applications, software development applications, and so on. Many individual users, businesses, and enterprises turn to cloud applications in lieu of “traditional” software applications that are locally installed and managed. For example, an enterprise can use Office® 365 online services for email accounts, rather than having an Exchange® Server maintained by the enterprise.
As greater reliance is made on cloud applications, securing access to such cloud applications becomes increasingly important. For example, for an e-commerce application executed in a cloud-based platform, any unauthorized access and/or data breach must be prevented to ensure protection of sensitive customer and business information such as, e.g., credit card numbers, names, addresses, and so on.
Providers of cloud computing platforms (e.g., Amazon) offer various security capabilities primarily designed to protect their infrastructure against cyber-attacks (e.g., DoS, DDoS, etc.). However, cloud computing platforms are generally not designed to detect unauthorized or insecure access to the cloud applications hosted on them.
Most, if not all, cloud applications implement a native access control often limited to a username and password (also known as login information). More advanced solutions require another layer of authentication using, for example, a software certificate and/or two-step authentication. However, the authentication solutions currently available are agnostic to the user's device.
That is, a user can authenticate from any client device using the same credentials and have the same trust level and permission to a cloud application's functions regardless of the client device being utilized to access the application. For example, a user can access an Office® 365 email account both from his/her work computer and from his/her home computer using the same login information, and will have the same degree of access from both computers.
As not all client devices are configured with the same security level, the existing approach for gaining access to cloud applications exposes an enterprise to significant vulnerabilities. Referring to the above example, the work computer may be fully secured, while the home computer may not have anti-malware software installed. As such, any sensitive documents (e.g., emails) accessed from the home computer can be captured and distributed by malicious code that may be present on it. More importantly, an attacker can access the contents of a cloud application merely by stealing or otherwise obtaining the login information of legitimate users. Such information can easily be revealed or compromised through tracking cookies, snooping on unsecured networks, and the like.
Further, conventional authentication solutions do not distinguish between managed and unmanaged client devices attempting to access a cloud application. A managed device is typically secured by, for example, IT personnel of an organization, while an unmanaged device is not. Referring to the above example, the work computer is a managed device while the home computer is an unmanaged device.
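The following is an added example, not code from the original document or from any product it describes, contrasting the device-agnostic check described above with one that takes the managed/unmanaged state of the client device into account. The user name, password, device identifiers, trust tiers and the PBKDF2 salt are constructed for illustration only; the permission tiers are an assumption, not a description of any particular cloud application's policy.

```python
"""Device-agnostic vs device-aware access decisions for a cloud application.

Added illustration; all users, devices and permission tiers are constructed.
"""
import hashlib
import hmac
from dataclasses import dataclass

# Constructed credential store: username -> PBKDF2 hash (never plaintext).
_SALT = b"demo-salt-not-for-production"


def _hash_password(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)


USERS = {"alice": _hash_password("correct horse battery staple")}

# Full permission set a cloud application might grant an authenticated user.
FULL = frozenset({"read", "download", "share"})


@dataclass(frozen=True)
class Device:
    """Posture of the client device presenting the credentials (assumed fields)."""
    device_id: str
    managed: bool       # enrolled and secured by the organization's IT
    antimalware: bool   # endpoint protection present


def authenticate(username: str, password: str) -> bool:
    """Username/password check with constant-time hash comparison."""
    stored = USERS.get(username)
    if stored is None:
        return False
    return hmac.compare_digest(stored, _hash_password(password))


def authorize_device_agnostic(username: str, password: str, device: Device) -> frozenset:
    """Conventional check: the device argument is ignored entirely.

    Valid credentials yield the same permissions from any device, which is
    exactly the weakness the text describes: stolen login information grants
    full access from an unmanaged, possibly infected machine.
    """
    del device  # deliberately unused
    if not authenticate(username, password):
        return frozenset()
    return FULL


def authorize_device_aware(username: str, password: str, device: Device) -> frozenset:
    """Same credentials, but the permission tier depends on device posture.

    Tiers are an assumption for illustration: managed + anti-malware gets
    full access, managed without anti-malware may not share, and an
    unmanaged device is limited to viewing.
    """
    if not authenticate(username, password):
        return frozenset()
    if device.managed and device.antimalware:
        return FULL
    if device.managed:
        return frozenset({"read", "download"})
    return frozenset({"read"})


WORK_PC = Device("work-laptop-01", managed=True, antimalware=True)
HOME_PC = Device("home-desktop", managed=False, antimalware=False)

if __name__ == "__main__":
    for label, dev in (("work", WORK_PC), ("home", HOME_PC)):
        print(label, "agnostic:", sorted(authorize_device_agnostic("alice", "correct horse battery staple", dev)))
        print(label, "aware:   ", sorted(authorize_device_aware("alice", "correct horse battery staple", dev)))
```

The point of the contrast is the last two calls: with the device-agnostic check, credentials phished or sniffed from the home computer unlock the same "share" and "download" rights as the secured work computer, whereas the device-aware check reduces an unmanaged device to read-only even when the password is correct.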
It would therefore be advantageous to provide an efficient solution for detecting unauthorized access attempts to cloud applications.