NorthSec 2021

Authentication challenges in SaaS integration and Cloud transformation
2021-05-21, 12:15–12:45, Main stream

Enterprise companies are using cloud applications at an increasing pace. The Work-from-home (WFH) new normal has made Cloud transformation even more demanding than ever. The Software as a Service (SaaS) access model is prevalent for WFH as it enables devices to connect from both the internet and the corporate network.

Even though many enterprises today have adopted SaaS solutions, a workable integration does not necessarily imply a secure one. Enterprises must come up with a strategic solution to maintain security standards sustainably.

Managing authentication in the Cloud is a complex problem, more complicated than the traditional, on-premise "Walled Garden" environments. Public Cloud applications reside in a more "open" and "shared" environment and therefore have different attack vectors and vulnerabilities. The conventional ways to handle authentication are not good enough to securely protect Public Cloud resources and SaaS applications from unauthorized access.

In this presentation, I will go through some common SaaS integration security pitfalls and the risk of unmanaged Cloud identities, and explain why adopting an Identity provider (IDP) solution is critical to handling Cloud authentication security. The audience will also look at how a Cloud-based IDP solution tackles Cloud authentication problems more intelligently than a traditional IDP.


This presentation is suitable for anyone interested in knowing how to tackle the Authentication challenges of Cloud transformation in a complex enterprise environment.


Now more than ever, enterprise companies are using cloud apps at an increasing pace. The pandemic outbreak has accelerated the digital shift. Work-from-home is the new normal, and this trend is unlikely to go away when the pandemic ends. This phenomenon has made Cloud transformation even more demanding. The access model of Software as a Service (SaaS) enables devices to connect from both the internet and the corporate internal network, which makes it a prevalent access model for WFH.

We have seen enterprises rely more on business-critical SaaS applications, such as Google G Suite, Microsoft Office 365, and Salesforce. Some of them have even started to deploy their in-house applications on Public Cloud Service Provider (CSP) platforms / Infrastructure as a Service (IaaS) like Amazon Web Services (AWS) and Azure. Even though many enterprises have adopted SaaS solutions, most are still early in the game or have only recently started their Cloud transformation journey. A workable integration does not necessarily imply a secure SaaS integration. To maintain security standards with sustainability and scalability, enterprises must develop a strategic roadmap by adopting industry-standard authentication protocols and moving away from homegrown authentication methodologies.

Managing authentication in the Cloud is a complex problem, more complicated than the traditional, on-premise (on-prem) environment. The conventional ways to handle authentication on-prem are not good enough to securely protect Public Cloud and SaaS applications from unauthorized access.


(1) SaaS integration authentication pitfalls

• The conventional on-prem environment is like a "Walled Garden", where business activities are conducted within the office or network boundaries, guarded by and monitored under an explicit firewall policy.

• In contrast, Public Cloud / SaaS applications reside in a more "open" and "shared" environment. They are accessible to any user with any endpoint from any location and therefore have different attack vectors and vulnerabilities. An intelligent way to strongly verify a user's identity, meaning contextual authentication that goes beyond Multi-factor authentication (MFA), is critical to securing the Cloud and SaaS endpoints.

• One of the most common SaaS authentication design failures is when a single sign-on (SSO) solution is not adopted or enforced across the board. Each SaaS application has its own identity store and password requirements. As a result, users must maintain multiple accounts manually, which creates a gateway for attackers to get unauthorized access to various SaaS applications.

(2) Risk of unmanaged growth in Cloud identities

• Failing to adopt an SSO solution in Cloud migration causes another pressing problem: the rapid creation of SaaS and CSP platforms' cloud identities.

• A typical example of poor identity lifecycle management is zombie SaaS accounts, where the SaaS accounts of inactive users or former employees remain active.

• Managing user account provisioning and de-provisioning across multiple SaaS and CSP platforms requires a centralized identity management solution.
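
One way to surface the zombie accounts described above is to reconcile each SaaS application's account export against the corporate directory. This is an added example, not part of the talk; the app names, field names, directory statuses and the 90-day idle threshold are assumptions, and all sample data is constructed.

```python
from datetime import date

# Constructed sample data: corporate directory (source of truth), keyed by email.
DIRECTORY = {
    "alice@example.com": "active",
    "bob@example.com": "terminated",
    "carol@example.com": "active",
}

# Constructed exports from two hypothetical SaaS apps, each with its own identity store.
SAAS_ACCOUNTS = [
    {"app": "crm", "email": "alice@example.com", "enabled": True, "last_login": date(2021, 5, 10)},
    {"app": "crm", "email": "bob@example.com", "enabled": True, "last_login": date(2021, 4, 30)},
    {"app": "wiki", "email": "carol@example.com", "enabled": True, "last_login": date(2020, 11, 2)},
    {"app": "wiki", "email": "dave@example.com", "enabled": True, "last_login": None},
    {"app": "wiki", "email": "bob@example.com", "enabled": False, "last_login": date(2021, 1, 5)},
]


def find_zombie_accounts(directory, accounts, today, max_idle_days=90):
    """Return sorted (app, email, reason) tuples for enabled accounts needing review."""
    findings = []
    for acct in accounts:
        if not acct["enabled"]:
            continue  # already de-provisioned in this app
        email = acct["email"].lower()
        status = directory.get(email)
        if status is None:
            reason = "not_in_directory"   # identity created outside central management
        elif status != "active":
            reason = "former_employee"    # leaver whose SaaS account is still enabled
        elif acct["last_login"] is None or (today - acct["last_login"]).days > max_idle_days:
            reason = "inactive"           # valid user, but the account is unused
        else:
            continue
        findings.append((acct["app"], email, reason))
    return sorted(findings)


if __name__ == "__main__":
    for app, email, reason in find_zombie_accounts(DIRECTORY, SAAS_ACCOUNTS, date(2021, 5, 21)):
        print(f"{app:5} {email:22} {reason}")
```

Without SSO, this reconciliation has to be repeated per application; with a central IDP, disabling the directory identity removes access to every federated app at once.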


(1) Adopt an Identity provider (IDP) solution

• By extending SSO to Cloud applications with a single authentication point through an IDP, users can access cloud / SaaS apps using their corporate identities without sending their credentials externally. The IDP solution dramatically improves the overall user experience and provides secure and uninterrupted services by keeping one credential.

• Enterprise companies that have a long history might also have more legacy applications. Some of these applications handle basic authentication (e.g., username/password) themselves and usually use homegrown authentication methodologies that do not follow the latest industry standards. Adopting an IDP solution enables the enterprise to embrace standard authentication protocols like OpenID Connect, OAuth, and SAML, and to integrate with various SaaS and CSP platforms seamlessly. The standardization also reduces vulnerabilities in the overall IT environment and helps enterprises meet compliance and regulatory requirements smoothly.

• It's essential to choose a good IDP solution that enables the security team to standardize the SSO connections to cloud applications and on-premises applications with a centralized policy framework.

(2) Tackle the Cloud authentication problems more intelligently using a Cloud-based IDP solution

• Most of the Cloud-based IDPs enable admin users to create policies that continuously assess risk and enforce policies to mitigate risks when they arise.

• Under the Zero Trust Security model, the perimeter is no longer at the network level but at the identity level. A Cloud-based IDP that leverages machine learning and contextual authentication would help both users and administrators solve the "anywhere, anytime, from any device" access challenge more intelligently. A Cloud-based IDP like Azure Active Directory provides services that automate the detection and remediation of identity-based risks.



Evelyn Lam is an Identity and Access Management Lead Security Architect, Vice President at Morgan Stanley. She has over 16 years of IT experience managing enterprise-scale global projects for such industries as Wall Street Investment Banking, Retail Banking, and Big 4 Consultancy. She has nine years of experience in leading security teams and development teams in North America and Asia, and in managing client relationships in North America, Europe, and Asia.

Evelyn specializes in strategic and architectural decision-making in authentication, identity management, cloud security, and data masking.

In addition to her Security Architect role, Evelyn has a track record of public speaking, tutoring, and mentoring since 2010. She was a speaker at Grace Hopper Conference 2020, a summer guild instructor in Women in Technology in New York 2019, and a speaker and panelist at security conferences. Evelyn has been an instructor of entry-level and advanced security classes teaching security architecture and threat modeling in her Firm since 2018. She is an active member of campus recruitment teams in North America. She is also a mentor in Rewriting the Code (RTC).

Evelyn is a Certified Information Security Manager with a Master's degree in Computer Science.
