Cloud applications are becoming a real security conundrum for IT security professionals since they can potentially expose businesses to problems ranging from data theft to service interruptions. Lack of control is the real challenge. Cloud-based applications are beyond the controls of the firewall and may involve data traversing a multitude of routers, data centers and hosts.

Further complicating the security issues around cloud services is the fact that mobile employees may be able to access those services from remote locations, completely eschewing corporate policies, data center controls or other security mechanisms – meaning that IT administrators have no visibility into transactions and are powerless to authoritatively protect corporate data in transit.

While the problems with cloud application security are nothing new, IT administrators are starting to see some powerful security technologies come to their aid. New services and products are arriving on an almost daily basis, which aim to serve and protect corporate data traversing the wild west of the cloud.

How SAML Can Help

The key to protecting information handled by cloud services comes in the form of SAML (Security Assertion Markup Language), an XML-based open standard data format for exchanging authentication and authorization data between multiple parties. With the use of SAML on the rise, a multitude of cloud services vendors such as Concur, Salesforce, SugarCRM and others have implemented support for SAML. However, SAML alone won’t protect much.


The trick is to integrate a few different technologies around SAML, such as SSO (single sign-on), encryption and intrusion detection. These technologies, when combined, give IT administrators control of cloud application security akin to the level of security offered inside the firewall.

That combination of technologies also solves another major challenge for IT administrators, the issues surrounding BYOD, where employees are encouraged to use their personal devices to access corporate data, either inside the data center or out in the cloud.

By enforcing SAML-based authentication and authorization, administrators can regain control of corporate traffic, even when it is accessed from BYOD devices, effectively killing two birds with one stone – the security issues of cloud services and BYOD adoption.

Products that Leverage SAML

However, SAML is not a roll-your-own solution for cloud application security issues. Solving those problems takes a little more than creative coding; it means relying on some type of proxy to handle the traffic, as well as the authentication. A few vendors have come on the scene to offer exactly that – a case in point is Bitglass, a startup that has just begun to offer services that leverage SAML and provide proxy-based access to some major cloud services providers. This review of its solution discusses how it works.

Bitglass isn’t the only player in town. Other ventures worth a look include AirWatch, IBM Fiberlink and Citrix Zenprise – although these solutions focus more on the BYOD element than on general access to cloud applications. For a focus on security beyond the firewall and BYOD-based concerns, a group of additional vendors tackling cloud application security includes Adallom, CloudLock, Skyhigh Networks, Skyfence, nCrypted Cloud and a few others that are still in stealth mode.

The lesson here is that there is no longer an excuse to leave cloud applications with anything less than enterprise protection. Savvy administrators should research hosted security offerings to solve thorny issues around both hosted applications and BYOD, and they should be asking: "Can I Get SAML with that?"

Frank Ohlhorst is an award-winning technology journalist, professional speaker and IT business consultant with over 25 years of experience in the technology arena. He has written for several leading technology publications, including ComputerWorld, TechTarget, PCWorld, ExtremeTech, Tom's Hardware and business publications, including Entrepreneur, Forbes and BNET. Ohlhorst was also the Executive Technology Editor for eWeek and formerly the director of the CRN Test Center.