I'm currently evaluating a SaaS Cloud provider and I would like to get your opinion on a certain topic.
The cloud provider which I'm evaluating provides local user management in the application. Our company has certain requirements regarding the use of multifactor authentication.
Unfortunately, the only "second factor" currently provided by the vendor is the configuration of IP address whitelisting.
In my opinion this isn't a reliable second factor for authenticating users in the year 2018. Even though the possibility of spoofing public IP addresses (in a TCP session) is relatively low, a public IP address may be used by multiple companies (e.g. using NAT).
I would like to hear the opinion of other security professionals on this topic.
Best regards from Germany
PS: I know, this is not "Industry News", but I didn't find any better category.
@EIAKPKP452: SAML is another provided option. The problem is that not all connected affiliates have an ADFS in place. Local accounts with MFA are our fallback scenario.
@Early_Adopter: I'm sorry, but I signed an NDA with the vendor.
I now think the vendor uses the word "cloud" only for marketing purposes. In fact it is classical hosting and has nothing to do with the cloud principles (scalability, pay-as-you-go, ...). So it isn't surprising anymore that there is no valid MFA solution in place.
As many people have already commented; whilst IP white-listing can be useful, from a security perspective, it is insufficient as an authentication factor.
This sounds like a scenario that I have experienced many times.
The vendor is attempting to proposition their product based upon current industry trends rather than legitimate technical capabilities.
It is very important to study RFP responses, and the technical validity of Sales pitches, to be sure you are getting a good product and working with a technically capable vendor.
You can also mitigate risk by seeking references from the vendor's other customers.
Technology research organisations can provide good independent insight.
I now think the vendor uses the word "cloud" only for marketing purposes. In fact it is classical hosting and has nothing to do with the cloud principles (scalability, pay-as-you-go, ...).
Yes, a good point to make organizationally - "cloud" is a marketing term, not a standard. What is interesting to note is that multi-factor authentication is not one of the requisite five attributes that (ISC)2 and the Cloud Security Alliance designate (self-service, broad access, resource pooling, elasticity, pay as you go). A lot of this points toward these services still being pretty cloudy (pun intended) in terms of what they offer and what they are. This can also greatly skew the metrics for measuring cost, benefit and risk.
Pedant's corner... 😛
I would term MFA a control to secure access as opposed to an attribute; I wouldn't expect it to be called out by the CSA as such.
On those attributes, I think 'measured service' is preferred to 'pay-as-you-go', and the addition of the ISO/IEC 17788 contribution of 'multi-tenancy'.
@deja On the NDA bit, why not refer the vendor to this thread? They can then have a look and a think, and then perhaps consider how to enhance the security of their service.