From single sign-on to MFA: Effectively securing cloud systems

Moving away from on-premise systems to cloud applications – the system landscape of companies is in a state of transition. This poses immense challenges for processes and IT security. Companies are faced with the task of securing their cloud systems, which are located outside the corporate network. As suitable software solutions, SAP has the SAP Identity Authentication Service (IAS) and the on-premise variant SAP Single Sign-On in its portfolio.

Use existing identity providers for secure authentication

Single Sign-On: Log on once, access many times over

Different login procedures are available for authentication. Single sign-on means that a single authentication is sufficient to gain access to multiple systems and applications. A major advantage is that existing identity providers can continue to be used. Single Sign-On creates a central authentication point and allows the establishment of a standardized procedure for authentication in accordance with the security guidelines applicable in the company. After authentication at the corporate identity provider, the user is also authorized to access other configured applications.

MFA ensures higher security

Multi-factor authentication (MFA) increases security by verifying access authorization using an additional component. Examples include a soft token (generation of a one-time password via a mobile app on the smartphone), sending a passcode via SMS, biometric features such as the fingerprint, or an encrypted USB stick. Not every system requires this increased security standard; it is recommended in particular for security-critical applications.

The solutions from SAP

SAP Identity Authentication Service

SAP Identity Authentication Service (IAS) is a cloud solution on SAP Business Technology Platform. SAP IAS therefore runs outside the corporate network. The benefits of SAP IAS include easy configuration and native integration of cloud applications. Virtually no custom coding is required. Since the service is sourced from the cloud, companies do not have to worry about infrastructure and maintenance. With Embedded MFA, SAP IAS provides a native service to set up multi-factor authentications. Disadvantages include the limited choice of single sign-on technologies and the lack of SAP GUI integration.

SAP Single Sign-On is the on-premise solution for authentication and is based on the NetWeaver stack. Compared to SAP IAS, the software offers more customer-specific options for MFA integration, provided the necessary expertise is available in the company. SAP GUI integration forms the basis for maintaining on-premise systems. However, the setup of SAP Single Sign-On is significantly more complicated and maintenance more complex.

Access control for cloud systems

In the pure on-premise world, the user must be within the company network to access a system. In cloud systems, access control is more complicated. For this reason, there is the so-called risk-based authentication. It serves to secure critical systems and applications in the cloud in the best possible way. This is achieved, for example, by mandatory MFA authentication when a user wants to log in from outside the corporate network, or by defining logging functionalities based on special characteristics. This enables companies to either specifically allow or block access.

Interaction of SAP IAS and Identity Provider

Authentication is a company-specific issue. Each company has its own security policies that must be followed. A common recommendation is to use SAP IAS in conjunction with a corporate identity provider. In this case, all cloud applications are connected with SAP IPS and not directly with Active Directory. In addition to authentication, provisioning plays a role in functioning user management. It is important that the users are also existing in the systems. For this purpose, Active Directory can be used as a source system, so that data can be written to the cloud systems via SAP Identity Provisioning Service (IPS).