Financial services firms are very interested in cloud computing.
But one of their main worries, as Phil Wainewright says in his blog, is the risk of data being exposed to third parties in a multi-tenant environment.
Strong authentication, by SSO or PKI, is one way to address this.
But what happens when you have a man-in-the-browser (MitB) attack?
An MitB is a trojan that infects the web browser and can modify pages, modify transaction content or insert additional transactions, all invisible to both the user and the host application. Mechanisms such as SSL/PKI and two- or three-factor authentication are useless against it, because it works at the transaction level, not the authentication level: the user is genuinely logged in, and the trojan simply rides on that authenticated session.
Solution? Simple: think outside the browser, by using another channel to verify the transaction: an automated telephone call that reads the transaction details back to the customer and asks for confirmation. The caveat is that the call has to repeat the details the bank actually received (amount, beneficiary); a call that only asks “press 1 to approve” gives the customer nothing to compare against, and the MitB wins anyway.
So now you have a “three-factor” defence against criminal activities exploiting your SaaS application.
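To make the mechanism concrete, here is an added example (not code from the original post, and not any bank's actual implementation) that simulates the three parties: the browser, which the trojan controls; the server, which only ever sees what the browser sent; and the telephone channel, which the trojan cannot reach. The server derives a six-digit confirmation code as an HMAC over the pending transfer, so the code is bound to the details that will be executed, and the automated call reads those details back. The account identifiers, the `redirect_to_mule` payload and the demo key are all constructed for the example.

```python
import hmac
import hashlib
import secrets
from dataclasses import dataclass, replace
from typing import Callable, Optional, Tuple

# Constructed demo key; a real deployment keeps this in an HSM or secret store.
SERVER_KEY = b"demo-key-for-illustration-only"


@dataclass(frozen=True)
class Transfer:
    account_from: str
    account_to: str
    amount_cents: int


def confirmation_code(t: Transfer, nonce: bytes, key: bytes = SERVER_KEY) -> str:
    """Six-digit code that commits to the transfer the server actually received.

    The code is an HMAC over a per-transaction nonce and the canonical transfer
    fields, so a code issued for one transfer does not verify for another.
    """
    msg = nonce + f"{t.account_from}|{t.account_to}|{t.amount_cents}".encode()
    mac = hmac.new(key, msg, hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 1_000_000:06d}"


def spoken_prompt(t: Transfer, code: str) -> str:
    """Text the automated call reads to the customer: the details, then the code."""
    return (f"You requested a transfer of {t.amount_cents / 100:.2f} to account "
            f"{t.account_to}. If this is correct, enter code {code} in your browser.")


def run_transfer(intent: Transfer,
                 tamper_request: Optional[Callable[[Transfer], Transfer]] = None,
                 tamper_final: Optional[Callable[[Transfer], Transfer]] = None,
                 read_back_details: bool = True) -> Tuple[str, str]:
    """Walk one transfer through browser, phone channel and server.

    intent:            what the customer typed into the form.
    tamper_request:    MitB rewrites the form before it reaches the server.
    tamper_final:      MitB rewrites the details when the code is submitted.
    read_back_details: whether the call reads the details or only asks for approval.
    Returns (outcome, text spoken on the call).
    """
    # 1. Browser -> server. The server only sees what the (possibly infected) browser sent.
    submitted = tamper_request(intent) if tamper_request else intent
    nonce = secrets.token_bytes(16)
    pending = submitted                       # server stores the pending transfer
    code = confirmation_code(submitted, nonce)

    # 2. Server -> customer over the phone. The trojan in the browser cannot alter this.
    if read_back_details:
        prompt = spoken_prompt(submitted, code)
        customer_agrees = submitted == intent  # customer compares what they hear with what they meant
    else:
        prompt = f"Press 1 to approve your transaction, then enter code {code} in your browser."
        customer_agrees = True                 # nothing to compare against, so they approve
    if not customer_agrees:
        return "REJECTED_BY_CUSTOMER", prompt

    # 3. Customer types the code into the browser, which forwards it; the MitB may
    #    alter the accompanying details once more at this point.
    final = tamper_final(submitted) if tamper_final else submitted
    if final != pending or not hmac.compare_digest(confirmation_code(final, nonce), code):
        return "REJECTED_BY_SERVER", prompt
    return "EXECUTED", prompt


def redirect_to_mule(t: Transfer) -> Transfer:
    """Constructed MitB payload: swap the beneficiary, keep everything else."""
    return replace(t, account_to="ACCT-MULE")


if __name__ == "__main__":
    intent = Transfer("ACCT-CUSTOMER", "ACCT-BENEFICIARY", 25_000)
    print(run_transfer(intent)[0])
    print(run_transfer(intent, tamper_request=redirect_to_mule)[0])
    print(run_transfer(intent, tamper_request=redirect_to_mule, read_back_details=False)[0])
    print(run_transfer(intent, tamper_final=redirect_to_mule)[0])
```

Running it shows four outcomes: an untampered transfer executes; a beneficiary swapped in the browser before submission is caught by the customer, because the call reads back a beneficiary they never entered; the same swap succeeds when the call omits the details; and a swap made after the customer has entered the code is rejected by the server, because the details no longer match the stored pending transfer and the code does not verify against them. That last check is what a tester should try to break: submit a valid confirmation code together with altered details and confirm the server refuses.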
All three 'factors' have to be tested individually and also as an end-to-end process chain, to minimize possible defects and risks.
Just a (simplified) scene in which a security tester can find himself while testing a SaaS application for, for example, an online bank.