Press Release

Authenticating the Cloud

25 March 2010

Dave Abraham, CEO, Signify

While much has been discussed about the security of applications and data in the cloud, there is a blind spot when it comes to authentication. Dave Abraham, CEO at Signify, sheds light on the issue.

Cloud Computing was a hot topic last year and without a doubt it will remain high on the IT agenda over the next few years. In fact, Gartner puts it at the top of its Technology Trends list for 2010 and estimates that worldwide cloud services revenue will surge to more than $150 billion in 2013.

While the cost benefits of using applications in the cloud are compelling, many still have major concerns about the security, policy and legal implications of cloud services. In particular, there has been much debate about the protection and governance of sensitive data residing on third-party datacentres and accessed remotely. Yet, despite all of the very public concerns about the security of applications and data in the cloud, there is one major aspect that appears to have been largely overlooked. This blind spot is user identification and authentication.

Over the past five years or so, in the 'traditional' world of IT, there has been a major shift away from relying solely on a user name and password to grant users access to applications, and towards strong two-factor authentication (2FA). 2FA is certainly not a new concept, and with the increase in remote and home working for greater flexibility, a better work/life balance and cost savings, it is increasingly being used to secure remote access.

Basically, 2FA works by requiring the user to present two different factors of identity: typically 'something you know', such as a secret PIN or password, combined with either 'something you have', like a One Time Passcode (OTP) delivered to a hardware token, smartcard or mobile phone, or 'something you are', such as a fingerprint, iris scan or facial recognition.

The use of one-time passcodes generated by hardware tokens is still the most popular approach, but more recently there has been interest in tokenless authentication using passcodes delivered "on demand" to mobile phones or other devices.
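To make the 'something you know' plus 'something you have' combination concrete, the following is an added example (not Signify's product code) of the server side of an event-based OTP check: codes are computed as in RFC 4226 HOTP, which is what most hardware tokens implement, and the verifier accepts a code only once and only within a small look-ahead window. The shared secret is the RFC 4226 test key; the PIN and user are constructed for the example.

```python
import hmac
import hashlib
import struct

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP per RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter,
    then 'dynamic truncation' to a decimal code of the requested length."""
    msg = struct.pack(">Q", counter)
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)

class TwoFactorVerifier:
    """Server-side state for one user: the PIN ('something you know'), the
    token secret ('something you have') and the next expected token counter."""

    def __init__(self, pin: str, token_secret: bytes, look_ahead: int = 5):
        self.pin = pin
        self.secret = token_secret
        self.counter = 0            # next counter value the server expects
        self.look_ahead = look_ahead

    def verify_code(self, submitted: str) -> bool:
        # Try the next look_ahead counters so that token presses that never
        # reached the server do not lock the user out. On a match, move past
        # the used counter so the same passcode can never be accepted again.
        for c in range(self.counter, self.counter + self.look_ahead):
            if hmac.compare_digest(hotp(self.secret, c), submitted):
                self.counter = c + 1
                return True
        return False

    def login(self, pin: str, code: str) -> bool:
        # Both factors must pass; the PIN is compared in constant time, and the
        # OTP is checked even when the PIN is wrong so timing does not reveal
        # which factor failed.
        pin_ok = hmac.compare_digest(pin, self.pin)
        code_ok = self.verify_code(code)
        return pin_ok and code_ok

# Constructed sample: RFC 4226 test secret, hypothetical PIN.
TEST_SECRET = b"12345678901234567890"
verifier = TwoFactorVerifier(pin="4821", token_secret=TEST_SECRET)
```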

However, while token or tokenless 2FA is becoming the de facto standard for remote access to server-based business applications, most of the existing popular SaaS (Software as a Service) applications, such as Salesforce.com and Google Apps, still only provide authentication with static passwords that can be easily compromised.

This does appear to be a security anomaly in the cloud. It is even harder to understand given that many industry policies and guidelines, such as PCI DSS, increasingly specify 2FA for remote access, yet many organisations do not seem to realise that these compliance requirements also cover access to their SaaS applications.

But while most SaaS application vendors and cloud service providers still only support a user name and password, there are ways to fill this gap with the addition of third-party services. An example of this is Signify's new SaaS Login component, which integrates our token or tokenless hosted 2FA services with SaaS applications.

Another problem that faces cloud service providers and users is the issue of single sign-on. Currently, every time a user logs on to another cloud application they have to re-authenticate themselves with a separate set of credentials that they have to remember.

Solutions that let a user log in once to multiple applications are commonplace at the intranet level, using networking protocols and directory services such as Kerberos, which provides a centralised authentication system that other network applications can use. Extending these solutions to the cloud has been problematic. However, the SAML (Security Assertion Mark-up Language) authentication protocol, developed by the Organization for the Advancement of Structured Information Standards (OASIS), is emerging as the enterprise standard underlying many browser-based authentication solutions.

SAML assumes that a user has enrolled with at least one identity provider who is expected to provide local authentication services. At the user's request, the identity provider passes a SAML assertion to a new service or application provider to provide access.

SAML attempts to remove the problems of handling multiple credentials by delivering a federated identity and authentication solution. For example, using Signify's SAML-based SaaS Login enables users to log in with their existing 2FA credentials and then have easy 'one click' sign-on to each cloud or SaaS application that supports SAML, without requiring further authentication.
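The assertion hand-off described above has a receiving side that is easy to get wrong: the service provider must check who issued the assertion, that it was issued for this provider, that it is still within its validity window and that it has not been presented before. The following added example (not Signify's SaaS Login code) shows those checks on a constructed SAML 2.0 assertion; the entity ids and user are hypothetical, and it assumes the XML signature has already been verified against the identity provider's certificate by the calling code.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML_NS}

# Constructed sample assertion as an identity provider (IdP) would send it to a
# service provider (SP). Hypothetical entity ids; the signature element is omitted.
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML_NS}" ID="_a1b2c3" Version="2.0"
    IssueInstant="2010-03-25T10:00:00Z">
  <saml:Issuer>https://idp.example.com/2fa</saml:Issuer>
  <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2010-03-25T10:00:00Z" NotOnOrAfter="2010-03-25T10:05:00Z">
    <saml:AudienceRestriction><saml:Audience>https://crm.example.net/sp</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""

def parse_time(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

class ServiceProvider:
    def __init__(self, entity_id: str, trusted_issuer: str):
        self.entity_id = entity_id            # the audience this SP expects to see
        self.trusted_issuer = trusted_issuer  # the only IdP whose assertions are accepted
        self.seen_ids = set()                 # assertion IDs already consumed (replay guard)

    def validate(self, xml_text: str, now: datetime):
        """Return the authenticated NameID, or None if the assertion must be rejected.
        Assumes the XML signature was already verified by the caller."""
        root = ET.fromstring(xml_text)
        if root.tag != f"{{{SAML_NS}}}Assertion":
            return None
        if root.findtext("saml:Issuer", namespaces=NS) != self.trusted_issuer:
            return None
        cond = root.find("saml:Conditions", namespaces=NS)
        if cond is None:
            return None
        # Validity window: NotBefore is inclusive, NotOnOrAfter is exclusive.
        if not (parse_time(cond.get("NotBefore")) <= now < parse_time(cond.get("NotOnOrAfter"))):
            return None
        audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
        if self.entity_id not in audiences:
            return None
        assertion_id = root.get("ID")
        if assertion_id is None or assertion_id in self.seen_ids:
            return None
        self.seen_ids.add(assertion_id)
        return root.findtext("saml:Subject/saml:NameID", namespaces=NS)
```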

Allowing users to identify and authenticate themselves just once, with a single set of two-factor authentication credentials, for access to all their network or cloud-based applications increases the level of protection and avoids costly helpdesk calls from users who have forgotten their passwords.

With more SaaS applications appearing every week and software vendors jumping on to the cloud, it is clear that there is an urgent need to embrace strong two-factor authentication with a solution that eliminates the need to log on separately to every application. Certainly, the ability to obtain state-of-the-art software services with little or no development cost or capital expenditure, and to benefit from ongoing flexibility and cost savings, is a tempting proposition. But these benefits must not blind users to the considerable risks they face if they fail to address the need for better authentication in the cloud.