Published on February 17, 2014
Securing the Cloud Authentication Perspective
Moving to the Cloud is like... moving your data from your own personal safe to a safety deposit box in a bank. Access to your safety-deposit box is controlled by the bank, not you. In most cases all you need to supply is the right name and the right “password”.
The Cloud
• Is a very public place
• Everyone knows where your front door is
• Everyone knows what your username is
• Just one password away from access!
In “The Cloud”, all access is Remote Access (remote from the application at least)
It is not Rocket science
• I know that Dell use Salesforce CRM (source: Salesforce.com)
• I know that Michael Dell is CEO (source: Wikipedia)
• I know the format of Dell emails is email@example.com (source: my inbox)
• Just one password away from access ?????
Passwords and “The Cloud”
• Passwords in public places are not safe
• How many different strong passwords can a user safely remember? NOT ENOUGH!
• Recent straw poll: users accessed at least 20 different password protected services!
Strong Passwords ???
Analysis of the 32 million passwords exposed in Jan 2010 in the breach of social media application developer RockYou, whose applications can be used on Facebook and Myspace, revealed the top 10 most commonly used passwords were:
1st: 123456
2nd: 12345
3rd: 123456789
4th: password
5th: iloveyou
6th: princess
7th: rockyou
8th: 1234567
9th: 12345678
10th: abc123
(source: www.cxo.eu.com)
Don’t forget: for many attacks the strength of the password is no defence.
Password Reuse
• Password Reuse is inevitable
• Cloud breaches (PSN, Sega, Facebook etc) have knock-on impacts
• Your corporate data may only be as secure as the least secure Cloud service being used by your employees
• Can we rely on people separating their corporate and social identities? No!
“…Sega explained that it had reset all passwords and urged customers to change their log-on details on other services and websites where they used the same credentials…” (Source: http://www.bbc.co.uk/news/technology-13829690)
Authentication and the Cloud
Using Cloud services can mean:
• You delegate authentication policies to the Cloud provider
• You create multiple control points for user access
  • If you use multiple Cloud services
  • If you use a mix of Cloud and non-Cloud services
  • Forgetting to remove access from ex-employees is a common cause of loss of commercial data
• You rely on username/password
Authentication and the Cloud
• The need for strong authentication for remote access (eg VPN) is well understood
• Customers purchase Remote Access solutions and an Authentication solution
• The same authentication solution is ideally used across all remote access services
Approach
• Separate Authentication from the Cloud Service
• Use a single Authentication service for all services, Cloud and non-Cloud
• Keep control over your access policies
• Apply appropriate authentication
If I have access rights to data because I am an employee of an organisation, then that organisation should control my access.
New Authentication Model
• Not a new idea, but now becoming possible
[Diagram: Traditional Approach (Enterprise creates/deletes accounts at the service; the user sends user-name and credentials in the access request and the service checks the credentials) versus Federated Approach (Enterprise configures the service; the access request is redirected to the Enterprise, which checks the user-name and credentials)]
“If anyone wants to access my data, send them to me!”
“Phone Home” Model
• Enterprise owns the identity
• Single point of control
• Cloud services do not store credentials
• Cloud services do not set authentication policies
• Multi-factor where required
• Risk-based authentication
• User needs one set of credentials
[Diagram: a Core Authentication Platform serving Cloud Applications, VPN Access and the Intranet]
The “phone home model” is like... when a user wants to access your safety deposit box, the bank sends them to you. The person confirms their identity to YOU in the manner you decide. You tell the bank that they can access the data.
Swivel and Office 365
[Diagram: Internet → ADFS Proxy → ADFS Server (with the Swivel filter) → Active Directory; ADFS Request / Response]
System can be configured so users already on the LAN need not authenticate again to Office 365. Developments will allow the same for other SAML-based cloud services.
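The “phone home” model above and the LAN-bypass behaviour described for the Office 365 deployment can be shown end to end in a short simulation. The following is an added example, not Swivel’s or Microsoft’s code: a hypothetical enterprise identity provider (EnterpriseIdP) owns the user store and the policy, and two hypothetical cloud services (CloudService) hold no credentials at all, only a key to verify assertions. The token is a simplified HMAC-signed JSON assertion standing in for a SAML assertion; the users, passwords, networks and one-time code are constructed sample data.

```python
import hashlib
import hmac
import ipaddress
import json
import secrets
import time
from dataclasses import dataclass
from typing import Optional

# Constructed illustration: users, passwords, networks and the one-time code are
# made-up sample data; the token is a simplified HMAC-signed JSON assertion.


def _hash_pw(password: str, salt: bytes) -> bytes:
    # Passwords exist only at the enterprise, salted and stretched with PBKDF2.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


@dataclass
class UserRecord:
    pw_salt: bytes
    pw_hash: bytes
    active: bool = True             # cleared when the employee leaves
    requires_otp: bool = False      # "multi-factor where required"
    otp_code: Optional[str] = None  # hypothetical pre-shared one-time code


class EnterpriseIdP:
    """The endpoint cloud services 'phone home' to: owns identities and policy."""

    def __init__(self, signing_key: bytes, lan_networks):
        self._key = signing_key
        self._lan = [ipaddress.ip_network(n) for n in lan_networks]
        self._users = {}

    def add_user(self, name, password, requires_otp=False, otp_code=None):
        salt = secrets.token_bytes(16)
        self._users[name] = UserRecord(salt, _hash_pw(password, salt), True, requires_otp, otp_code)

    def disable_user(self, name):
        # One change here removes access to every federated service at once.
        self._users[name].active = False

    def authenticate(self, name, password=None, otp=None, client_ip="0.0.0.0", audience="", now=None):
        """Return a signed assertion for `audience`, or None if policy is not satisfied."""
        rec = self._users.get(name)
        if rec is None or not rec.active:
            return None
        on_lan = any(ipaddress.ip_address(client_ip) in net for net in self._lan)
        if not on_lan:  # users already on the LAN are not asked to authenticate again
            if password is None or not hmac.compare_digest(_hash_pw(password, rec.pw_salt), rec.pw_hash):
                return None
            if rec.requires_otp and (otp is None or not hmac.compare_digest(otp, rec.otp_code)):
                return None
        now = time.time() if now is None else now
        body = {"sub": name, "aud": audience, "iat": now, "exp": now + 300}
        payload = json.dumps(body, sort_keys=True).encode()
        sig = hmac.new(self._key, payload, hashlib.sha256).hexdigest()
        return payload.hex() + "." + sig


class CloudService:
    """Relying party: stores no credentials and sets no password policy."""

    def __init__(self, name, verify_key):
        self.name = name
        self._key = verify_key

    def accept(self, token, now=None):
        """Return the user name if the assertion is genuine, addressed to us and unexpired."""
        try:
            payload_hex, sig = token.split(".")
            payload = bytes.fromhex(payload_hex)
        except (AttributeError, ValueError):
            return None
        expected = hmac.new(self._key, payload, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, sig):
            return None
        body = json.loads(payload)
        now = time.time() if now is None else now
        if body["aud"] != self.name or body["exp"] < now:
            return None
        return body["sub"]


def demo():
    """Run the federated flow against constructed users and return each outcome."""
    key = secrets.token_bytes(32)
    idp = EnterpriseIdP(key, lan_networks=["10.0.0.0/8"])
    idp.add_user("alice", "correct horse battery staple")
    idp.add_user("bob", "another-long-passphrase", requires_otp=True, otp_code="482913")
    crm, mail = CloudService("crm.example", key), CloudService("mail.example", key)
    remote = dict(client_ip="198.51.100.7", audience="crm.example")
    r = {}
    tok = idp.authenticate("alice", "correct horse battery staple", **remote)
    r["alice_remote"] = crm.accept(tok)                                        # "alice"
    r["wrong_audience"] = mail.accept(tok)                                     # None: bound to crm
    r["tampered"] = crm.accept(tok[:-1] + ("0" if tok[-1] != "0" else "1"))   # None
    r["expired"] = crm.accept(tok, now=time.time() + 600)                      # None
    r["bob_no_otp"] = idp.authenticate("bob", "another-long-passphrase", **remote)  # None: 2FA mandatory
    r["bob_with_otp"] = crm.accept(idp.authenticate("bob", "another-long-passphrase", otp="482913", **remote))
    r["bob_on_lan"] = crm.accept(idp.authenticate("bob", client_ip="10.1.2.3", audience="crm.example"))
    idp.disable_user("alice")  # ex-employee: no per-service clean-up needed
    r["alice_after_leaving"] = idp.authenticate("alice", "correct horse battery staple", **remote)
    return r
```

One simplification to keep in mind: because the assertion is HMAC-signed, the cloud service holds the same key as the identity provider and could mint assertions itself. Real SAML deployments sign with the identity provider’s private key and give the service only the public certificate, so the service can verify but not forge.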
Swivel and Office 365
Swivel and Office 365 (Demo)
• Forms Based Authentication, customisable
• Additional credential only required if the user has a PINsafe account (optional)
• Some users could have 2FA mandatory