It looks like cloud computing is more than a passing trend and is here to stay. Gartner estimates that worldwide cloud services revenue will surge to more than $150 billion in 2013. For many organisations the cloud offers a very flexible and more cost-effective means of delivering IT services and applications.
There are lots of different flavours of the cloud, with public, private, hybrid and community deployment models. There are also a range of different service models. Infrastructure as a Service (IaaS) is ideal for raw storage and computing power, whereas Platform as a Service (PaaS) is used for traditional email and database server applications. But the most mature and prevalent cloud service is Software as a Service (SaaS) – with the likes of Google Apps and Salesforce.com, plus a whole host of new niche apps.
While the cloud can mean different things to different people, one thing in common is concern about security, policy and legal implications. In particular, there has been much debate about the protection and governance of sensitive data residing on third-party datacentres and accessed remotely.
With IaaS, the focus is on firewalls, encryption and data security, while with PaaS we have to think seriously about application vulnerabilities. Once these issues are taken care of in the underlying cloud layers and by the time we get to SaaS, all we’re left with in terms of security is user authentication and authorisation.
Surprisingly, this, for a long time, appeared to be a blind spot that was overlooked by SaaS providers.
But Google’s recent announcement that it is providing two-factor authentication (2FA) for Google Apps reflects a move away from simple password access to stronger authentication for cloud-based applications. And it’s about time; over the past five to 10 years the ‘traditional’ world of IT has already seen a major shift from relying solely on user name and password to strong two-factor authentication.
The use of one-time passcodes through hardware tokens is still the most popular and reliable approach. But more recently there has been a growth in software tokens that, in effect, turn a mobile phone into a token; as well as tokenless authentication where passcodes are delivered on demand to mobile devices. This was the solution chosen for Google Apps.
Some of this shift can be attributed to the need to comply with industry policies and guidelines, such as PCI DSS, that are increasingly specifying 2FA for remote access. What is less well known is that these compliance requirements also include access to any SaaS applications.
So, if you are using a range of SaaS applications, then the chances are that some will use 2FA, while most will still only support user name and password. This makes policy enforcement difficult to manage and identity and access management challenging for users, with multiple accounts, passwords and 2FA credentials. Every time a user logs on to another cloud application they have to re-authenticate themselves with a separate set of credentials – maybe with a mobile phone or physical token. And for the support desk, handling password resets and lost tokens or phones is expensive and time consuming.
Solutions to log-in once to multiple applications are common-place at the intranet level using networking protocols and directory services, such as Kerberos, which provides a centralised authentication system that can be utilised by other network applications.
Extending these solutions to the cloud has been problematic. However, the SAML (Security Assertion Mark-up Language) authentication protocol developed by the Organization for the Advancement of Structured Information Standards (OASIS) group, is emerging as the enterprise standard underlying many browser-based authentication solutions.
SAML assumes that a user has enrolled with at least one identity provider that is expected to provide local authentication services. At the user’s request, the identity provider passes a SAML assertion to a new service or application provider to provide access.
SAML attempts to remove the problems of handling multiple credentials by delivering a federated identity and authentication solution. Many firms are now filling the gap with third-party 2FA hosted services that not only integrate token or tokenless authentication for SaaS applications, but also deliver a federated identity.
For example, using a SaaS login service based on SAML enables users to log in using their existing 2FA credentials and then have easy ‘one click’ sign-on to each cloud or SaaS application that supports SAML, without requiring further authentication.
Google has been a strong supporter of SAML, and the fact that it has now made 2FA available for Google Apps is a strong endorsement. But it’s not a corporate digital identity, it’s a Google digital identity, and it isn’t portable. A digital identity used to access enterprise applications needs to be owned by that enterprise.
It is important to allow users to identify and authenticate themselves just once for access to all their network or cloud-based applications using a single set of 2FA credentials. This is not only easier for the user, but it increases the level of protection and avoids costly helpdesk calls as a result of forgotten passwords.
With more SaaS applications appearing every week and software vendors jumping on to the cloud, it is clear that there is an urgent need to embrace strong two-factor authentication with a solution that eliminates the need to log on separately to every application.
The ability to obtain state-of-the-art information software services with little or no development costs or capital expenditure sounds attractive. Add to that the ongoing flexibility and cost savings, and it’s an extremely tempting proposition. But these benefits must not blind users to the considerable risks they face if they fail to address the need for better authentication in the cloud.
Dave Abraham is CEO and co-founder of Cambridge-based Signify, a secure authentication provider of two-factor authentication as a hosted service. Prior to co-founding Signify, Abraham ran consulting firm IS Online, helping companies add web interfaces to existing corporate databases in the late nineties. He also helped start the web division of a London-based marketing consultancy, The Words Group, in the early days of the web, where he was also IT manager. Abraham has a degree in applied computing from the University of East Anglia in Norwich.