Cloud computing is changing the way we interact with devices, software, data and processes. But some things never change, and one thing that remains true across the old and new computing paradigms is the importance of authentication to confirm the identity of the user and/or system with which we’re communicating.

Identity management and authentication form the basis for security whether in the cloud or on the local network. Managing identities has been enough of a challenge within the corporate network, and became more so as businesses formed federations for the purpose of sharing resources across organizational lines. Private, public and hybrid clouds are adding yet another layer of complexity.

Users want security to be seamless and transparent. Users’ top priority is access – the ability to get the information they need to get their work done, as quickly and conveniently as possible. The problem is that security and convenience will always occupy opposite ends of a continuum; the more you have of one, the less you have of the other.

In a private cloud, to which users log on via a virtual private network, authentication can work in effectively the same way as on a local corporate network. Public clouds may be a different story, since everything depends on how the cloud vendor has implemented security.

Single Sign-On (SSO) is the holy grail of authentication. The good news is that federated identities are capable of bridging the gap and allowing users to log onto a public cloud service (for example, SalesForce.com) using the same username and password that serve as their corporate credentials. The bad news is that only some public cloud services offer this convenience.

For the most part, both IT professionals and end users are still struggling with authentication. For end users, this means remembering multiple user names and passwords for multiple cloud services; for IT, it means supporting all those users who inevitably forget some of those passwords.

Then there’s the whole problem with passwords, which is that they can be cracked through brute force attacks, obtained through social engineering, or exposed through security breaches targeting major cloud sites and providers. Many users just recently went through the experience of having to change many of their passwords for fear they could have been accessed by exploits of the Heartbleed vulnerability.

Multi-factor authentication provides significantly more security but is being implemented slowly, even within local corporate networks, much less in the cloud. Biometric authentication has the potential to be the most secure form of single sign-on once the kinks are worked out, and solves some of the problems inherent in other forms of two-factor authentication. Users don’t “forget” their fingerprints, lose them, or go off and leave them at home. And Hollywood fantasies aside, cases of the bad guys severing a finger or removing an eyeball to use it to gain unauthorized access are likely to be few and far between. However, a number of obstacles to adoption still exist, which include cost of biometric scanning equipment and users’ fears of invasion of privacy.

Meanwhile, the dream of cloud-based biometric authentication has been moving forward, albeit in baby steps. In 2012, NIST developed protocols for using web services to implement biometric authentication. A crucial factor in making any form of single sign-on for the cloud work is standardization, and what better organization to set those standards than the National Institute of Standards and Technology?

Authentication isn’t the only area in which standards are needed to enable dependable and interoperable cloud deployments, though. Check out Ricky and Monique Magalhaes’ article on Standards and Good Cloud Practice over on CloudComputingAdmin.com for a discussion of how standards relate to good cloud function.
