
Authentication in the Cloud

August 13, 2014 by Debra Littlejohn Shinder

Cloud computing is changing the way we interact with devices, software, data and processes. But some things never change, and one thing that remains true across the old and new computing paradigms is the importance of authentication to confirm the identity of the user and/or system with which we’re communicating.

Identity management and authentication form the basis for security whether in the cloud or on the local network. Managing identities has been enough of a challenge within the corporate network, and became more so as businesses formed federations for the purpose of sharing resources across organizational lines. Private, public and hybrid clouds are adding yet another layer of complexity.

Users want security to be seamless and transparent. Users’ top priority is access – the ability to get the information they need to get their work done, as quickly and conveniently as possible. The problem is that security and convenience will always occupy opposite ends of a continuum; the more you have of one, the less you have of the other.

In a private cloud, to which users log on via a virtual private network, authentication can work effectively the same as on a local corporate network. Public clouds may be a different story, since it’s all dependent on how the cloud vendor has implemented security.

Single Sign-On (SSO) is the holy grail of authentication. The good news is that federated identities are capable of bridging the gap and allowing users to log onto a public cloud service using, for example, the same username and password that serve as their corporate credentials. The bad news is that only some public cloud services offer this convenience.

For the most part, both IT/cloud professionals and end users are still struggling with authentication, which translates in the latter case to the need to remember multiple passwords and user names for multiple cloud services, and in the former case to supporting all those users who inevitably forget some of those passwords.

Then there’s the whole problem with passwords, which is that they’re crackable through brute force attacks and social engineering, or can be exposed through security breaches targeting major cloud sites and providers. Many users just recently went through the experience of having to change many of their passwords for fear they could have been accessed by exploits of the Heartbleed vulnerability.

Multi-factor authentication provides significantly more security but is being implemented slowly, even within local corporate networks, much less in the cloud. Biometric authentication has the potential to be the most secure form of single sign-on once the kinks are worked out, and solves some of the problems inherent in other forms of two-factor authentication. Users don’t “forget” their fingerprints, lose them, or go off and leave them at home. And Hollywood fantasies aside, cases of the bad guys severing a finger or removing an eyeball to use it to gain unauthorized access are likely to be few and far between. However, a number of obstacles to adoption still exist, including the cost of biometric scanning equipment and users’ fears of invasion of privacy.

Meanwhile, the dream of cloud-based biometric authentication has been moving forward, albeit in baby steps. In 2012, NIST developed protocols for using web services to implement biometric authentication. A crucial factor in making any form of single sign-on for the cloud work is standardization, and what better organization to set those standards than the National Institute of Standards and Technology?

Authentication isn’t the only area in which standards are needed to enable dependable and interoperable cloud deployments, though. Check out Ricky and Monique Magalhaes’ article on Standards and Good Cloud Practice for a discussion of how standards relate to good cloud function.


Debra Littlejohn Shinder, MCSE, MVP (Security) is a technology consultant, trainer and writer who has authored a number of books on computer operating systems, networking, and security. She is also a tech editor, developmental editor and contributor to over 20 additional books. Her articles are regularly published on TechRepublic's TechProGuild Web site and have appeared in print magazines such as Windows IT Pro (formerly Windows & .NET) Magazine. She has authored training material, corporate whitepapers, marketing material, and product documentation for Microsoft Corporation, Hewlett-Packard, DigitalThink, GFI Software, Sunbelt Software, CNET and other technology companies.