Lack of single sign-on could hamper cloud security

Microsoft admits that Azure does not yet support FIM

Hackers could be in for one of the biggest security bonanzas since the UK Government stopped using paper and started dropping CDs, DVDs and USB sticks. There have been many concerns about cloud security, and indeed it is often seen as a big barrier to adoption, but the thorny question of user credentials could make the cloud even less attractive for users.

Microsoft is one company that has been expressing concern about this. At TEC09 in Berlin the company has been showing some of the capabilities of Forefront Identity Manager (FIM) 2010 and cross-platform security. All well and good, but the concern from Microsoft is that users will start to leak their security credentials outside of the enterprise. In other words, rather than use separate usernames and passwords for cloud services, they will use the same username and password as they do for enterprise access.

This represents a serious and generally unacknowledged barrier to cloud adoption. Enterprises have no control over how cloud vendors store and manage security. With many cloud vendors growing out of the ISP market, where there are regular hacks against their customer databases, the risk of having live credentials stored outside of the enterprise is almost the same as the yellow sticky on the wall.

With FIM 2010 Microsoft is pushing hard for the use of claims-based security, where you use a token to authenticate to services. In effect this is similar to chip and PIN with your credit card. When you attempt to connect to a service, it takes what you offer and passes that information to a Security Token Server, which validates you and then passes back a token allowing you to connect to the service.
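The token exchange described above, as an added example that is not code from the article or from Microsoft: a toy Security Token Server validates the credential once and issues a short-lived token bound to one service, which that service checks without ever handling the password. The user, service names and keys are constructed, and an HMAC key shared between the STS and each service is an assumption standing in for the signing a real token server would do.

```python
import base64, hashlib, hmac, json, time

# Constructed sample data. Only the STS stores anything derived from the password.
_SALT = b"constructed-salt"
_USERS = {"alice": hashlib.pbkdf2_hmac("sha256", b"correct horse", _SALT, 100_000)}
# Assumption: the STS shares one signing key with each relying service.
_SERVICE_KEYS = {"cloud-crm": b"constructed-key-1", "cloud-mail": b"constructed-key-2"}

def _b64(data):
    return base64.urlsafe_b64encode(data).decode()

def sts_issue_token(user, password, audience, now=None, ttl=300):
    """STS side: validate the credential, then return a signed token (or None)."""
    stored = _USERS.get(user)
    offered = hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)
    if stored is None or not hmac.compare_digest(stored, offered):
        return None
    key = _SERVICE_KEYS.get(audience)
    if key is None:
        return None
    issued = time.time() if now is None else now
    claims = {"sub": user, "aud": audience, "exp": issued + ttl}
    body = json.dumps(claims, sort_keys=True).encode()
    return _b64(body) + "." + _b64(hmac.new(key, body, hashlib.sha256).digest())

def service_accept(token, service, now=None):
    """Service side: verify signature, audience and expiry. No password is seen."""
    try:
        body_b64, sig_b64 = token.split(".")
        body = base64.urlsafe_b64decode(body_b64)
        sig = base64.urlsafe_b64decode(sig_b64)
        expected = hmac.new(_SERVICE_KEYS[service], body, hashlib.sha256).digest()
        if not hmac.compare_digest(sig, expected):
            return None
        claims = json.loads(body)
    except (ValueError, KeyError, AttributeError):
        return None
    current = time.time() if now is None else now
    if claims.get("aud") != service or claims.get("exp", 0) < current:
        return None
    return claims["sub"]
```

A breach of the service's own database in this model exposes no reusable enterprise password, and a token captured at one service is rejected by another.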

We have already seen Microsoft and others try to drive this kind of solution before. CardSpace is a Microsoft product that allows users to have lots of identities managed on their computer. Each identity would give them access to different systems but instead of constantly entering data, they could just present their CardSpace ID. This is analogous to credit cards with chip and PIN. You present your card to the merchant and enter your PIN, and all the rest of the information about the transaction is passed in the background.

For users moving between cloud services and the enterprise, this would provide them with a single sign-on service that would ensure that usernames, passwords and other credentials are kept secure. But for this to work, cloud vendors and security vendors need to work together. A few months ago the Burton Group carried out a very large test of different vendors' systems against 21 endpoints. The endpoints included many of the large cloud service providers to see how well this worked. Their reports will be released soon.

More recently, the Liberty Alliance tested a number of vendors and will release their report on 17 September. Of those vendors who attended, only Microsoft has talked about it and only then to say that they felt it went very well but couldn't comment until the report's release.

If this does work then users will be able to move from the enterprise to the cloud and back again using a credential-based system to replace usernames and passwords. This will make it a seamless approach for the organisation and solve the risk of credential loss.

