Securing the Cloud

Securing the CloudAuthentication Perspective

Moving to the Cloud is like........

Moving your data from your own personal safe, to a safety deposit box in a bank.

Access to you safety-deposit box is controlled by the bank, not you.

In most cases all you need to supply is the right name and the right “password”

The Cloud

• Is a very public place

• Everyone knows where your front door is

• Everyone knows what your username is

• Just one password away from access!

In “The Cloud”, all access is Remote Access(remote from the application at least)

It is not Rocket science

• I know that Dell use Salesforce CRM• (source: Salesforce.com)

• I know that Michael Dell is CEO• (source: Wikipedia)

• I know the format of Dell emails is firstname.lastname@dell.com

• (source: my inbox)

• Just one password away from access ?????

• Passwords in public places are not safe

• How many different strong passwords can a user safely remember ?

• NOT ENOUGH!

• Recent straw poll users accessed at least 20 different password protected services!

Passwords and “The Cloud”

1st :123456 6th :princess 2nd :12345 7th :rockyou 3rd :123456789 8th :1234567 4th :password 9th :12345678 5th :iloveyou10th :abc123

Analysis of the 32 million passwords exposed in Jan 2010 in the breach of social media application developer RockYou - who's applications can be used on Facebook and Myspace -revealed the top 10 most commonly used passwords were:

(source: www.cxo.eu.com)

Strong Passwords ???

Don’t forget for many attacks the strength of the password is no defence

Password Reuse

• Password Reuse is inevitable

• Cloud breaches (PSN, Sega, Facebook etc) have knock-on impacts

• Your corporate data may only be as secure as the least secure Cloud service being used by your employees

• Can we rely on people separating their corporate and social identities

• No!

“…Sega explained that it had reset all passwords and urged customers to change their log-on details on other services and websites where they used the same credentials…”

(Source: http://www.bbc.co.uk/news/technology-13829690)

Authentication and the Cloud

• Using Cloud services can mean

• You delegate authentication policies to the Cloud provider

• You create multiple control points for user access• If you use multiple Cloud services• If you use a mix of Cloud and non-Cloud services• Forgetting to remove access from ex-employees is a common cause of loss of

commercial data.

• You rely on username/password

Authentication and the Cloud

• The need for strong authentication for (eg VPN) remote access is well understood.

• Customers purchase Remote Access solutions and an Authentication solution.

• The same authentication solution is ideally used across all remote access services.

Approach

• Separate Authentication from the Cloud Service

• Use a single Authentication service for all services• Cloud and non-Cloud

• Keep control over you access policies• Apply appropriate authentication

• If I have access rights to data because I am an employee of an organisation, then that organisation should control my access

New Authentication Model

• Not a new idea, but now becoming possible

Enterprise

Create/DeleteAccounts

User-nameCredentials

Check Credentials

Configure Service

Request Access

Redirect

User-nameCredentials

“If anyone wants to access my data, send them to me!”

TraditionalApproach

FederatedApproach

Enterprise

“Phone Home” Model• Enterprise owns the identity

• Single point of control

• Cloud services do not store credentials

• Cloud services do not set authentication policies

• Multi-factor where required• Risk-based authentication

• User needs one set of credentials

Cloud Applications

VPNAccess

Intranet

CoreAuthenticationPlatform

The “phone home model” is like..

When a user wants to access your safety deposit box, the bank sends them to you.

The person confirms their identity to YOU in the manner you decide.

You tell the bank that they can access the data

Internet

ADFSProxy

Swivel and Office 365

ActiveDirectory

ADFSServer

filterADFS Request

Response

System can be configured so users already on the LAN need not authenticate again to Office 365.

Developments will allow the same for other SAML-based cloud services.

Swivel and Office 365

Swivel and Office 365 (Demo)

Forms Based Authentication

Customisable

Additional Credential only required if user as a PINsafe account (optional)

Some users could have 2FA Mandatory

Questions