The issues of cloud/SaaS security have been on my mind since the late 90s when I was working on my first global intranet/extranet project. Personally, I've never been terribly concerned with the more lower-level technical details of network architecture, transport protocols or with tedious policy writing; you need good security experts to cover these areas properly. I've always been drawn to the more forgivably human downsides to the whole SaaS/Cloud concept like this one: How on earth do you prevent password sharing?
I've been thinking that the solution may be so obvious, so ubiquitous, that it's just difficult to see past our own fears: What if we could improve the security of our cloud-based applications by handing over our authentication processes to the social media networks?
Steve Henty is an experienced IT Project Manager who has specialized in Web technologies since 1996. He lives in Madrid and is currently working for Toshiba. He can be contacted at email@example.com or on Twitter or at http://www.henty.es.
You see them everywhere. Those claims that XYZ Web application is 100% secure because it's as secure as banking online and uses SSL and allows IP restrictions and uses LDAP authentication and etc. All these security features are useful but at the end of the day we're still faced with the daunting challenge of convincing users not to give out their passwords either intentionally (e.g. by lending to "friends") or unintentionally (e.g. written notes lying around).
As soon as one person in your organisation has divulged his or her account details the entire system is compromised and all the company information is open to whoever gets hold of the password. What's worse, there's no real way of know if or when this has happened - even our careless user may be unaware that someone else is using the same account. I sometimes see references to this problem on the Web but I haven't seen any serious solutions.
It tends to get passed off as irrelevant, as if password security has nothing to do with cloud security. But unfortunately its inevitable effect on adoption blows a big hole in the whole cloud computing concept. So currently the industry doesn't want to talk about this elephant in the room because it might affect uptake, and consequently businesses are not getting the full picture.
With 50% of companies in the UK currently thinking about moving to the cloud this year, we're going to see an increase in security concerns - that is, as soon as these companies realise they've had the wool pulled over their eyes.
When Strong Isn't Strong
Let's take a quick look at the ways cloud computing services are currently attempting to deal with the issues of cloud security and examine how they might fall short.
SSL: A common claim you hear is that XYZ app is as secure as online banking because it uses the same technology: SSL. While I agree that it's important to encrypt communication, this claim is borderline fraudulent. People are inherently motivated to keep their online banking account details a secret whereas an employee may actually become motivated to do the complete opposite.
IP Restrictions: Some apps let you restrict access from certain IP addresses. This might work if you're prepared to forego the benefits of device independence, but to my mind this is one of the great advantages of working in the cloud.
LDAP Integration: Some apps allow integration with directories such as the Active Directory. This is great - one less directory to manage. However, in addition to the network security headaches this can bring it doesn't guarantee that the person using the password is actually the person you hope it is.
Enterprise Security: Two-factor authentication with security tokens or a sophisticated PKI implementation work nicely if you have the time and resources. If you have any high-profile users you'll be wanting this level of security to avoid breaches like the one Twitter faced a few months ago. However, these solutions can be so expensive and time-consuming that even a large enterprise would baulk at the cost of rolling this out to 100% of employees. So for most companies it's just not a feasible option.
On The Radar: In the not-so-distant future we may be using mobile phone SIMs, Electronic IDs or government-issued browser certificates to authenticate. But how about right now? Is there anything else we can be doing now, in 2010, to improve the security of our cloud-based apps?
The Solution: Social Media Integration?
Solutions often seem counterintuitive at first. What if we could increase security by giving up some control? What if we were to relax our grip a little on the whole identity management and authentication process and let the employee share some of the responsibility?
Most employees have a personal online identity already, a personal brand that they are inherently motivated to protect. The have a personal email addresses, blogs, Facebook accounts, LinkedIn accounts - public or semi-public profiles all over the Web. What if we were to allow these social media accounts to connect to our company cloud-based apps and perform the authentication process?
This could mean, for example, that an employee would be able to access a company CRM application simply by logging into a Facebook or LinkedIn account. A breach in our application's security would then only come at the expense of a breach in the security of a user's personal account. This way the responsibility for maintaining security would be would be shared.
Now that our users have a vested interest preventing unauthorised access to company data they might actually start taking to heart all the guidelines about strong passwords we've been banging on about for so long.
It could also be argued that by spreading the accounts over a number of different social media sites, thereby decentralising the authentication process, potential hackers might be deterred from casual password guessing and brute force attacks.
Okay, the idea needs to be developed further and it's far from perfect. There are certainly issues that need to be addressed regarding adoption, privacy and appropriate checks and controls. However, the technology already exists in the form of APIs, Facebook Connect, OAuth and OpenID and others, and the big social media players now have the critical mass of users you'd need in order to pull off something like this. Even attitudes towards privacy appear to be relaxing, so the timing could be perfect. If my assumptions are right, the missing piece in the cloud security puzzle might be right under our noses, and we'd be able to alleviate some of the fear of cloud computing simply by relinquishing some of our need to control.
I'd be very interested in your views on the subject - especially if you know of anyone has already had some experience of implementing this in a production environment or has decided against doing it.Photo credit: Joshua Davis.