Cloud services have proven to be a popular and effective option for enterprises. However, the more popular they become, the more they are targeted by hackers.
In most instances, cloud providers -- like other services -- rely on username and password combinations to authenticate users. The problem with this method is that it's easy to target unsuspecting users with phishing attacks. When conducting phishing tests in my professional career, I've found around half of targeted employees follow the instructions in the phishing email and unwittingly give up their usernames and passwords. Of course, it only takes one to cause immense damage -- especially if that user has access to a cloud management console.
To improve the security of user authentication in the cloud, cloud providers are advocating the use of open cloud authentication standards such as Fast Identity Online (FIDO), Security Assertion Markup Language (SAML) and OpenID. These standards don't rely solely on passwords, but instead use passwordless authentication (such as biometrics) or a second factor (such as a USB dongle connected to the computer).
These days, hardly a week goes by without a major hack that either takes advantage of weak passwords for the initial compromise or publishes the contents of a password database on the Internet. For cloud security, ensuring that the vast amounts of user data are secure is of paramount importance, and these new open authentication schemes can be a huge help.
An inside look at open standards for authentication in the cloud
FIDO is purely concerned with authentication; its most significant advantage is its use of public-key cryptography. This means that at no point are users' authentication secrets stored by the application, nor are they transmitted in the way a password is sent to the server for checking; the device proves possession of a private key, and biometric data stays on the device and is never stored on the server. This advantage should not be underestimated, as it stops significant attacks that target passwords -- such as breaking in and dumping them from server databases -- dead in their tracks.
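To make the point concrete, here is an added example (not code from the original article or from any FIDO implementation) of the challenge-response pattern the paragraph describes: the server stores only a public key and a single-use challenge, the device signs the challenge with a private key that never leaves it, and a signature captured in transit cannot be replayed. The user names and the P-256/ECDSA choice are assumptions for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
)

type Server struct {
	pubKeys    map[string]*ecdsa.PublicKey // the only credential material kept
	challenges map[string][]byte           // one outstanding nonce per user
}
func NewServer() *Server { return &Server{map[string]*ecdsa.PublicKey{}, map[string][]byte{}} }
func digest(b []byte) []byte { h := sha256.Sum256(b); return h[:] }

// Register creates the key pair on the device and hands the server only the public half.
func Register(s *Server, user string) (*ecdsa.PrivateKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	s.pubKeys[user] = &priv.PublicKey
	return priv, nil // the private key stays on the device
}

// Challenge issues a fresh random nonce valid for one login attempt only.
func (s *Server) Challenge(user string) ([]byte, error) {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	s.challenges[user] = c
	return c, nil
}

// Sign runs on the device: it proves possession of the private key over the challenge.
func Sign(priv *ecdsa.PrivateKey, challenge []byte) ([]byte, error) {
	return ecdsa.SignASN1(rand.Reader, priv, digest(challenge))
}

// Verify checks the signature with the stored public key and consumes the challenge.
func (s *Server) Verify(user string, sig []byte) bool {
	c, pub := s.challenges[user], s.pubKeys[user]
	if c == nil || pub == nil {
		return false
	}
	delete(s.challenges, user) // single use, so a captured signature cannot be replayed
	return ecdsa.VerifyASN1(pub, digest(c), sig)
}
```

A dump of `Server` gives an attacker nothing to log in with: the public keys cannot produce a valid signature, and any stored challenge is worthless once consumed.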
SAML is a different system that uses XML for communication. This gives it the advantage that it can be configured to work with almost any other system. SAML keeps credentials in a centralized store rather than at each application, which reduces the opportunity for hackers to obtain access to them and allows easier single sign-on. OpenID, meanwhile, is a centralized standard that allows users to register on a central system and then authenticate to any number of websites that support OpenID. The advantage of this is ease of use, which has led to relatively high adoption. It also means that websites do not need to write their own (often weaker) authentication mechanism.
Open standards versus proprietary systems for authentication in the cloud
For any new authentication method to be successful, the support and adoption of the technology by large companies is essential, especially in the cloud. FIDO, at the moment, is actively backed by Microsoft and Google. Amazon has yet to join the party, but it seems logical that it will at some point. Similarly, OpenID is backed by the OpenID Foundation, which has members from key industry players, including Microsoft, Google and Symantec. SAML is also backed by major players in the cloud industry, including Amazon and Dropbox.
With the backing of major providers, it is likely that open authentication standards will become more and more prevalent in cloud environments. What's the benefit? Open standards provide much greater scope for collaboration on the development of the standards, and they also let website and app developers build against a single open standard rather than having to support several different proprietary systems.
However, there are a few downsides to open authentication standards. The specifications and code are available to all, which means they are also available to hackers to study in great detail to find vulnerabilities. Compared with proprietary systems, this gives an attacker much greater insight into how the system works. Open systems are also reliant on community support for maintenance and security fixes; as was demonstrated with TrueCrypt, this could disappear at any time and leave companies with an unsupported system. Another key downside is that users need to learn a new system; although the aim is to make these systems simple, it has traditionally been very difficult to move users away from password-based systems.
Open standards: Paving the way for secure authentication in the cloud
Overall, open standards will provide an excellent opportunity for cloud providers to lead the way on secure authentication in the cloud. They will also take a significant step in preventing some of the easiest and most prevalent attacks used against organizations and individuals to date.
Password authentication should have had its day many years ago. While these new open standards won't do away with passwords completely, they take a significant step toward a more secure authentication mechanism. We can only hope cloud providers continue to collaborate and lead the way.
About the author:
Rob Shapland is a penetration tester at First Base Technologies, where he specializes in Web application security. He has used his skills to test the websites of companies that range from large corporations to small businesses using a wide variety of Web technologies. Shapland is a firm believer that all penetration testing should have manual techniques at its core, using automated tools to support these skills. He is also involved in network testing and social engineering.