Securing the Cloud
•Download as PPS, PDF•
0 likes•301 views
Moving your data from your own personal safe, to a safety deposit box in a bank. Access to you safety-deposit box is controlled by the bank, not you. In most cases all you need to supply is the right name and the right “password”
Recommended
More Related Content
Similar to Securing the Cloud
Similar to Securing the Cloud (20)
More from Icomm Technologies
More from Icomm Technologies (20)
Recently uploaded
Recently uploaded (20)
Securing the Cloud
- 1. Securing the Cloud Authentication Perspective
- 2. Moving to the Cloud is like........ Moving your data from your own personal safe, to a safety deposit box in a bank. Access to you safety-deposit box is controlled by the bank, not you. In most cases all you need to supply is the right name and the right “password”
- 3. The Cloud • Is a very public place • Everyone knows where your front door is • Everyone knows what your username is • Just one password away from access! In “The Cloud”, all access is Remote Access (remote from the application at least)
- 4. It is not Rocket science • I know that Dell use Salesforce CRM • (source: Salesforce.com) • I know that Michael Dell is CEO • (source: Wikipedia) • I know the format of Dell emails is firstname.lastname@dell.com • (source: my inbox) • Just one password away from access ?????
- 5. Passwords and “The Cloud” • Passwords in public places are not safe • How many different strong passwords can a user safely remember ? • NOT ENOUGH! • Recent straw poll users accessed at least 20 different password protected services!
- 6. Strong Passwords ??? Analysis of the 32 million passwords exposed in Jan 2010 in the breach of social media application developer RockYou - who's applications can be used on Facebook and Myspace -revealed the top 10 most commonly used passwords were: 1st :123456 6th :princess 1st :123456 6th :princess 2nd :12345 7th :rockyou 2nd :12345 7th :rockyou 3rd :123456789 8th :1234567 3rd :123456789 8th :1234567 4th :password 9th :12345678 4th :password 9th :12345678 5th :iloveyou 10th :abc123 5th :iloveyou 10th :abc123 (source: www.cxo.eu.com) Don’t forget for many attacks the strength of the password is no defence
- 7. Password Reuse • Password Reuse is inevitable • Cloud breaches (PSN, Sega, Facebook etc) have knock-on impacts • Your corporate data may only be as secure as the least secure Cloud service being used by your employees • Can we rely on people separating their corporate and social identities • No!
- 8. “…Sega explained that it had reset all passwords and urged customers to change their log-on details on other services and websites where they used the same credentials…” (Source: http://www.bbc.co.uk/news/technology-13829690)
- 9. Authentication and the Cloud • Using Cloud services can mean • You delegate authentication policies to the Cloud provider • You create multiple control points for user access • If you use multiple Cloud services • If you use a mix of Cloud and non-Cloud services • Forgetting to remove access from ex-employees is a common cause of loss of commercial data. • You rely on username/password
- 10. Authentication and the Cloud • The need for strong authentication for (eg VPN) remote access is well understood. • Customers purchase Remote Access solutions and an Authentication solution. • The same authentication solution is ideally used across all remote access services.
- 11. Approach • Separate Authentication from the Cloud Service • Use a single Authentication service for all services • Cloud and non-Cloud • Keep control over you access policies • Apply appropriate authentication • If I have access rights to data because I am an employee of an organisation, then that organisation should control my access
- 12. New Authentication Model • Not a new idea, but now becoming possible Check Credentials Request Access User-name Credentials Redirect Traditional Traditional Approach Approach Create/Delete Accounts Enterprise Enterprise User-name Credentials Configure Service Federated Federated Approach Approach Enterprise Enterprise “If anyone wants to access my data, send them to me!”
- 13. “Phone Home” Model • Enterprise owns the identity • Single point of control • Cloud Applications Cloud services do not store credentials • Cloud services do not set authentication policies • Multi-factor where required • Risk-based authentication • User needs one set of credentials Core Authentication Platform VPN Access Intranet
- 14. The “phone home model” is like.. When a user wants to access your safety deposit box, the bank sends them to you. The person confirms their identity to YOU in the manner you decide. You tell the bank that they can access the data
- 15. Swivel and Office 365 ADFS ADFS Proxy Proxy Internet Internet Active Active Directory Directory filter ADFS Request Response System can be configured so users already on the LAN need not authenticate again to Office 365. Developments will allow the same for other SAML-based cloud services. ADFS ADFS Server Server
- 16. Swivel and Office 365
- 17. Swivel and Office 365 (Demo) Forms Based Authentication Customisable Additional Credential only required if user as a PINsafe account (optional) Some users could have 2FA Mandatory
- 18. Questions
Editor's Notes
- The cloud is a public place. Everyone’s experience of cloud applications is pretty much the same. If I know how to access my account, chances are I know how to access yours.
- The cloud is a public place. Everyone’s experience of cloud applications is pretty much the same. If I know how to access my account, chances are I know how to access yours.
- Just an example. But all three facts are true. Whether Dell use email address for salesforce and whether Micheal Dell has an account or not is not clear. But the principle is the same, as we just one password away from Dells entire CRM data ? Of course this is another element of the public nature of the cloud. Cloud applications such as facebook, twitter, etc mean there is much more information available about people “in the cloud”
- Of course we all use the cloud in some way, if not in our corporate life then in our personal life. Password reuse becomes inevitable
- Weakness of passwords is well documented. But the point is that these passwords were obtained from a cloud service
- So if you use cloud services for your corporate data Chances are your corporate users will also reuse credentials Therefore their credentials are potentially only as safe as the weakest link in the chain
- The SEGA breach was perhaps the first acknowledgement from a cloud service provider that the fact that they lost your credentials not only affected you SEGA data but many other potential accounts as well. When you trust a cloud service with your username and password, you are not only trusting them with your data in relation to that service but possibly others as well.
- `A key issue is that using cloud services means you delegate the service and access control to the cloud provider as well as the service itself. You are trusting the cloud service with more than just the service. This creates multiple control points It means authentication policy is defined by the cloud provider.
- `A key issue is that using cloud services means you delegate the service and access control to the cloud provider as well as the service itself. You are trusting the cloud service with more than just the service. This creates multiple control points It means authentication policy is defined by the cloud provider.
- Reclaim or retain control over access.
- “Traditionally authentication was done at the back-end” Within the DMZ. User submits credentials and are checked “behind the scenes”. New standards are enabling new models. Whereby authentication is done “in front” The standards are not new in themsleves but what is new is that fact that service providers are implementing them. Which means vendors like ourselves can build solutions around them. Federation is another overloaded term. But I want to highlight a specific meaning
- This federation model means that to access data that you have rights to because you are an employee of a company then the service must verify your identity and rights with that company, This means cloud service is not longer responsible for Authentication Storing Credentials And same credential and authentication service can be used for internal and cloud access
- The cloud is a public place. Everyone’s experience of cloud applications is pretty much the same. If I know how to access my account, chances are I know how to access yours.