The Importance of a Cloud Security Strategy: Authentication

Categories: Cloud Security, Security

Overview

Cloud Infrastructure providers have evolved rapidly and while there is no doubt that their infrastructure teams have top-notch security measures a lot of the responsibility falls in the hands of those operating the cloud applications.

A recurring term in this context is the Shared Responsibility Model that AWS has made popular.

It clearly delineates the responsibilities for the cloud provider and the customer. The core components customers are responsible for in a security context are 1) Customer Data 2) Applications and 3) Access management.

Who the customer of the cloud provider is can vary:

  • SaaS Providers: Where the end-user expects the service provider to abide by any security and data privacy requirements.
  • Firms & Individuals: Where those same firms need to ensure the right protocols are in place.

Technical Debt Complexities

With Cloud computing technical debt is not a thing of the past. The utilization of convenient tools by the infrastructure provider requires proper configuration. Furthermore, firms will and should use multiple cloud providers:

  • Workload Types: An organization may use a cloud provider to host their suite-like utilities such as email and collaboration applications such as G-Suite or Office 365. However what they use to host these suites is independent of internally developed and additional vendor application hosting including AWS, Azure, Google Cloud, and others.
  • Avoiding Vendor Lock-In: Organizations may decide to make their infrastructure cloud-neutral to avoid vendor lock-in. While new architectures like container technology allow for building a code base once and re-using it, specific aspects of the architecture need to be considered.

Cloud Architecture Complexities for Authentication

Requirements and workload type usage across multiple providers drives nuances of the cloud architecture specifically as it relates to access management.

On Premise & Cloud Interfaces

In some deployments, parts of the application are kept on-premise while other services are hosted on the cloud. In these cases, special consideration is needed to secure the interfaces.

Provider Specific Decisions

Additional authentication types are allowed that go beyond simple credentials. These include keys for APIs, Certificates, usage of Multi-Factor Authentication, and more. The following are examples of the authentication types by provider:

Azure

  • Password Hash Synchronization: An on-premise service synchronizes credentials to the cloud instance.
  • Pass-Through Authentication: The credentials are kept on-premise where a service or agent validates requests coming from the cloud instance.
  • Active Directory Federation Services: Credentials are stored on-premise but a federated trust is configured between the on-premise and cloud instances where both have to validate.
  • Certificate-Based Authentication: Typically relate to certificates used for client authentication for an API or service.
  • Long-term Access Tokens: OAuth Tokens used for validation on the cloud instance. Poses limitations because these tokens can be used by multiple endpoints.

AWS

Provides two types of access:

  • Programmatic Access: Creates an access key and a secret access key for the AWS API, CLI, SDK, and other tools.
  • AWS Management Console Access: Enables a password that allows users to sign-in to the AWS Management Console.

Google

  • Access Tokens: Short term access for service accounts
  • JSON Key Files: Long term keys
  • Federated Credentials

Securing Cloud Assets

Data breaches continue to be a problem for companies offering SaaS like services. Data exposed via open Object Storage containers such as AWS S3 have been reported in the news. One of the most critical aspects of the cloud strategy should focus on the continuous review of object storage to ensure appropriate permissions are configured and that the data is not set to be public by default.

Summary

Cloud security is not just another checkbox, it should be a key driver for technology strategy as customer data, application security and access management are at the center of customer trust and long term strategic relationships.