Security in the Cloud

As more information and applications move to the cloud, it is necessary to secure all of them against unintended or malicious access. How you choose to protect that information depends on the value of the information to your business. This post looks at four means for protecting your business property that resides in the cloud: standard web access security, username/password authentication, two-factor access, and encoding.

Standard web-access security is a weak means for protecting data. It is typically done in one of two ways, both of which require entering a username and password. In the first, the browser passes the credentials to the server on every request. This is done "under the hood", so it is not seen in normal web use, but it is easily visible with any of the many tools for inspecting web traffic. It works well, but is only useful for protecting non-sensitive information. If the transmission is not encrypted (that is, it does not use https://...), then the username and password are visible throughout the transmission chain, including to all computers in between.

The second means for web access again uses a username and password. The server creates a persistent association between the user's browser and the server. This is usually called a session, and a reference to the session is passed back and forth between the server and the browser. This approach passes the user's credentials only once, from the browser to the server. After that, only the session reference is passed. By itself, the session reference does not contain any sensitive information. It is more like a key: it gives access to the information. The initial communication from the browser to the server needs to be encrypted to prevent others from seeing the user's credentials. Once the session is established, the user has continued access to the information on the server. This method depends on the server and browser software to prevent attacks that try to obtain an active session reference. It is secure when everything works exactly as intended, but can fall prey to bugs in the browser software.

Two-factor authentication improves the reliability of identification of the requesting user. Web-standard authentication uses public information (username) and private information (password). The private information is something you know and, in most policies, something only you know. However, people have a lot of passwords, and they tend to get written down or otherwise made available to others. This allows someone else to "impersonate" you to the server. Two-factor authentication requires two pieces of information, and they must be in different physical forms. Usually one is a password (something you know). The other information is something you possess. It can be biometric information (e.g., thumbprint) or a dynamic PIN card. Either way, you need to provide both pieces of information to gain access. It is standard for the information to be encrypted when going from the browser to the server. Once access is determined, either of the methods described above can be used.

Encoding provides another means for controlling access to the server. In this method a local (company controlled and maintained) server maintains the access database. A user logs into the local server using either a username and password or two-factor authentication. The local server establishes a connection to the cloud server and sends a one-time key to the cloud server to validate the particular user. This method keeps all authentication local to the company and keeps usernames and passwords off of the cloud server.
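
The one-time key exchange described above, sketched as an added example that is not code from this post. The HMAC-signed key format, the pre-shared key between the two servers, and all class and function names are assumptions chosen for illustration.

```python
import base64, hashlib, hmac, json, secrets, time

def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def sign(key, body):
    return hmac.new(key, body, hashlib.sha256).digest()

class LocalAuthServer:
    """Company-controlled server: owns the user database, issues one-time keys."""
    def __init__(self, key, users):
        self._key = key      # assumption: shared with the cloud server out of band
        self._users = users  # username -> (salt, password hash); never sent to the cloud

    def login(self, username, password, ttl=30, now=None):
        # Unknown users get a dummy record so the hash work is still done.
        salt, stored = self._users.get(username, (b"\0" * 16, b""))
        if not hmac.compare_digest(hash_password(password, salt), stored):
            return None
        now = time.time() if now is None else now
        claims = {"sub": username, "exp": now + ttl, "nonce": secrets.token_hex(16)}
        body = json.dumps(claims).encode()
        enc = base64.urlsafe_b64encode
        return (enc(body) + b"." + enc(sign(self._key, body))).decode()

class CloudServer:
    """Cloud side: stores no passwords, only the shared key and used nonces."""
    def __init__(self, key):
        self._key = key
        self._used = {}  # nonce -> expiry time

    def validate(self, token, now=None):
        now = time.time() if now is None else now
        try:
            body_b64, tag_b64 = token.split(".")
            body = base64.urlsafe_b64decode(body_b64)
            tag = base64.urlsafe_b64decode(tag_b64)
        except ValueError:
            return None  # malformed key
        if not hmac.compare_digest(tag, sign(self._key, body)):
            return None  # forged or altered key
        claims = json.loads(body)
        # Forget nonces whose keys have expired; the expiry check rejects those anyway.
        self._used = {n: e for n, e in self._used.items() if e >= now}
        if claims["exp"] < now or claims["nonce"] in self._used:
            return None  # expired, or already presented once
        self._used[claims["nonce"]] = claims["exp"]
        return claims["sub"]
```

The cloud server learns only the username, an expiry time and a nonce. A key that is captured in transit is useless once it has been presented or has expired.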

Securing your cloud environment is very important and differs depending on your particular environment and the sensitivity of the information to be protected. This post describes four means for providing authentication for your cloud data and applications.