When transitioning to the cloud, many factors change, and those changes affect the security of the systems being moved. Migrating to the cloud means acknowledging where the cloud provider's security boundary ends and where your own security measures have to come into place. When data and applications move to the cloud, user access by default takes place remotely, often with a weak, static password as the only mechanism protecting against unauthorized access.
Respecting a few basic guidelines can bring a higher degree of security to your cloud solutions. This article summarizes the available authentication mechanisms and provides some use cases.
Authentication Methods
A first approach is the use of static passwords. When users need access to the cloud application, the administrator issues a static credential pair, usually a username and a static password. To reduce the chance of the password being brute-forced, choose a password with a lot of entropy: the more randomness it contains, the better.
A second approach is the use of multi-factor authentication. This method is based on the assumption that a credential pair like username and password is easily sniffed or socially engineered. Providing the correct credential pair is considered the first factor; to increase security, a second factor is added to the authentication process. Several kinds of factor can serve as the second authentication factor:
- factors indicating knowledge: things only the user could possibly know;
- factors indicating possession: things only the user could possess, e.g. smartcards, hardware tokens, ...
- factors indicating that the user is who he claims to be (inherence): e.g. fingerprints, retina scan, ...
Multi-factor authentication is gaining attention in modern cloud solutions, and many cloud providers now offer this authentication method to their customers.
A last method also embraces multi-factor authentication but packages it as a service. It is called Authentication-as-a-Service (AaaS) and provides a means of enabling strong authentication for several access points. Before adopting it, check which cloud solutions are supported, as this is specific to every AaaS provider.
Use Cases
We will now consider several cloud service providers and look at how each chooses to implement or support multi-factor authentication.
Amazon Web Services (AWS)
Besides the standard authentication with a username and password credential pair, AWS supports multi-factor authentication. It uses the possession factor to implement a two-factor authentication mechanism: when the user wants to authenticate, he is prompted for his username and password and, in addition to this credential pair, for an authentication code delivered by an AWS-supported MFA device. AWS supports three different MFA devices, all based on the possession factor:
- Virtual MFA device: an application running on your smartphone that acts as a secure authentication code generator. This is the free solution.
- Hardware keyfob MFA device: a tamper-resistant hardware device capable of generating authentication codes.
- Hardware display card MFA device: a tamper-resistant hardware device in the form of a smartcard, capable of generating authentication codes.
More information on the MFA when using AWS can be found here: https://aws.amazon.com/iam/details/mfa/
IBM Cloud Security
IBM Cloud also supports, besides the standard authentication, a multi-factor authentication mechanism. It achieves this with IBM Security Access Manager for Web and Tivoli Federated Identity Manager. This system can provide knowledge as well as possession factors as the second factor in the authentication process, and it offers several methods to deliver the One-Time Password (OTP), such as SMS or e-mail. For security reasons the OTP should not be delivered to the same device the user performs the authentication on. When there is no other option and the same device must be used, the knowledge factor is added to make the transaction more secure: the user is asked to append a personal PIN to the OTP when authenticating. This PIN is of course also known to the server the user authenticates against. In that case we are talking about three-factor authentication: username-password credential pair + OTP (possession) + personal PIN (knowledge).
More information on the MFA when using IBM Cloud can be found in this whitepaper.
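The OTP + PIN scheme described above has a server side that is easy to get wrong: the delivered code must expire, survive only a few guesses, and be usable exactly once, and the PIN must be checked like any other secret. The example below, added here and not taken from IBM's products or the original article, is a hypothetical verifier for a delivered (SMS/e-mail) OTP with the personal PIN appended, as the text describes. The time-to-live, attempt limit, and the `DeliveredOtpService`, `enroll_pin`, `issue` and `verify` names are assumptions of this example; the actual delivery channel is left to the caller.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Tuple

OTP_DIGITS = 6
OTP_TTL_SECONDS = 300  # assumption: a delivered code is only valid for five minutes
MAX_ATTEMPTS = 5       # assumption: the pending code is discarded after five wrong guesses


def _hash_pin(pin: str, salt: bytes) -> bytes:
    """Never store the PIN itself; keep a salted PBKDF2 hash, as you would for a password."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)


class DeliveredOtpService:
    """Hypothetical server side of an SMS/e-mail OTP step. The user submits the OTP with the
    personal PIN appended (OTP + PIN); the server checks both, and the OTP is single-use."""

    def __init__(self) -> None:
        self._pins: Dict[str, Tuple[bytes, bytes]] = {}  # user -> (salt, pin_hash)
        self._pending: Dict[str, dict] = {}              # user -> {"otp", "expires", "attempts"}

    def enroll_pin(self, user: str, pin: str) -> None:
        salt = secrets.token_bytes(16)
        self._pins[user] = (salt, _hash_pin(pin, salt))

    def issue(self, user: str, now: int) -> str:
        """Generate a fresh random code for the delivery channel (SMS/e-mail). It must not be
        logged, and any earlier pending code for this user is superseded."""
        otp = f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"
        self._pending[user] = {"otp": otp, "expires": now + OTP_TTL_SECONDS, "attempts": 0}
        return otp

    def _check_pin(self, user: str, pin: str) -> bool:
        stored = self._pins.get(user)
        if stored is None:
            return False
        salt, expected = stored
        return hmac.compare_digest(_hash_pin(pin, salt), expected)

    def verify(self, user: str, submitted: str, now: int, require_pin: bool = True) -> bool:
        entry = self._pending.get(user)
        if entry is None or not submitted.isascii():
            return False
        if now > entry["expires"]:
            del self._pending[user]  # expired: force a new delivery
            return False
        entry["attempts"] += 1
        if entry["attempts"] > MAX_ATTEMPTS:
            del self._pending[user]  # too many guesses: force a new delivery
            return False
        otp_part, pin_part = submitted[:OTP_DIGITS], submitted[OTP_DIGITS:]
        otp_ok = hmac.compare_digest(otp_part, entry["otp"])
        # The PIN is always evaluated, so a wrong OTP and a wrong PIN take the same code path.
        pin_ok = self._check_pin(user, pin_part) if require_pin else (pin_part == "")
        ok = otp_ok and pin_ok
        if ok:
            del self._pending[user]  # single use: the same OTP can never be replayed
        return ok


if __name__ == "__main__":
    svc = DeliveredOtpService()
    svc.enroll_pin("alice", "4711")          # constructed user and PIN
    code = svc.issue("alice", now=1000)      # would be sent over SMS/e-mail, not printed in practice
    print("accepted:", svc.verify("alice", code + "4711", now=1010))
    print("replayed:", svc.verify("alice", code + "4711", now=1011))  # False: already consumed
```

Note that `require_pin=False` models the case where the OTP reaches a different device than the one used for login, so the possession factor stands on its own; when both go through the same device, the appended PIN is what keeps a stolen code from being sufficient.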