As cloud computing spreads its influence worldwide, the day is not far when every organization will tap this opportunity. At the same time, security concerns multiply when we talk about cloud computing. The author discusses here a new direction, Password-Less user authentication and IDM, which, according to him, makes unauthorized access to online services or data virtually impossible.
When the word identity crosses my mind, I recall the visit to the passport office to renew my passport and the procedure one has to go through to get it right. It also reminds me of the visit to the society registrar's office to get my property documents registered, where I was asked for my fingerprint impression.
These are examples of real-world identities created to identify a person and enable certain processes; the passport, for example, identifies you when you travel overseas. As we cross over from the real world to the online world, we find similar identities. The identities issued online may not seem as serious as those in the real world, yet they are increasingly becoming part of our lives. An email address or a Facebook account, for example, is an online identity we share or use to communicate with others.
Most of us have scores of other online identities that we struggle to manage, and at times we forget the key to them: the password. Identity issuers and websites know that people tend to forget their passwords and have devised novel ways to help them recover those passwords.
More than a billion people are online today, and the number keeps growing as more people get access to a computer and the Internet. Many of them are serious users of the Internet who simply cannot afford to lose their online identities or fall victim to identity theft.
A person's email account today contains not only messages from friends, colleagues and family but also registration information for online banking accounts, payment services such as PayPal, credit card statements and so on. All of this is protected by the password to the email account, which is entered at sign-in and checked against what the email provider holds on its server (ideally a salted hash of the password rather than the password itself). Every year, tens of billions of dollars are lost worldwide to online crime, with identity theft a major contributor.
Coming back to the real world, when we lose a passport we inform the nearest police station so that the document cannot be misused. With an online identity, the opportunity to report comes late in the day: only when you have actually become a victim, for instance when you find that your savings account has been debited by an online transaction made through your Net Banking account. Until then, you are merrily assuming your identity is safe and secure.
A primer on Cloud Computing
Enter cloud computing, and the gravity of this issue is multiplied many times over.
Though cloud computing is sold to the enterprise, the end user is always the person who uses the enterprise or public service. Cloud computing is a nebulous offering of applications and services that have no fixed physical location. This gives the service provider a great deal of flexibility, since it does not have to spend time and effort upgrading its own infrastructure to meet higher demand, which in some cases arrives instantaneously.
For example, a newly launched website may have a few thousand visitors in its first few months. As it becomes popular, thanks to search engines or direct marketing, the number of visitors could rise five- or tenfold and bring the website down. It could take days to get it running again, and that is lost business.
By using cloud computing, the website operator need not worry about increasing visitors: the cloud service provider manages the bandwidth requirement and assigns resources to meet demand as it arises.
Google has been using cloud computing for years and is one of the biggest proponents of the technology and of the hype surrounding it, because it is proposing an online delivery platform in contrast to the offline, client-based platform offered by Microsoft.
In fact, Google is proposing cloud computing even for deploying government services, and there has been much criticism of that lately, mainly over the security aspects of cloud computing.
Security of the Cloud
Unlike the fixed client-server environment, where the service provider controls everything related to its services and data, the cloud computing model is vague on most aspects of ownership and identity management.
For example, if you use Google Docs to create and store your documents, they will most probably sit in a cloud storage environment. Though you access your Google Docs account to create and edit the documents, their physical storage is not under your control.
They may be located on a server over which the end user has no identity control. With the industry still unable to solve the current security problems of online identity and access management, the new identity issues introduced by cloud computing will only add to them, leading to greater challenges.
Identity and the cloud
Today, our online identity is limited to accessing services from a particular provider, such as a bank offering NetBanking or an email service provider.
The idea of accessing a Net Banking account with your email id would sound as crazy as asking the Passport Office to accept your office ID card as proof of identity.
Yet increasingly there are websites and social networks that recognize your identity and let you access other websites or their content with that same identity: OpenID, VeriSign PIP and MyOpenID, to name a few.
As the cloud moves from hype to practical reality, there will be a dire need for a universal identity that crosses the boundaries of services and solutions and yet remains fully under the control of its owner. The user would create a universal identity in the cloud and, once it is verified by a certifying authority, use it to access any or all of the services offered there.
It would then become easier for cloud service providers to control access to sensitive user data based on this universal identity and the roles each service has been assigned.
For example, a bank could allow a user to access its net banking services with a universal identity such as OpenID, so long as the certification and authentication service is in the cloud and verifiable.
The day is not far when we no longer need multiple identities for different services, and using a common identity to access all or most online services becomes the norm.
Thanks to the cloud.
Current Identity Authentication and Access Management
Though it is clear that a universal identity is the way forward for connecting to the cloud and the services offered there, it is still not clear how user and application identities will be managed.
Industry is clearly struggling to find a solution, and this is a sure bottleneck for the mass adoption of cloud computing.
There has been ample criticism of Google, for example, for not doing enough to secure its identity management. This was clearly brought out in the recent case of Twitter data being exposed through Google's account-recovery service.
The centerpiece of current identity management is the account information issued to the user, the user id and the password. The user id is being replaced by the email id, but the password remains.
Users tend to choose simple passwords, so accounts can be broken into with little effort. And because users forget their passwords, the password recovery features offered by most online services have become a tool for attackers: the recovery questions rely on information such as place of birth or favourite author, which is often easy to find, and once one account is recovered the same information can be used to reach other, more important accounts such as a bank account.
It is becoming increasingly clear that the password-based system of authentication is the problem, not the solution, and companies are offering password managers, digital signatures and security tokens to strengthen or replace the password.
With the cloud and a universal identity, a password-based system becomes a major security issue, since one identity could open the locks of many accounts, and safeguarding that universal identity would be a big challenge. Likewise, accessing an online service today is as simple as entering your sign-in information and using the service from anywhere. That is fine so long as the service is free.
For paid or subscription services, however, this flexibility of access from anywhere is losing the service provider money in many cases, because a paid subscriber's credentials, once compromised, can be used by others from anywhere, with or without the knowledge of the original account holder.
Not only is the original account holder at serious risk of having his payment information compromised, but the service provider is also inadvertently giving its paid service away for free to all the other illegitimate users.
Password-Less User Authentication and IDM
A Password-less User Authentication model is not the same as a zero-password model such as digital signatures being used to grant access to online services. This concept, originally proposed by IBM in the late 1980s, is the automatic generation of the password: the auto-generated password is then used to authenticate the user.
Such a solution kills two birds with one stone.
For one, the user does not need to define or remember passwords, since the system generates the password dynamically; and the service provider does not need to store the password on its server to help the user recover it.
Not having the user enter a password to access an online service, and not having the service provider store a password to authenticate the user, improves the security of both the user and the service manifold.
The password for the user's identity could be generated by the solution provider by uniquely identifying the user's computing device and deriving a password for the service from that unique identity. The same device identity can then yield a key to encrypt the user's sensitive information stored in the online database; in practice the password sent to the service and the encryption key should be derived separately, so that the service never learns the key that protects the data.
Because the password is generated on the fly, it need not be stored anywhere, which makes the identity device-locked: it can be used only from the computing device on which it was registered. The security of the scheme therefore rests on the device identity itself, which must include a secret the device keeps, not only enumerable attributes such as serial numbers or MAC addresses that an attacker could collect and replay.
This means no one can access the user's online data from a different device using the same or a different service, which makes unauthorized access to the service or data virtually impossible, provided the registered device itself is not compromised: malware on, or theft of, that device is the remaining risk.
This is especially important for services operating in the cloud: although the user's data is stored in a virtual environment, the key to unlock it is not stored in the cloud.
This does not mean the user is restricted; portability as well as security could be offered by tying the identity to a portable computing device, thus allowing mobility of access.
Many online security and IAM vendors have already started offering solutions based on this concept, but most have been expensive for the end user or impractical for mass deployment, and certainly not for the cloud.
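The following is an added example of the device-locked scheme described above; it is illustrative code written for this page, not EasySecured's product or IBM's original design. Everything in it is an assumption chosen to show the mechanics: the device attributes are constructed, a random per-device secret is mixed into the fingerprint so that copied hardware attributes are not enough, HKDF labels separate the sign-in password from the data-encryption key, and the service keeps only a salted PBKDF2 verifier in place of whatever a real provider would store.

```python
"""Device-bound, service-specific password derivation and verification.

Added example, not EasySecured's code. The device attributes, the per-device
random secret, the HKDF labels and the PBKDF2 verifier are all assumptions
chosen to illustrate the scheme described in the article.
"""
import hashlib
import hmac
import os
import secrets
from typing import Dict, Tuple


def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int = 32) -> bytes:
    """HKDF (RFC 5869) extract-then-expand using HMAC-SHA256 from the stdlib."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def device_fingerprint(attributes: Dict[str, str], device_secret: bytes) -> bytes:
    """Client side: bind the identity to this device.

    Enumerable attributes (model, serial, MAC) alone are guessable, so a random
    secret generated at enrolment and kept in the device's key store is mixed
    in; an attacker who copies the attributes but lacks the secret cannot
    rebuild the fingerprint. The attribute dictionary is canonicalised first.
    """
    canonical = "\n".join(f"{k}={attributes[k]}" for k in sorted(attributes)).encode()
    return hkdf_sha256(device_secret, canonical, b"device-identity")


def derive_service_password(fingerprint: bytes, user_id: str, service: str) -> str:
    """Client side: the password for one service, regenerated at every sign-in.

    Nothing is stored on the client; a different device or a different service
    name yields an unrelated value.
    """
    info = f"auth|{service}|{user_id}".encode()
    return hkdf_sha256(fingerprint, b"", info).hex()


def derive_data_key(fingerprint: bytes, user_id: str, service: str) -> bytes:
    """Client side: a separate key for encrypting data kept at the service.

    A distinct HKDF label keeps it unrelated to the password the service sees,
    so the service (and anyone who breaches it) never holds the data key.
    """
    info = f"data|{service}|{user_id}".encode()
    return hkdf_sha256(fingerprint, b"", info)


class Service:
    """Server side: stores only a salted PBKDF2 verifier, never the password."""

    def __init__(self, name: str) -> None:
        self.name = name
        self._verifiers: Dict[str, Tuple[bytes, bytes]] = {}

    @staticmethod
    def _verifier(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def register(self, user_id: str, password: str) -> None:
        salt = os.urandom(16)
        self._verifiers[user_id] = (salt, self._verifier(password, salt))

    def login(self, user_id: str, password: str) -> bool:
        if user_id not in self._verifiers:
            return False
        salt, expected = self._verifiers[user_id]
        return hmac.compare_digest(expected, self._verifier(password, salt))


def demo() -> Dict[str, bool]:
    """Walk through enrolment and sign-in; every entry should be True."""
    # Constructed sample attributes; a real client would read them from the OS.
    laptop = {"model": "X1", "serial": "SN-0001", "mac": "00:11:22:33:44:55"}
    laptop_secret = secrets.token_bytes(32)  # generated once, stays on the device
    fp = device_fingerprint(laptop, laptop_secret)

    bank, mail = Service("bank.example"), Service("mail.example")
    bank.register("alice", derive_service_password(fp, "alice", bank.name))
    mail.register("alice", derive_service_password(fp, "alice", mail.name))

    # Attacker copies every hardware attribute but lacks the device secret.
    clone_fp = device_fingerprint(laptop, secrets.token_bytes(32))
    bank_pw = derive_service_password(fp, "alice", bank.name)

    return {
        "registered_device_signs_in": bank.login("alice", bank_pw),
        "cloned_attributes_rejected": not bank.login(
            "alice", derive_service_password(clone_fp, "alice", bank.name)),
        "mail_password_useless_at_bank": not bank.login(
            "alice", derive_service_password(fp, "alice", mail.name)),
        "data_key_unrelated_to_password": derive_data_key(
            fp, "alice", bank.name).hex() != bank_pw,
        "password_not_stored_verbatim": bank_pw.encode()
            not in b"".join(s + v for s, v in bank._verifiers.values()),
    }


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {ok}")
```

Two design choices carry the security argument. First, the service still has to store something to check a sign-in; it is the password itself that is never stored, and a slow salted verifier is what stands in for it here. Second, the device secret is what actually makes the identity device-locked: without it, anyone who can read the same serial number and MAC address could regenerate the password, and the "device-locked" property would evaporate.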
—By: Gurudatt Shenoy, Founder EasySecured.com. The author of this article is inventor and founder of EasySecured™ which offers a Password-Less User Authentication and Identity Management solution using the user’s existing computer or computing device.
References:
http://googleonlinesecurity.blogspot.com/2009/07/password-strength-and-account-recovery.html
http://www.infoworld.com/d/security-central/gartner-seven-cloud-computing-security-risks-853
http://www.eweekeurope.co.uk/comment/twitter-s-google-docs-hack---a-warning-for-cloud-app-users-1423
http://www.computerworld.com/s/article/9138179/Will_security_concerns_darken_Google_s_government_cloud_