Hackers could be in for one of the biggest security bonanzas since the UK Government stopped using paper and started dropping CDs, DVDs and USB sticks. There have been many concerns about cloud security, and it is often seen as a big barrier to adoption, but the thorny question of user credentials could make the cloud even less attractive to users.

Microsoft is one company that has been expressing concern about this. At TEC09 in Berlin the company has been showing some of the capabilities of Forefront Identity Manager (FIM) 2010 and cross-platform security. All well and good, but Microsoft's concern is that users will start to leak their security credentials outside the enterprise. In other words, rather than using separate usernames and passwords for cloud services, they will reuse the same username and password they use for enterprise access.

This represents a serious and generally unacknowledged barrier to cloud adoption. Enterprises have no control over how cloud vendors store and manage credentials. With many cloud vendors growing out of the ISP market, where there are regular hacks against customer databases, the risk of having live enterprise credentials stored outside the enterprise is almost the same as the yellow sticky note on the wall.

With FIM 2010 Microsoft is pushing hard for claims-based security, where you use a token to authenticate to services. In effect this is similar to chip and PIN with your credit card. When you attempt to connect to a service, it takes what you offer, passes that information to a Security Token Server that validates you, and then passes back a token allowing you to connect to the service.
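The token exchange described above, as an added illustration that is not code from the article or from FIM 2010: a simulated enterprise Security Token Server holds the password store and issues a signed, audience-bound, expiring token; the cloud service (the relying party) holds only the verification key and never sees a username and password. The shared HMAC key, issuer and audience URLs and the user record are constructed assumptions; a production STS would use an asymmetric signature so the cloud side holds no signing secret at all.

```python
import base64, hashlib, hmac, json, time

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

class SecurityTokenServer:
    """Enterprise-side STS: the only party that ever handles the password."""
    def __init__(self, signing_key: bytes, issuer: str):
        self._key, self.issuer, self._users = signing_key, issuer, {}

    def add_user(self, username: str, password: str, claims: dict) -> None:
        salt = hashlib.sha256(username.encode()).digest()  # demo salt; use a random per-user salt in practice
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        self._users[username] = (salt, digest, claims)

    def issue_token(self, username, password, audience, ttl=300, now=None):
        record = self._users.get(username)
        if record is None:
            return None
        salt, digest, claims = record
        attempt = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        if not hmac.compare_digest(attempt, digest):
            return None  # wrong password: no token, and the cloud service never learns the attempt
        now = time.time() if now is None else now
        payload = {"iss": self.issuer, "aud": audience, "sub": username,
                   "exp": now + ttl, "claims": claims}
        body = _b64(json.dumps(payload, sort_keys=True).encode())
        sig = _b64(hmac.new(self._key, body.encode(), "sha256").digest())
        return f"{body}.{sig}"

class RelyingParty:
    """Cloud service: holds only the STS verification key, never user passwords."""
    def __init__(self, verification_key: bytes, trusted_issuer: str, audience: str):
        self._key, self.issuer, self.audience = verification_key, trusted_issuer, audience

    def accept(self, token, now=None):
        try:
            body, sig = token.split(".")
        except ValueError:
            return None  # malformed token
        expected = _b64(hmac.new(self._key, body.encode(), "sha256").digest())
        if not hmac.compare_digest(expected, sig):
            return None  # forged or tampered token
        payload = json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))
        now = time.time() if now is None else now
        if payload["iss"] != self.issuer or payload["aud"] != self.audience or payload["exp"] <= now:
            return None  # untrusted issuer, token meant for another service, or expired
        return payload
```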

We have already seen Microsoft and others try to drive this kind of solution before. CardSpace is a Microsoft product that allows users to have many identities managed on their computer. Each identity gives them access to different systems, but instead of constantly entering data they can just present their CardSpace ID. This is analogous to credit cards with chip and PIN: you present your card to the merchant and enter your PIN, and all the rest of the information about the transaction is passed in the background.

For users moving between cloud services and the enterprise, this would provide a single sign-on service that ensures usernames, passwords and other credentials are kept secure. But for this to work, cloud vendors and security vendors need to work together. A few months ago the Burton Group carried out a very large test of different vendors' systems against 21 endpoints, including many of the large cloud service providers, to see how well this worked. Their reports will be released soon.

More recently, the Liberty Alliance tested a number of vendors and will release their report on 17 September. Of those vendors who attended, only Microsoft has talked about it and only then to say that they felt it went very well but couldn't comment until the report's release.

If this does work, then users will be able to move from the enterprise to the cloud and back again using a credential-based system that replaces usernames and passwords. This will make it a seamless approach for the organisation and remove the risk of credential loss.

However, the current tests do not mean everyone is going to support such a solution. For example, the Microsoft Azure team are apparently talking to the FIM 2010 team but have not yet committed to supporting credential security. This would be a significant blow for large Microsoft shops and for Microsoft's plans for Azure as it would, bizarrely, make it more secure to work with SalesForce than Azure.

On the flip side, the next release of SharePoint Server will be capable of doing this and the Microsoft online services teams are already looking at what they need for deployment and implementation. However, it is the only server product to make that commitment. SQL Server, Exchange and Dynamics are conspicuous by their failure to announce that they will move to credential based security. Strangely the same is true of the Microsoft online service offerings some of which will be using SharePoint.

The most important thing of all is that this whole approach is based on standards and technology that already exist. It does not mean taking on new, untested security for the enterprise. On the downside, a decade ago the banks wanted to do a similar thing and be the trusted credential owner. That didn't happen because no-one trusted the banks.

This time round the emphasis is on the enterprise setting itself up to control the credential passing of its users. But if this is going to really take off in the cloud we need to see some third party enter the discussion, and there you have a major sticking point. An enterprise has a vested interest in understanding who you are and issuing you with access based on that knowledge.

How would a third party establish just who you are? There are systems under trial by various governments, but it would require that they are both secure and likely to be trusted by individuals and businesses alike. That is something that will take time to achieve, especially as, like the banks, governments were talking about this over a decade ago.

Perhaps one saviour of all of this is the professional body. Accountants, doctors, lawyers, even journalists are all members of professional bodies. They all issue credentials to their members today, and this could be an opportunity for them to take that step into the cloud by providing a secure identity for their membership to anyone who wants to deal with that membership. Of course, they would still have to validate business partners, but they could end up being trusted third parties with less baggage than the banks and governments.

Whatever happens, if you allow your users to move between the cloud and the enterprise without being able to stop them replicating their enterprise logon details you do so at your own peril.