January 26, 2010
Security remains a huge concern for cloud computing, as well as for the entire IT industry. While scanning the day’s headlines, I was struck by the following:
- Who cares about disk encryption when a thief can just walk off with 57 hard drives? (Source: Tennessee NewsChannel 5)
- Who cares about strong passwords when “123456” is the most popular password? (Source: Imperva)
Have we become so dependent on technology that we have forgotten the basic principles of physical security? Have users become so resistant to passwords, and administrators so tired of user complaints about strong and expiring passwords, that we simply allow weak passwords to exist?
For this article, let’s concentrate on exploring the password problem. In the beginning, it was easy to remember a single username/password for the VAX/VMS system. Today, you must remember tens, dozens, or hundreds of username/password combinations across both work and home applications. It has gotten so complex that we mindlessly store our “cloud” passwords in the browser, use the same combination over and over again, “sticky-note” everything, or rely on a third-party password management program. In fact, I’d love to see statistics on how often the “click here if you forgot your username or password” links on websites are used.
In a world where we can barely remember a telephone number, how are we expected to create and remember strong passwords? Are we really still debating the merits of Single-Factor (SF) vs. Two-Factor (2FA) vs. Multi-Factor (MFA) authentication? SF is simply a username and password combination. 2FA adds a PIN plus a synchronized, single-use number or word delivered by a key fob, phone, software token, voice call, or text message. MFA requires SF or 2FA plus another layer of security, such as a set of questions, another login or PIN, or more.
The solution to this problem may lie somewhere in a combination of all three, paired with a universal repository for identity management. OpenID and Facebook Connect look promising, but whom do you trust? What are the legal implications of turning to such a service? Of a breach? For the enterprise we have Aveksa, Novell, CA, Microsoft, and more, but these systems must be purchased and implemented within individual companies. How well do they work in the world of public and private cloud computing? Does anyone else remember the promises of SAML (Security Assertion Markup Language)?
In the end, passwords are the keys that unlock the doors of the cloud computing revolution. Without new approaches and solutions to this familiar problem, innovation may be slowed by the fears and frustrations of users, corporations, and governments.