Membership
Join as an Organization
Enterprises
Solution Providers
Contact Us
Current Members
Initiatives & Partnerships
AI Safety Initiative
CxO Trust
Zero Trust Advancement Center
Trusted Cloud Providers
Trusted Cloud Consultant
Other Opportunities
Event Sponsorships
Join as Individual
Chapters
Circle Community Forum
Research Working Groups
Volunteer Opportunities
STAR Program
STAR Home
STAR Registry
Submit to Registry
Provide Feedback
Certified STAR Auditors
STAR Enabled Solutions
Stay compliant in the cloud
CCAK Training
STAR Lead Auditor Training
Training for Government Agencies
Governance, Risk & Compliance Tools
Cloud Controls Matrix (CCM)
Consensus Assessment Initiative Questionnaire (CAIQ)
EU Cloud Code of Conduct
STAR Level 1
At level one organizations submit a self-assessment.
View companies at level one
Learn about level one
STAR Level 2
At level two organizations earn a certification or third-party attestation.
View companies at level two
Learn about level two
Certificates & Training
Online Platform
Knowledge Center
CSA Exams
Events
Learn and network while you earn CPE credits.
Virtual Events & Webinars
Event Sponsorships
Certificates
Certificate of Cloud Security Knowledge (CCSK)
Certificate of Cloud Auditing Knowledge (CCAK)
Certificate of Competence in Zero Trust (CCZT)
Digital Badges
Trainings
Zero Trust Training (ZTT)
Cloud Infrastructure Security Training
STAR Lead Auditor Training
Advanced Cloud Security Practitioner (ACSP) Training
CCSK Train the Trainer
Training Network
Become an Instructor
Become a Training Partner
Specialized Training Options
Train my entire team
Training for Government Agencies
Research
CSA Research
Latest Research
Working Groups
Open Peer Reviews
Research Topics
Strategic Initiatives
AI Safety Initiative
Zero Trust Advancement Center
CxO Trust
Trusted Cloud Consultant
FinCloud Security
Thought Leadership
CloudBytes Webinars
Blog
Getting Started with CSA Research
Cloud security best practices
Assess your cloud compliance
Security questionnaire for vendors
Top threats to cloud computing
Awards & Recognition
Juanita Koilpillai Awards
Research Fellows
Critical Topics
AI Safety Initiative
AI Technology and Risk
AI Governance & Compliance
AI Controls
AI Organizational Responsibilities
Enterprise Architecture
Blockchain
Zero Trust
DevSecOps
Top Threats
Membership
Join as an Organization
Enterprises
Solution Providers
Contact Us
Current Members
Initiatives & Partnerships
AI Safety Initiative
CxO Trust
Zero Trust Advancement Center
Trusted Cloud Providers
Trusted Cloud Consultant
Other Opportunities
Event Sponsorships
Join as Individual
Chapters
Circle Community Forum
Research Working Groups
Volunteer Opportunities
STAR Program
STAR Home
STAR Registry
Submit to Registry
Provide Feedback
Certified STAR Auditors
STAR Enabled Solutions
Stay compliant in the cloud
CCAK Training
STAR Lead Auditor Training
Training for Government Agencies
Governance, Risk & Compliance Tools
Cloud Controls Matrix (CCM)
Consensus Assessment Initiative Questionnaire (CAIQ)
EU Cloud Code of Conduct
STAR Level 1
At level one organizations submit a self-assessment.
View companies at level one
Learn about level one
STAR Level 2
At level two organizations earn a certification or third-party attestation.
View companies at level two
Learn about level two
Certificates & Training
Online Platform
Knowledge Center
CSA Exams
Events
Learn and network while you earn CPE credits.
Virtual Events & Webinars
Event Sponsorships
Certificates
Certificate of Cloud Security Knowledge (CCSK)
Certificate of Cloud Auditing Knowledge (CCAK)
Certificate of Competence in Zero Trust (CCZT)
Digital Badges
Trainings
Zero Trust Training (ZTT)
Cloud Infrastructure Security Training
STAR Lead Auditor Training
Advanced Cloud Security Practitioner (ACSP) Training
CCSK Train the Trainer
Training Network
Become an Instructor
Become a Training Partner
Specialized Training Options
Train my entire team
Training for Government Agencies
Research
CSA Research
Latest Research
Working Groups
Open Peer Reviews
Research Topics
Strategic Initiatives
AI Safety Initiative
Zero Trust Advancement Center
CxO Trust
Trusted Cloud Consultant
FinCloud Security
Thought Leadership
CloudBytes Webinars
Blog
Getting Started with CSA Research
Cloud security best practices
Assess your cloud compliance
Security questionnaire for vendors
Top threats to cloud computing
Awards & Recognition
Juanita Koilpillai Awards
Research Fellows
Critical Topics
AI Safety Initiative
AI Technology and Risk
AI Governance & Compliance
AI Controls
AI Organizational Responsibilities
Enterprise Architecture
Blockchain
Zero Trust
DevSecOps
Top Threats
Cloud 101CircleEventsBlog
Register for CSA’s free Virtual Cloud Trust Summit to tackle enterprise challenges in cloud assurance.

Cloud Security: The Identity Factor

Home
Industry Insights
Cloud Security: The Identity Factor

Blog Article Published: 03/10/2011

The Problem with Passwords

by Patrick Harding, CTO, Ping Identity

The average enterprise employee uses 12 userid/password pairs for accessing the many applications required to perform his or her job (Osterman Research 2009). It is unreasonable to expect anyone to create, regularly change (also a prudent security practice) and memorize a dozen passwords, but is considered today to be a common practice. Users are forced to take short-cuts, such as using the same userid and password for all applications, or writing down their many strong passwords on Post-It notes or, even worse, in a file on their desktop or smartphone.

Even if most users could memorize several strong passwords, there remains risk to the enterprise when passwords are used to access cloud services (such as Google Apps or Salesforce.com) where they can be phished, intercepted or otherwise stolen.

The underlying problem with passwords is that they work well only in “small” spaces; that is, in environments that have other means to mitigate risk. Consider as an analogy the bank vault. Its combination is the equivalent of a strong password, and is capable of adequately protecting the vault’s contents if, and only if, there are other layers of security at the bank.

Such other layers of security also exist within the enterprise in the form of locked doors, receptionists, ID badges, security guards, video surveillance, etc. These layers of security explain why losing a laptop PC in a public place can be a real problem (and why vaults are never located outside of banks!).

Ideally, these same layers of internal security could also be put to use securing access to cloud services. Also ideally, users could then be asked to remember only one strong password (like the bank vault combination), or use just one method of multi-factor authentication. And ideally, the IT department could administer user access controls for cloud services centrally via a common directory (and no longer be burdened by constant calls to the Help Desk from users trying to recall so many different passwords).

One innovation in cloud security makes this ideal a practical reality: federated identity.

Federated Identity Secures the Cloud

Parsing “federated identity” into its two constituent words reveals the power behind this approach to securing the cloud. The identity is of an individual user, which is the basis for both authentication (the credentials for establishing the user is who he/she claims to be) and authorization (the cloud services permitted for use by specific users). Federation involves a set of standards that allows identity-related information to be shared securely between parties, in this case: the enterprise and cloud-based service providers.

The major advantage of federated identity is that it enables the enterprise to maintain full and centralized control over access to all applications, whether internal or external. Further, federated single sign-on (SSO) allows a user to login once then access all authorized cloud services via a portal or other convenient means of navigation. The IT department essentially controls how users authenticate; including whatever credentials may be required. A related advantage is that, with all access control provisions fully centralized, “on-boarding” (adding new employees) and “off-boarding” (terminating employees) become at once more secure and substantially easier to perform.

Security Tokens

Identity-related information is shared between the enterprise and cloud-based service providers through security tokens; not the physical kind, but as cryptographically signed documents (e.g. XML-based SAML tokens) that contain data about a user. Under this trust model, the good guys have good documents (security tokens) issued from a trusted source; the bad guys never do. For this reason, both the enterprise and the service providers are protected. These security tokens essentially replace the use of a password at each cloud service.

When enabling a federated relationship with different cloud services, there are always two parties: the Identity Provider (IdP) and the Relying Party (RP)[PD1] . The Identity Provider (the enterprise) is the authoritative source of the identity information contained in the security tokens. The Relying Parties (the cloud service providers) establish relationships with one or more Identity Providers and verifies and trusts the security tokens containing the assertions needed to govern access control.

The authoritative nature of and the structured relationship between the two parties are fundamental to federated identity. Based on the trust established between the Enterprise and the cloud service the Relying Parties have full confidence in the security tokens they receive. [PH2]

Conclusion

As the popularity of cloud-based services continues to grow, IT departments will increasingly turn to federated identity as the preferred means for managing access control. With federated identity, users and the IT staff both benefit from greater security but also from greater convenience and productivity. Users log in only once, remembering only one strong password, to access all authorized cloud services.

To learn more about Identity’s role in Cloud Security, visit Ping Identity www.pingidentity.com.

Patrick Harding, CTO, Ping Identity

Harding brings more than 20 years of experience in software development, networking infrastructure and information security to the role of Chief Technology Officer for Ping Identity. Previously, Harding was a vice president and security architect at Fidelity Investments where he was responsible for aligning identity management and security technologies with the strategic goals of the business. An active leader in the Identity Security space, Harding is a Founding Board Member for the Information Card Foundation, a member of the Cloud Security Alliance Board of Advisors, on the steering committee for OASIS and actively involved in the Kantara Initiative and Project Concordia. He is a regular speaker at RSA, Digital ID World, SaaS Summit, Catalyst and other conferences. Harding holds a BS Degree in Computer Science from the University of New South Wales in Sydney, Australia.

[PD1] Service Provider is used above
[PH2] I would suggest that this paragraph be deleted as a lot of the terms and concepts have not been introduced or explained.

Share this content on your favorite social network today!

Latest from CSA
Join AT&T Cybersecurity in Chicago
The State of AI and Security Survey Report
CSA's STAR: The Key to Cloud Security & Compliance
Trending This Week
#1 The 5 SOC 2 Trust Services Criteria Explained
#2 What You Need to Know About the Daixin Team Ransomware Group
#3 Mitigating Security Risks in Retrieval Augmented Generation (RAG) LLM Applications
#4 Cybersecurity 101: 10 Types of Cyber Attacks to Know
#5 Detecting and Mitigating NTLM Relay Attacks Targeting Microsoft Domain Controllers
Enhance your cloud security skills with CSA's online training options.