Once an organisation gets over the "trust issue" of working with a cloud computing provider, the next step is to explore ways to onboard its employees and end users smoothly.
For instance, how does your existing corporate password get reused to log in to a newly-minted cloud service? One of the biggest stumbling blocks is building that bridge over troubled waters between your enterprise credentials and a third party.
Your company's security policy will likely prohibit anyone from logging in to outside services over the Internet with corporate credentials, because the IT organisation is wary of sharing common passwords outside its four walls.
There is a tried and true workaround.
Let's first go to the movies. You purchase a ticket to 'Batman 2020' and pay using your credit card. You will (or should) be asked to identify yourself. A government-issued driver's license will do the job.
You may also whip out your old college ID for an attempt at a student discount. After your payment is complete, you get handed a printed movie ticket, and you are free to roam anywhere in the theatre. Even slip into other shows.
What's going on:
- You are holding in your wallet a variety of credentials (driver's license, student ID) to prove your identity
- You are issued recognisable credentials by different authorities (government agency, college)
The scheme to check your identity in a cloud setting will rely on these same concepts of credentials and trusted authorities.
For example, when you browse to a web application that is hosted by a third party, instead of presenting your corporate credentials directly to them, you will be redirected to your own IT organisation's login screen.
You will enter your corporate password and get authenticated by your IT department. Your corporate password will never be shared outside the four walls of your company. Instead, you are handed a ticket (in your browser's virtual 'wallet') that is then presented to the cloud service provider.
That ticket says "you are who you say you are". More importantly, the ticket (also known as a token) is a genuine credential that is issued by your organisation and recognised by the cloud service provider as authentic. You can use that token anywhere on the third party's property.
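The redirect-and-ticket flow described above, as an added Python sketch that is not part of the original article: the corporate side checks the password locally and issues a signed, short-lived ticket scoped to one cloud service; the cloud side verifies the signature, issuer, audience and expiry before trusting the username inside. For simplicity the two parties share one HMAC secret (a constructed assumption; real SAML and OpenID Connect federations use the identity provider's public key, so the cloud service holds no secret that could mint tickets). The directory entry, secret and service names are all constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed for this example: the corporate identity provider and the cloud
# service share one signing secret. In a real SAML or OpenID Connect federation
# the service holds only the provider's public key; the shared secret is an
# assumption made here to keep the example to the standard library.
IDP_SIGNING_KEY = b"constructed-demo-signing-secret"
IDP_NAME = "corp-idp"
TICKET_LIFETIME_SECONDS = 300

# Constructed corporate directory: username -> SHA-256 of the password.
_DIRECTORY = {"alice": hashlib.sha256(b"correct horse battery").hexdigest()}
_NO_SUCH_USER = "0" * 64  # dummy digest so unknown users take the same path


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(body: str, key: bytes) -> str:
    return _b64(hmac.new(key, body.encode(), hashlib.sha256).digest())


def corporate_login(username: str, password: str, audience: str,
                    now: Optional[float] = None,
                    key: bytes = IDP_SIGNING_KEY) -> Optional[str]:
    """Identity-provider side. The password is checked here, inside the
    company, and never leaves; what comes back is a signed ticket scoped
    to one cloud service (the audience) and to a short lifetime."""
    stored = _DIRECTORY.get(username, _NO_SUCH_USER)
    offered = hashlib.sha256(password.encode()).hexdigest()
    if not hmac.compare_digest(stored, offered):  # constant-time compare
        return None
    issued = time.time() if now is None else now
    claims = {
        "iss": IDP_NAME,
        "sub": username,
        "aud": audience,
        "iat": issued,
        "exp": issued + TICKET_LIFETIME_SECONDS,
    }
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    return body + "." + _sign(body, key)


def cloud_service_accept(token: str, expected_audience: str,
                         now: Optional[float] = None,
                         key: bytes = IDP_SIGNING_KEY) -> Optional[str]:
    """Service-provider side. Returns the authenticated username if the
    ticket is genuine (signature), meant for this service (audience),
    from the expected issuer and not expired; otherwise None."""
    if token.count(".") != 1:
        return None
    body, signature = token.split(".")
    # Verify the signature before trusting anything inside the body.
    if not hmac.compare_digest(_sign(body, key), signature):
        return None
    try:
        claims = json.loads(_unb64(body))
    except (ValueError, UnicodeDecodeError):
        return None
    current = time.time() if now is None else now
    if claims.get("iss") != IDP_NAME or claims.get("aud") != expected_audience:
        return None
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or current >= exp:
        return None
    return claims.get("sub")


if __name__ == "__main__":
    ticket = corporate_login("alice", "correct horse battery", "movies-cloud")
    print("movies-cloud accepts:", cloud_service_accept(ticket, "movies-cloud"))
    print("other-cloud accepts:", cloud_service_accept(ticket, "other-cloud"))
```

The audience and expiry checks are what make the ticket usable "anywhere on the third party's property" but nowhere else: the same ticket presented to a different service, or after its lifetime, is refused without the cloud side ever having seen the corporate password.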
If you've ever logged into your corporate portal and found yourself at your health-provider site, you are likely using a token to identify yourself without you realising.
In the world of mobile, internal and external cloud services, it will be these readable and very portable credentials that make it much simpler to get things done.
Walid Negm is Director Cloud and Cyber Security Offerings, Accenture