As we extend our reliance on cloud-based platforms that can be accessed over the internet, the need for security is ever more important. One of the most vital areas is in ensuring that only authorised users get access to their accounts and for this reason, authentication remains at the forefront of cloud security.
What is cloud authentication?
In essence, authentication is the process of proving that the person logging in is who they claim to be. In other words, it’s a way of trying to guarantee the authenticity of the user. This is usually done by cross-referencing information held on the server with information held by the user, such as username, password, account numbers and secret questions.
At times we also want to grant non-human access to cloud-based systems, for example, for online backups, patching and remote system monitoring. Again, it is important that only authorised programs are given access and not hacking apps, and this can be achieved in a similar way through the use of API keys or digital certificates.
If the information provided by the user matches that held on the server then, usually, authentication is seen to be proved and authorisation is then given to access the system.
Authentication shouldn’t be confused with authorisation. The latter is concerned with the authority of the user to do certain tasks. For example, with website administration, some users are given different access privileges: administrators have full control of the website, whilst subscribers may only be able to make changes to their own account areas.
The Importance of authentication
Controlling access to cloud-based systems using authentication is absolutely vital. For businesses that are hacked, the potential consequences are enormous: large fines, reputational damage, customer lawsuits, operational disaster, intellectual property theft, exploitation, ransom, the list goes on. For private individuals, similar calamity faces the account holder who can be fleeced out of their life savings or have their personal information posted all over the internet.
And these are nothing compared to the prospect of state-backed cyber-terrorists inflicting damage on cloud-based defence, government and infrastructure networks.
Without bulletproof authentication, everything in the cloud is vulnerable and with the increasing growth of the Internet of Things our need to find the best solution is becoming more and more urgent.
Authentication vs ease of use
One of the major problems facing cloud-based systems is the need to balance security with ease of use. Users want robustly secure accounts, but the more stringent we make the authentication, for example, two-factor authentication, the less convenient it is for them to access their accounts.
There is a range of authentication processes available but not all of them are suitable for all networks. Here are the main ones.
Users wanting access to private and public cloud networks usually go through authentication by logging in with usernames and passwords. The assumption is that the user has kept the password private and is the only one with access to it, so that when it is used, access is given.
However, there are weaknesses with this method. Firstly, users frequently use the same username and password for a variety of accounts, so if a hacker finds the login credentials of someone’s Facebook account, they might then be able to use them on their bank account too.
Secondly, the usernames and passwords are not that difficult to crack. The majority of usernames are some kind of mix of a person’s real name, occasionally suffixed with a birth year and the bulk of passwords can be cracked by sophisticated hacking software relatively quickly. Even strong passwords can be stolen, accidentally revealed or forgotten.
For these reasons, simple password and username authentication is not considered strong enough for many organisations.
Two factor and multifactor authentication
To increase the robustness of password authentication, many organisations require additional information during a login, known as two-factor and multifactor authentication. Two-factor requires one additional authentication method besides username and password, whilst multifactor requires up to four more methods.
There are basically four types of authentication factor that can be used and combined in multifactor authentication:
- Knowledge factors: the user is required to provide information such as a PIN, date of birth, or the answer to a secret question.
- Possession factors: often used by banks, the user needs to provide a security token generated by something they have in their possession, such as a card reader device or mobile phone.
- Biometric factors: the user needs to provide biometric data such as a fingerprint or retina scan.
- Location factors: GPS data from phones and a computer’s MAC address can help verify the location of the user.
Strong authentication is the term used when the method of verifying identity is considered robust enough to guarantee the security of the system. However, different organisations have different views on what is considered strong.
For many organisations, two-factor authentication is considered adequate whilst others demand multifactor authentication because it requires information from two or more of the four authentication factors listed above.
Some other organisations allow a slightly less stringent approach to multifactor authentication, accepting two answers in response to a single authentication factor, e.g. two separate digits from a PIN or two different secret question answers.
For cloud-based systems that have very high-security requirements, for example, banks or healthcare organisations, multifactor authentication is becoming the norm in order to prevent highly confidential information being accessed by unauthorised users.
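The two mechanisms described above, the password check (knowledge factor) and a code from a device the user holds (possession factor), can be seen end to end in the following Python example. It is an added illustration, not code from the original article or from Web Hosting UK, and it assumes a hypothetical user record layout: the server never stores the password itself, only a salted slow hash (PBKDF2 here) so that a stolen database is expensive to crack, and the second factor is a standard RFC 6238 time-based one-time code checked with a one-step tolerance for clock drift. Both factors must pass before access is granted.

```python
import hashlib
import hmac
import os
import struct
import time
from typing import Optional

# Constructed parameters for this example: a deliberately slow KDF makes
# offline guessing of a stolen hash costly, which addresses the "passwords
# are not that difficult to crack" weakness from the password section.
PBKDF2_ITERATIONS = 210_000
TOTP_STEP_SECONDS = 30
TOTP_DIGITS = 6


def register(password: str, totp_secret: bytes) -> dict:
    """Build the stored record for a new user (hypothetical schema, not a real product's)."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    # The plain password is never kept; only salt, hash and the shared TOTP secret.
    return {"salt": salt, "hash": digest, "totp_secret": totp_secret}


def verify_password(record: dict, password: str) -> bool:
    """Knowledge factor: recompute the hash and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), record["salt"], PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, record["hash"])


def totp(secret: bytes, unix_time: int) -> str:
    """Possession factor: RFC 6238 code (HMAC-SHA1 over the 30-second time counter)."""
    counter = struct.pack(">Q", unix_time // TOTP_STEP_SECONDS)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                   # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** TOTP_DIGITS)).zfill(TOTP_DIGITS)


def verify_totp(secret: bytes, code: str, unix_time: int, window: int = 1) -> bool:
    """Accept the current code or one step either side to tolerate small clock drift."""
    for drift in range(-window, window + 1):
        expected = totp(secret, unix_time + drift * TOTP_STEP_SECONDS)
        if hmac.compare_digest(expected, code):
            return True
    return False


def authenticate(record: dict, password: str, code: str, unix_time: Optional[int] = None) -> bool:
    """Two-factor login: access is granted only when BOTH factors check out."""
    if unix_time is None:
        unix_time = int(time.time())
    # Evaluate both factors unconditionally so a wrong password does not
    # short-circuit and reveal through timing which factor failed.
    password_ok = verify_password(record, password)
    code_ok = verify_totp(record["totp_secret"], code, unix_time)
    return password_ok and code_ok


if __name__ == "__main__":
    # Constructed demo using the RFC 6238 reference secret; a real deployment
    # would generate a random per-user secret at enrolment.
    secret = b"12345678901234567890"
    record = register("correct horse battery staple", secret)
    now = int(time.time())
    print("login with right password and current code:",
          authenticate(record, "correct horse battery staple", totp(secret, now), now))
    print("login with right password and wrong code:",
          authenticate(record, "correct horse battery staple", "000000", now))
```

The one-step tolerance window is the usual compromise between usability and security that the article discusses: too narrow and users with a slightly wrong phone clock are locked out, too wide and an intercepted code stays valid for longer. In production this check would also be rate-limited so that a six-digit code cannot simply be guessed, and each code would be accepted only once.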
Perhaps the most important point raised here is that these higher levels of security are available on cloud networks, and this includes public, private and hybrid systems. For organisations wanting to keep their systems and data secure, it is helpful to know that two-factor and multifactor authentication can be put in place.
If you are considering migrating your system to the cloud, Web Hosting UK offers a range of cloud options for both Windows and Linux based systems using VMware and Hyper-V cloud servers. We offer free set up, 100% uptime SLA and 24/7 support as well as a host of other features. For more information, check out our Cloud Hosting page.
If you have any questions regarding security or need help making your system more secure, call our team on 0800 8620890.