Proving Identity in the Cloud

Unlike last year where there were many virtualization security vendors existed at RSA Conference, there was a noticeable lack of them within booths, yet all of them were here to talk to existing and potential customers. However, there were  many vendors offering identity management in the cloud for these I asked the identity management product owners the following question:

How can you prove identity in the cloud?

Proving identity in the cloud is like trying to find out how you got the flu when you were in a crowded room. It may not be possible, however there are some interesting attempts:

Verizon has the VZID that integrates with specific SaaS Apps so that you can prove at least that the Verizon phone or device is allowed to access the data, but is it very hard to prove that the phone is not in the hands of the proper person. The phone ends up being ‘what you have’ and the password is ‘what you know’. So two factors of authentication, but the phone is the weakest link as is the possibility of a weak password on the phone.

RSA introduces the Trust Cloud that is a SaaS to provide identity management, but unlike Verizon, is not tied to a phone or Verizon device but to any of the factors of authentication. In essence, the Trust Cloud sits between the user and the cloud service to provide multifactor authentication and strong single-sign on capability via TriCipher and other RSA technologies.

However, Trust Cloud would need to be adopted by all the other clouds out there to make it useful. If for example, Google does not adopt Trust Cloud then the functionality is seriously hampered and would not be able to prove identity within the Google Cloud. Trust cloud is backed by the Cloud Security Alliance which will be a big boost for the technology.

Identity in the cloud is the next big issue to solve, as it will be increasing important to know beyond  a shadow of a doubt that a particular person was the last person to edit a Google doc (for example). As more and more companies move to using google docs know who or even what editing a document is extremely important. At the moment, this is just like determining who gave you the flu in a crowded room.

Posted in SDDC & Hybrid Cloud, SecurityTagged , , ,