Spread-out organisations using cloud constructs may have to share information across continents, and this need for sharing creates security imperatives of its own. The identity of the persons sharing information needs to be captured and validated, and the organisation needs to satisfy itself that the sharing entities meet at least the minimum authentication requirements before allowing them to access or share the information. Where data is considered mission-critical, additional layers of authentication may be implemented to gain a greater degree of confidence in the identity of the entities accessing the information.
There are some best practices that are generally followed in the development of a layered authentication system for cloud computing. The factors generally used for authentication are often described as what you know, what you have, and what you are. When two factors are used, the authentication system is called “two-factor” authentication, and when all three factors are used, the system is known as “multi-factor” authentication.
What You Know
“What you know” is the user name and password. The type of user name and password used may be dictated by the policy of the organisation. The user name may be required to be of a specified length, say eight or ten characters. The password may have to include numbers, symbols, and upper- and lower-case characters that together reach a specified length. The password cannot be a dictionary word or the same as the user ID. Some organisations may enforce expiry of the password within a specified period of 60 or 90 days. Users cannot reuse a previous password. The password is not displayed to the user when it is entered.
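The rules listed above map directly onto a policy check that runs when a user picks or changes a password. The following is an added example, not code from the original text: it enforces a minimum user-name length, the character-class and length rules, the dictionary and user-ID checks, password history (compared against salted PBKDF2 digests rather than stored plaintext), and the expiry window. The specific thresholds (8-character user name, 10-character password, 90-day expiry) and the tiny dictionary are assumptions chosen for the example.

```python
import hashlib
import hmac
import os
import re
from datetime import date, timedelta

# Policy parameters (assumed for this example; the text gives 8/10 characters
# and 60/90 days only as illustrative values).
MIN_USERNAME_LENGTH = 8
MIN_PASSWORD_LENGTH = 10
PASSWORD_MAX_AGE_DAYS = 90
PBKDF2_ROUNDS = 100_000
# Constructed stand-in for a real dictionary / known-weak-password list.
DICTIONARY_WORDS = {"password", "welcome", "letmein", "summer2024"}


def hash_password(password: str, salt=None) -> tuple:
    """Salted PBKDF2-HMAC-SHA256 digest, as kept in the user's password history."""
    salt = salt if salt is not None else os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def reuses_previous(password: str, history) -> bool:
    """True if the candidate matches any (salt, digest) pair in the history."""
    for salt, digest in history:
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        if hmac.compare_digest(candidate, digest):
            return True
    return False


def check_username(username: str) -> list:
    """Return the user-name policy rules that are violated (empty list = acceptable)."""
    problems = []
    if len(username) < MIN_USERNAME_LENGTH:
        problems.append(f"shorter than {MIN_USERNAME_LENGTH} characters")
    if not re.fullmatch(r"[A-Za-z0-9._-]+", username):
        problems.append("contains characters outside letters, digits, '.', '_' and '-'")
    return problems


def check_password(username: str, password: str, history=()) -> list:
    """Return every password policy rule that is violated (empty list = acceptable)."""
    problems = []
    if len(password) < MIN_PASSWORD_LENGTH:
        problems.append(f"shorter than {MIN_PASSWORD_LENGTH} characters")
    if not re.search(r"[0-9]", password):
        problems.append("no digit")
    if not re.search(r"[^A-Za-z0-9]", password):
        problems.append("no symbol")
    if not re.search(r"[A-Z]", password):
        problems.append("no upper-case letter")
    if not re.search(r"[a-z]", password):
        problems.append("no lower-case letter")
    if password.lower() in DICTIONARY_WORDS:
        problems.append("is a dictionary word")
    if password.lower() == username.lower():
        problems.append("same as the user id")
    if reuses_previous(password, history):
        problems.append("reuses a previous password")
    return problems


def password_expired(last_changed, today) -> bool:
    """Expiry rule: a password older than PASSWORD_MAX_AGE_DAYS must be changed.

    Accepts date objects or ISO-8601 strings such as "2024-01-01".
    """
    if isinstance(last_changed, str):
        last_changed = date.fromisoformat(last_changed)
    if isinstance(today, str):
        today = date.fromisoformat(today)
    return today - last_changed > timedelta(days=PASSWORD_MAX_AGE_DAYS)


if __name__ == "__main__":
    import getpass
    # getpass reads the password without echoing it to the terminal,
    # which is the "not displayed when entered" rule from the policy.
    user = input("user name: ")
    pw = getpass.getpass("password: ")
    print(check_username(user) + check_password(user, pw))
```

Returning the full list of violations, rather than stopping at the first, lets the enrolment screen tell the user everything that needs fixing in one round; keeping history as salted slow-hash digests means a leaked history table does not hand out the user's old passwords.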
What You Have
“What you have” may be a token or smart card issued by the organisation to the individual employee. The token or smart card may contain network information, user information, positive device identification, user profiling, or challenge/response questions that identify the user. This type of second-level authentication is very dynamic and gives the organisation the leeway to use a variety of mechanisms in accordance with its needs or the level of the personnel being authenticated.
What You Are
“What you are” is biometric authentication. The user’s fingerprint or iris scan is enrolled in the authentication database in advance. The user’s fingerprint or iris scan is then matched against the stored data before the user is authenticated and permitted access.