Cloud services offer ready-to-use solutions for many things, including for authentication. It can be quite expensive and time-consuming for organizations to purchase and manage authentication and management systems. Authentication as a Service is both a simpler and more economical solution for identity management. This article will be useful for developers who are considering implementing AaaS as well as for those who are working on their own AaaS solution.
Authentication is the weakest part of cloud security. The largest number of attacks targeting cloud services are performed by compromising user credentials. Fortunately, single sign-on solutions for the cloud, known as Authentication as a Service, bring the benefits of SaaS to authentication management.
Authentication as a Service (AaaS) provides authentication services like multi-factor authentication, single sign-on, and password management in the cloud. With Authentication as a Service, organizations can control access to their applications and servers from various devices and networks. AaaS enables organizations to track password usage, comply with strict password requirements, and provide employees with a secure way to log in to resources. AaaS ensures a high level of security as it’s based on security standards including OAuth, WS-Federation, and Security Assertion Markup Language (SAML). Due to this, AaaS can protect from different attacks on authentication procedures, such as man-in-the-middle, denial of service (DoS), and brute force. Let’s look closer at how AaaS improves the authentication process. AaaS is also sometimes referred to as Identity as a Service or Directory as a Service.
AaaS providers and their customers are both concerned about a high level of security. Different AaaS providers try to develop their own unique solutions for cloud service authentication. Though the architecture may vary depending on the presence of different security features, the key aspects of Authentication as a Service remain the same across providers. A typical AaaS architecture consists of the following components:
- Identity Management (IdM) — This includes mechanisms for managing user accounts within the system. IdM is designed to create user accounts, control access to cloud services, and de-provision accounts when users leave cloud services. Identity management is necessary to simplify the user provisioning process, collect user sessions, and ensure access to cloud services.
- Authentication strategy — Each AaaS provider can choose a different authentication mechanism for their solution, but the main goal is to confirm the identity of the user.
- Authorization and access control — After the user confirms their identity, an AaaS provider uses authorization and access control to determine what the user is authorized to do. Access control can also limit the number of cloud resources and services that the user is authorized to access. This is especially important for enterprise environments where employees have different duties and responsibilities. An authorization service is designed to evaluate an authorization query, collect data about the user and the resources, and determine if access should be granted or denied.
- Security policy management — This includes such important security components as the service-level agreement (SLA), password policy, auditing, and monitoring of the device. AaaS providers record all security operations based on the user identity in order to properly audit service access or data management. The SLA is agreed between customers and service providers in order to define the basis for interoperable authentication or identity management solutions.
- Key and certificate management — AaaS providers offer encryption keys and certificates in order to protect access to cloud services. However, there’s a major concern about the safety of the location where credentials are stored. If a provider offers to use the cloud service for storing encryption keys, the data owner who deposits the key should be aware of how that key can be retrieved. AaaS providers try to establish the necessary key protection to prevent any unauthorized access to keys. Centralized management of keys and certificates is designed to store any security object, prevent unauthorized access to critical data and systems, and enforce policies on retrieval or relocation of encryption keys and certificates.
- Fraud and anomaly detection — AaaS providers collect information about a user’s actions in the cloud in order to establish a baseline user profile. This includes historical data such as information about past user transactions, device authentication, and IP addresses, which is further used by the system to detect anomalies in user behavior. Fraud detection services are based on customized rules and can detect patterns associated with crimes in real time.
AaaS is based on single sign-on (SSO) that’s adapted for the cloud. SSO is an authentication process that requires the user to enter a username and password that’s stored on a dedicated SSO policy server. User authentication in an SSO system provides access to other applications and systems. Thus, if hackers crack the database of the SSO server, they can get access to multiple cloud services and applications.
To ensure a secure authentication in the cloud, AaaS providers implement different authentication methods. Authentication is mainly based on three principles:
- What the user knows
- What the user has
- Who the user is
Taking into consideration these principles, AaaS providers use one or two methods listed below in their authentication strategies:
- Single-factor authentication is based on a username and password that is known only to the user and the cloud provider. To access cloud services and data with this authentication method, a cloud user must enter their username and password. This authentication method is now considered the weakest as a user’s credentials can easily be stolen, leading to data breaches.
- Two-factor authentication uses two means of authentication such as a physical token and a security code.
- Graphical authentication requires the user to select an image in the graphical user interface.
- Public-key infrastructure (PKI) uses a pair of keys for encrypting and decrypting the content. While the public key is available to everyone, the private key is known only to the user, who uses it to confirm their identity. PKI is mainly used with security protocols such as SSL/TLS and SSH.
- A trusted computing group consists of a set of properties to measure, store, and report software and hardware comprehensiveness via a Mobile Trusted Module (MTM) or Trusted Platform Module (TPM).
- Social authentication uses login information for a social network service to sign in to a cloud-based application instead of creating a new login account.
- One-time authentication uses a password that’s valid only for one login session in the cloud. It’s usually applied as one method in two-factor authentication and requires access to something that a user has, like a mobile phone or a smart card.
- Biometric authentication is a way of confirming identity that is based on something that a user knows or some characteristic of the user. Thus, there can be both physical and behavioral biometric data.
Physical biometrics are physical characteristics of a user that are unique for each person. There are several physical biometric authentication techniques that can be used in AaaS:
- Fingerprint scanning
- Hand scanning
- Retina and iris scanning
- Voice authentication
- Facial scanning
Behavioral biometrics refers to user behavior. This authentication method identifies cloud users according to their actions in previous sessions as well as their location, devices, profiles, and so on. Two important types of behavioral biometrics are keystroke patterns and signatures.
AaaS systems should ensure the privacy of sensitive and private data as well as the confidentiality of cloud users. Confidentiality in the cloud is achieved by applying different cryptographic algorithms along with encryption and decryption procedures, certificates, hashing, digital signatures, and key exchange management. Only all these measures in combination can ensure confidentiality in a cloud environment. Below, we discuss protocols and encryption algorithms that are used in AaaS for authentication and authorization.
The following protocols can be applied for user authentication in the cloud:
- LDAP authentication — The Lightweight Directory Access Protocol (LDAP) is the most widely used directory services protocol for cloud and web applications. This protocol provides a mechanism necessary for connecting to, searching, and modifying web directories. The LDAP directory service is based on a client-server model. While most organizations store their sensitive data on an LDAP server, AaaS providers delegate authentication to an existing directory so that an organization can retain control over users.
- SSH authentication — The SSH protocol provides organizations with an opportunity to control authentication on Linux-based servers. When AWS and Google Compute Engine utilizes as an organization’s infrastructure, it’s critical for organizations to have control over user access to corporate devices.
- SAML-based authentication — The Security Assertion Markup Language (SAML) protocol is also commonly used for web-based applications. SAML-based authentication is used by AaaS providers for allowing users to access multiple applications, services, or websites from a single login process. Identity and authentication levels are shared across different systems and services using the SAML protocol to request, receive, and format data.
- REST APIs — The REST protocol is used to deliver authentication for internally developed applications. It eliminates an organization’s need to develop their own user store, as IT teams and developers can leverage a third-party service to manage both internal and external users of an application.
- Extensible Authentication Protocol — EAP is implemented for user authentication in the cloud. It’s used to transport user credentials for various authentication methods to the authentication server.
- Kerberos protocol —This is a network authentication protocol that uses tickets to allow network computers to securely communicate over a non-secure network to confirm a user’s identity. Each ticket is time stamped and encrypted by a key distribution center. Kerberos is based on a client-server model and lets the user and the server verify each other’s identity.
An authentication algorithm should include different cryptography techniques to ensure the security of data in the cloud system. In AaaS systems, the following algorithms are used for encryption:
- The RSA algorithm is used in PKI to provide a pair of keys for securing communication between the user and the server. While logging in, the system sends a password request to the user that’s encrypted with the user’s public key. To decrypt the request, the user applies their private key. Similarly, when the system receives an encrypted file from the user, it can decrypt it using its private key.
- The AES algorithm & MD5 hashing algorithm are used for encrypting files with randomly generated keys. These keys are also used for decrypting users’ files. One key is used for encrypting and decrypting only one file. After file decryption, the key isn’t used further. Each key is stored in the server’s database along with the user’s account name. An MD5 hashing algorithm is used for encrypting the user’s account name before it’s added to the database.
- An OTP password algorithm is used to provide the user with a one-time password (OTP). The user can authenticate in the system using this password only once. The password is sent to an authorized email address or texted to a phone number so that only an authorized user will be able to connect to the cloud.
- A Data Encryption Standard (DES) algorithm is a type of algorithm that uses symmetric key encryption. This means that only a single key is used for encryption and decryption. The algorithm uses a dynamic key generator in order to create unique keys at high speed and with reduced logical complexity.
- A Rijndael encryption algorithm is also a form of symmetric key encryption that’s used to save sensitive data in the cloud. It was designed to replace the aging DES algorithm. Like DES, Rijndael uses an iterated block cipher that encrypts and decrypts data with a number of transformation rounds.
The market of AaaS providers is rapidly increasing, but we want to show you the most successful AaaS solutions:
- Google Cloud Identity is a user management platform for Google Apps that also offers single sign-on for certain websites and integration with other cloud-based and on-premise directories.
- IBM Cloud Identity Verify includes Authentication as a Service, which allows users to enroll in various forms of secondary authentication factors. Application developers can use the service’s exposed interfaces to challenge users to perform two-factor authentication.
- Azure Active Directory is Microsoft’s cloud-based directory and identity management service. It provides a single sign-on option for developers to deliver access control to their applications based on a centralized policy and rules. Azure Active Directory unites application access management, main directory services, and identity protection into a single solution.
- Amazon AWS SSO is a cloud-based single sign-on service that’s designed to centrally manage SSO access to all of a user’s AWS accounts and cloud business applications that support Security Assertion Markup Language (SAML) 2.0. It also provides a user portal where users can find and access all of their assigned accounts and applications from one place using their existing corporate credentials.
- Microsoft Active Directory (MAD) is a collection of services to manage user access to Windows devices and applications. Active Directory allows IT admins to control permissions to services and user actions. In addition, Active Directory enables single sign-on to internal Windows-based resources. When a user logs on to a device that’s connected to the network, it provides users with access to network resources. For authorization, Active Directory uses LDAP, Kerberos, and DNS.
Authentication as a Service is a new approach to identity and access management that leverages cloud computing resources. Saving an organization’s time and money, AaaS solutions bring the benefits of SaaS to authentication management. To ensure secure authentication in the cloud, AaaS providers use various authentication methods along with encryption algorithms and protocols. The Apriorit team has vast experience in developing various authentication methods, so we can share our expertise to help you implement or develop your own AaaS solution.