This article originally appeared in the Dec. 2011 issue of INTERNET TELEPHONY.

A recent survey reported that 70 percent of CIOs consider security a critical component of  any reliable cloud deployment. That same survey, however, also stated that almost 26 percent of the same respondents are moving some amount of their corporate data into the cloud today.

Those are interesting numbers, and it is possible that those two data points are mutually exclusive. Maybe those 70 percent who are concerned with security aren’t moving any data into the cloud, and maybe the 26 percent who are moving data aren’t concerned with cloud security at all. I highly doubt that the market is that black and white, however, and there’s probably a fair amount of overlap between those people who are concerned with security and those who are moving forward regardless.

It’s a bit ambiguous to throw a generic term out like cloud security and then begin to make market assumptions based on such an open term. Much like enterprise security throughout the data center, cloud security is made of many layers, unique challenges, and is heavily based on a wide spectrum of attack vectors. Enterprise IT still has to be concerned with data theft, application attacks, and DDoS attacks targeted at the network and the application layers in the cloud. But in our current market maturity level for cloud computing, cloud security typically only involves a few threats very specific to off-premises computing: how to authenticate and manage user access to cloud-based applications and how to ensure data privacy of applications and cloud storage. This month I would like to tackle user authentication.

When software-as-a-service first exploded in IT as a viable alternative to managing local applications, one of the first issues most IT organizations ran into was managing user authentication. Who owns and manages the user access database, and who manages it for updates? Very quickly the larger SaaS (News - Alert) providers began offering federated authentication, allowing IT to authenticate a user locally and then pass some type of token to the SaaS platform granting access to the application for that user. This immediately took the SaaS vendors out of the user management space and gave control back to the enterprise.

Federated authentication works extremely well for SaaS platforms because the user is accessing only one destination. Users who accesses e-mail as part of a SaaS deployment stops when they authenticate and reach their e-mail service, and likewise for IT; IT can set up federated authentication to one SaaS provider and then move onto the next one. That’s not true for most cloud computing solutions (as we think of cloud solutions today) because the cloud involves infrastructure; it’s an extension of our existing on-premises data centers. Authenticating a user to a cloud-based resource is analogous to authenticating users when they bring their laptop into the office and connect to internal resources. The difference, of course, is physical proximity: Users and their laptops in the office are physically connected to the same network providing internal resources. The off-premises cloud model breaks that proximity authentication scheme.

That’s not to say that cloud-based users can’t be authenticated and handled just like internal users, and even that physical security can’t also be extended and applied to resources in cloud. Federated authentication at the cloud infrastructure level is becoming a more prevalent option from cloud providers, but unfortunately it tends to be a bit more complicated. Many, if not most, provider-based federated authentication solutions typically either come as proprietary solutions or are tied to very sophisticated (read: confusing and hard to manage) cloud bridging solutions – technologies that transparently connect cloud resources to the on-premises data center. And this is where it gets a bit convoluted. Cloud connection and/or bridging solutions, including those provide by third-party vendors, are excellent for what they are and used when they’re needed, but they’re probably not best suited for solving every user authentication management issue. Relying on – and even requiring – the network to be re-architected just for user management is like bringing a machine gun to a wrestling match: It’s typically overkill.

A better solution is to look at the federated authentication model provide by SaaS vendors: use tools that are destination-based and focused at the application layer, rather than the network, to manage user access and authorization to cloud resources. It’s true that adding a token-based (or similar), application-focused federated authentication solution to your cloud platform may add more work, but at least it’s work that directly solves the problem and can be leveraged again and again between multiple cloud providers and even multiple data centers. There’s a time and a place for network- and infrastructure-level authentication, but it’s not always the best solution. Application-level federated authentication can help IT keep control over internal user assets without re-architecting the network for the cloud while retaining flexibility and control.

Alan Murphy is technical marketing manager of management and virtualization solutions with F5 Networks (News - Alert) (www.f5.com).