This is a talk by Karen Lu, a Gemalto scientist. She has shown that the number of APIs available for building cloud apps is growing exponentially, with over 7000 APIs available today. Since APIs are the way to access cloud resources, they must be adequately protected. When a client uses an API, it has to authenticate on every access, using a variety of means, usually based on a secret and some cryptography.
The next question is: how does a cloud user get a secret? Typically, the secret comes from the cloud provider’s management console, where the key can be copy-pasted into the customer’s computer. However, this key is linked to billing, and it is of course the customer’s responsibility to protect it. Managing this key is a challenge for cloud users, because there is a difficult trade-off to find between usability and protection of these keys.
Of course, smart cards and other secure elements can be a solution. At least, smart cards are a really nice way to store the key securely when it is not in use. However, they do not address the full trade-off.
Karen proposes a way for end users to use a secure element that will sign all requests on behalf of an application before sending them to the cloud. This technique works perfectly to secure console access, making sure that a cloud application provider can protect its resources from attackers.
What about end users? They are not going to get smart cards. In that case, they could use a Cloud Access Security Broker, sitting between the end users/devices and the cloud. For instance, Amazon offers a service in which end users authenticate to Amazon Web Services with strong authentication, and are then issued a temporary key for accessing resources. This key still needs to be protected, but less so.
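As an added illustration (not from the talk or from this post) of the per-request authentication described above: a signer that keeps the secret and only releases a MAC over a canonical form of each request, and the provider-side check that verifies it and also enforces the expiry of a temporary credential. The header names, canonical layout, key ids and secrets are all constructed for this example.

```python
import hashlib
import hmac
import time
from dataclasses import dataclass

@dataclass
class Credential:
    key_id: str
    secret: bytes
    expires_at: float  # Unix time; float("inf") models a long-lived console key

def canonical_request(method, path, body, key_id, timestamp):
    """Fixed byte layout so client and verifier MAC exactly the same input."""
    body_hash = hashlib.sha256(body).hexdigest()
    return f"{method}\n{path}\n{key_id}\n{timestamp}\n{body_hash}".encode()

class RequestSigner:
    """Holds the secret and only ever releases signatures (the secure element's role)."""

    def __init__(self, cred):
        self._cred = cred

    def sign(self, method, path, body, now=None):
        ts = str(int(time.time() if now is None else now))
        msg = canonical_request(method, path, body, self._cred.key_id, ts)
        mac = hmac.new(self._cred.secret, msg, hashlib.sha256).hexdigest()
        return {"X-Key-Id": self._cred.key_id, "X-Timestamp": ts, "X-Signature": mac}

def verify(headers, method, path, body, lookup, now=None, max_skew=300):
    """Provider side: resolve the key id, enforce expiry and freshness, check the MAC."""
    now = time.time() if now is None else now
    cred = lookup(headers.get("X-Key-Id", ""))
    if cred is None:
        return False, "unknown key id"
    if now > cred.expires_at:  # temporary (broker-issued) keys stop working here
        return False, "credential expired"
    try:
        ts = int(headers["X-Timestamp"])
    except (KeyError, ValueError):
        return False, "missing or malformed timestamp"
    if abs(now - ts) > max_skew:  # bounds replay of a captured request
        return False, "timestamp outside replay window"
    msg = canonical_request(method, path, body, cred.key_id, str(ts))
    expected = hmac.new(cred.secret, msg, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, headers.get("X-Signature", "")):
        return False, "bad signature"
    return True, "ok"
```

The secret never leaves `RequestSigner`; what travels with the request is only the key id, a timestamp and the MAC, which is the property the secure element (or the broker's temporary key) is meant to give.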
Not sure I understand how this works in the case where a single Amazon user wants to use applications from several application providers. Do they get several temporary keys? I didn’t have the opportunity to ask the question live, but I’ll try to get an update.
Whatever, we get the same issue as in the panel: the technical answers cover very small parts of cloud security. The interesting part of cloud security is the hard problems of privacy and data protection, but the solutions are often about authentication. Authentication is useful to defend application providers against attacks (one side of security), but not very good at protecting users against rogue application providers (the hard side of cloud security).