Tuesday, January 05, 2010

Does Cloud = Claims?

Laura Hunter (Microsoft), Pam Dingle (Ping) and Patrick Harding (Ping) have been talking about synchronizing passwords to the cloud. Laura’s post, "Syncing Passwords to the Cloud: Sign of the Apocalypse?" was kicked off by Patrick’s “Grounding Enterprise Passwords” and Pam’s “Kick Me for Cloud” posts. As Patrick states:
We are hoping that we can convince everyone that pushing Enterprise passwords into the cloud is a bad idea and in our opinion is certainly not a security ‘best practice’.

I agree. Definitely not a best practice, but since when has best practice ever had anything to do with the way software is developed? Entropy is in charge out there, and whatever is the easiest way to do something will, in many (most?) cases, result in the easiest route through the compiler. Syncing passwords versus using a claims-based model is simply bound to happen. Hmmm, doesn't Microsoft's own BPOS require a separate, non-claims-based password for access? Yes, I realize they are fixing that in BPOS next, but just the same, some kind of business necessity pushed them to throw claims to the wayside. Why do ADP or Fidelity require password access rather than claims? Why doesn’t my company (Quest Software) want to use claims to access these services for their employees? Entropy, plain and simple – it’s “easier”.

I suspect that there will be claims-based and non-claims-based methods of accessing cloud apps – unfortunately. Either way, I sure hope that companies consider stronger authentication (two-factor, one-time password, etc.) to protect those claims and passwords!
