Securing the Cloud

Identity management (IdM) is the complex and constantly evolving practice of identifying individuals and controlling their access to a network and connected resources. IdM research focuses primarily on making systems secure while the quality of the user experience is largely ignored. This article explores reasons why creating a user-centric IdM paradigm has become necessary, discusses existing efforts to make IdM more user centric, and presents one possible implementation of user-centric IdM that, in theory, could leverage mobile devices. A Future Vision for IdM However, computer users have bigger worries. Password theft plays a less significant role in identity theft than phishing and keylogging [3], and viruses, worms, malware, and other malicious software continue to increase [4]. Aspiring thieves who do not have the technical skills to perform attacks themselves can buy malware that others have created [4, 5]. And the Stuxnet worm has shown that cyber-attacks can be powerful enough to be used as weapons of international espionage or even war [6, 7]. Despite lack of expertise in security and IdM, users are often the first (and sometimes the only) line of defense against ever more dangerous forms of attack, such as: • Wifi hacking [8, 9] • Compromised personal devices and infrastructure systems [10, 11] • Social engineering [2, 3, 12] • Cookie sniffing [13, 14] • Timing attacks [15] • Man-in-the-middle (MITM) attacks [16, 17] • Insecure websites [2] • Broken encryption attributed to GPU (graphics processing unit) [18] and quantum computing attacks [19] Most users find these problems too complex to manage [17]. As a result, many ignore security advice or engage in poor practices such as using simplistic passwords or writing passwords on pieces of paper near their computers [20, 21]. While the security community belittles users for these approaches [14], some security experts state that this behavior is not only predictable but also rational, given the overwhelming amount of security advice that users receive [3, 10, 22, 23]. Clearly, average users lack the knowledge and skills needed to manage their own security. To resolve this dilemma, a radical shift must take place in IdM research. New directions in IdM research must meet the challenge for improved security by addressing a growing number of threats while reducing security demands on the user. The user-centric IdM model proposed in this article provides a potential solution. Changing the Game with User Centricity Because many users lack sufficient knowledge to manage their own online identity, any viable IdM strategy has three goals: 1. Improved Threat Resilience: Increase the capability of users to resist threats. 2. Improved Credential Management: Improve the capabil ity of users to manage an arbitrary number of credentials. 3. Reduced User Load: Decrease the knowledge and effort required of users to resist threats. Unfortunately, these goals tend to be contradictory. The typical approach to improving the security of a system addresses threats individually, which tends to increase system complexity and restrictions on user access and require more skills and knowledge of the user to ensure safe behaviors. Moreover, each system addresses problems in different ways, which leads to unique IdM requirements for each system with which a user interacts. Thus, the goal of increasing threat resilience overrides the user-based goals of improving credential management and reducing user load. User-Centric Identity Management