SAML is the answer to cloud security woes
There was a big turnout for the session on cloud security on the opening day of the RSA Europe 2011 conference held in London this week. The subject is clearly on a lot of people’s minds.
One of the biggest challenges in the cloud is strong authentication of users, a subject that has long preoccupied one of the panellists, Paul Simmonds, a founding member of the Jericho Forum, and a former CISO at ICI and Astra Zeneca. He began by issuing a question to the audience, “How many of you use SAML assertions?”
Just two hesitant hands rose up from the large crowd.
“Who knows what SAML assertions are?” A couple more hands went up.
SAML - the Security Assertion Markup Language - is a basic building block of single sign-on, and a means of allowing a user to sign on to multiple systems without needing to remember a load of different passwords. And Simmonds is a very strong advocate of the standard, and is keen to promote it to cloud service providers.
The prime reason is that we are already drowning in passwords. As he says, whether collaborating in the cloud or directly with third parties, companies need to be able to rely on strong identities. And SAML assertions provide a standard approach to making it happen.
His advice to all was to start by using SAML for internal systems to provide users with SSO. “Astra Zeneca was one of the most well integrated of organisations I know for SSO, but we still had a lot of corporate systems that required different IDs,” he said. “If you can’t manage this issue internally, you won’t manage it out in the cloud.”
So his big message for all the audience, when they returned to their offices, was to ask why they were not using SAML already. By adopting the standard internally, corporate systems would work more securely, he said, and companies would also be better prepared to move systems out to the cloud.
“If cloud suppliers have a groundswell of demand for SAML support, they will provide it, and it will help deliver a single strong identity,” Simmonds said. Salesforce offers it now, and so does Google Apps, so there seems to be a momentum building that will continue if customers demand it.
Other tips from the session:
* Avoid vendor lock-in. Check you can get your data out if you hit problems with the cloud service supplier. “The first rule of outsourcing is to have an exit strategy,” said Simmonds.
* Check the Cloud Security Alliance’s new Security, Trust & Assurance Registry (STAR). The CSA is building a global registry of vendors to gather basic information about them. This will allow customers to check what they do. Panellist Chris Hoff, chief architect at Juniper Networks, said it was a pragmatic approach to the problem. “We are trying to get them all to sign up, and it means that customers can demand to see their STAR registry listing,” he said.
Posted: October 13th, 2011 under Uncategorized.