Administrators charged with deploying Virtual Private Networks (VPNs) for their organizations must select appropriate authentication mechanisms to protect the VPN connections. The VPN gateway must listen for incoming user requests, authenticate the users, and establish a secure session for user interaction over the network. If the number of VPN connections is small, a software-based authentication mechanism may suffice. If the number of connections is large, or the data reached through them is sensitive, both hardware-based and software-based authentication may be required.

User authentication for the Cloud is not very different from authentication for other kinds of VPN. The main difference is that the transport is the public Internet, so the security requirements are more critical: every connection attempt, including an attacker's, arrives over the same path as a legitimate user's. The service may also have to handle many more simultaneous requests, and the authentication servers must support many concurrent users. Both hardware and software mechanisms may have to be combined to reach the required level of assurance.

As a result, multi-factor authentication is becoming fairly common for customized Cloud access. The practice relies on three kinds of factor: something you know, something you are, and something you have. Two-factor authentication combines a user ID and password (something you know) with a second, independent form of verification, such as biometric verification (something you are) or a smart card, USB security key or one-time-code token (something you have). Two checks of the same kind, for example a password plus a security question, do not count as two factors.

User IDs and passwords are pre-defined according to enterprise policy and have specified strength requirements. Password-only authentication may suffice if data is accessed only from within the enterprise network and no external devices can connect to the enterprise servers; even then it remains exposed to phishing and to reuse of credentials leaked elsewhere. Administrators sometimes set the initial password equal to the user ID. That is a weak default: an initial password should be random and short-lived, and the user must be forced to change it at first login.

Enterprises that allow their employees to bring their own devices, or to reach enterprise databases from external devices, should require two-factor authentication. After entering the user ID and password, users must present the smart card issued to them, offer a fingerprint, submit to an iris scan, or enter the code from a token before access to the database is granted. If the second factor fails, the user is denied access even though the password was correct.
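The two-factor check described in the preceding paragraphs (a password as the factor the user knows, a token-generated one-time code as the factor the user has, and access denied unless both pass), as an added example that is not part of the original text. It uses a time-based one-time password (TOTP, RFC 6238 over HMAC-SHA1) as the token factor and salted PBKDF2 for the stored password. The user record layout, the user name, the policy constants and the in-memory storage are assumptions made for this illustration; a real deployment keeps the record in a directory or database and provisions the TOTP secret to the user's token or authenticator app out of band.

```python
import hashlib
import hmac
import os
import struct
import time
from typing import Optional

# Policy constants assumed for this example (RFC 6238 defaults for the TOTP parameters).
TOTP_STEP = 30          # seconds per time step
TOTP_DIGITS = 6
TOTP_SKEW = 1           # accept one step either side to tolerate clock drift
PBKDF2_ROUNDS = 200_000


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; only this digest is stored, never the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def totp(secret: bytes, now: int, step: int = TOTP_STEP, digits: int = TOTP_DIGITS) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the time counter, then RFC 4226 dynamic truncation."""
    counter = now // step
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (
        (mac[offset] & 0x7F) << 24
        | mac[offset + 1] << 16
        | mac[offset + 2] << 8
        | mac[offset + 3]
    ) % (10 ** digits)
    return str(code).zfill(digits)


def register_user(username: str, password: str) -> dict:
    """Constructed in-memory user record (assumed layout; not a real directory entry)."""
    salt = os.urandom(16)
    return {
        "username": username,
        "salt": salt,
        "pw_hash": hash_password(password, salt),
        "totp_secret": os.urandom(20),   # shared with the user's token/app out of band
        "last_otp_counter": -1,          # highest accepted TOTP counter, for replay rejection
    }


def authenticate(record: dict, password: str, otp: str, now: Optional[int] = None) -> tuple:
    """Two-factor check. Both factors are evaluated on every attempt and the caller only
    sees a generic failure, so a wrong password and a wrong code are indistinguishable."""
    now = int(time.time()) if now is None else now

    # Factor 1: something you know. Constant-time comparison of the stored digest.
    pw_ok = hmac.compare_digest(hash_password(password, record["salt"]), record["pw_hash"])

    # Factor 2: something you have. Try the current step and TOTP_SKEW steps either side.
    matched_counter = None
    if otp.isascii() and otp.isdigit() and len(otp) == TOTP_DIGITS:
        for delta in range(-TOTP_SKEW, TOTP_SKEW + 1):
            t = now + delta * TOTP_STEP
            if hmac.compare_digest(totp(record["totp_secret"], t), otp):
                matched_counter = t // TOTP_STEP
                break
    # A code is single-use: a counter at or below the last accepted one is a replay.
    otp_ok = matched_counter is not None and matched_counter > record["last_otp_counter"]

    if not (pw_ok and otp_ok):
        return False, "authentication failed"
    record["last_otp_counter"] = matched_counter   # consume the code only on success
    return True, "ok"


if __name__ == "__main__":
    user = register_user("alice", "correct horse battery staple")   # assumed sample user
    code = totp(user["totp_secret"], int(time.time()))
    print(authenticate(user, "correct horse battery staple", code))   # (True, 'ok')
    print(authenticate(user, "correct horse battery staple", code))   # replay is refused
```

Two design points matter here. The password digest is compared even when the one-time code is already known to be wrong, and vice versa, so the response time and the error text do not tell an attacker which factor they got right. The accepted counter is recorded only after a fully successful login, so a code captured from a failed attempt cannot be replayed later, while a correct code typed a few seconds late is still accepted within the skew window.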

Introducing stronger authentication in the enterprise is not an easy task. Biometric authentication may be perceived as intrusive by employees, and device-based authentication is exposed to theft or loss of the device, so a process for revoking and re-issuing credentials is needed. The nature and strength of the authentication required should be determined by the criticality of the data the employee is accessing.