The increasing deployment of software applications to service-based environments, such as Software as a Service (SaaS), Infrastructure as a Service (IaaS), Platform as a Service (PaaS) and cloud computing environments, places a greater burden on application owners and service providers to ensure that applications meet compliance requirements and to demonstrate such compliance. Compliance requirements can be many and varied and can originate from, inter alia, legal or regulatory requirements, application owner requirements, technical requirements, compatibility requirements and service level agreement requirements.
In particular, authentication—also known as identity checking—as part of access control for restricted resources associated with cloud computing services is increasingly complex due to a number of factors affecting the implementation, acceptability, reuse, configuration and policy compliance of authentication mechanisms. Consequently, cloud computing services define comprehensive authentication schemes specifying authentication requirements for users seeking access to cloud computing resources. For example, financial services cloud computing resources can be secured by a multi-factor authentication scheme, such as a two-factor scheme requiring a hardware token identifier coupled with a shared secret. Further, compliance requirements for authentication can vary depending on user context. For example, users accessing a cloud computing resource from a fixed terminal over a secure connection require authentication with a first level of assurance, while users accessing the resource from a mobile terminal, such as a mobile telephone, can require authentication with a second level of assurance.
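As an added illustration of the context-sensitive scheme described above (example code, not part of the patent text), the following Python sketch lets each service sharing an authentication facility register its own context rules, derives the required level of assurance from the caller's context, and checks the factors actually presented against it. The service names, rule format and factor labels are assumptions.

```python
from dataclasses import dataclass
from enum import IntEnum
from typing import Optional

class Assurance(IntEnum):
    LEVEL1 = 1  # single factor, e.g. a shared secret (password)
    LEVEL2 = 2  # two factors, e.g. hardware token plus shared secret

def achieved_assurance(factors: set[str]) -> Optional[Assurance]:
    """Map the factors a caller presented to the assurance they establish."""
    if {"shared_secret", "hardware_token"} <= factors:
        return Assurance.LEVEL2
    if "shared_secret" in factors:
        return Assurance.LEVEL1
    return None

@dataclass(frozen=True)
class Context:
    terminal: str          # "fixed" or "mobile"
    secure_channel: bool   # True when the connection is protected (e.g. TLS)

@dataclass(frozen=True)
class Rule:
    terminal: Optional[str]         # None matches any terminal type
    secure_channel: Optional[bool]  # None matches any channel
    required: Assurance

    def matches(self, ctx: Context) -> bool:
        return ((self.terminal is None or self.terminal == ctx.terminal) and
                (self.secure_channel is None or self.secure_channel == ctx.secure_channel))

# Constructed policies (hypothetical service names): each service sharing the
# facility registers its own rules, evaluated in order; the first match wins.
POLICIES: dict[str, list[Rule]] = {
    "financial-services": [Rule(None, None, Assurance.LEVEL2)],  # always two-factor
    "document-store": [
        Rule("fixed", True, Assurance.LEVEL1),   # fixed terminal over a secure channel
        Rule(None, None, Assurance.LEVEL2),      # anything else, e.g. a mobile terminal
    ],
}

def required_assurance(service: str, ctx: Context) -> Assurance:
    """Return the assurance level the service's own policy demands in this context."""
    for rule in POLICIES.get(service, []):
        if rule.matches(ctx):
            return rule.required
    raise LookupError(f"no rule for {service!r} in context {ctx}")  # fail closed

def is_compliant(service: str, ctx: Context, factors: set[str]) -> bool:
    """True only when the presented factors reach the level the policy requires."""
    achieved = achieved_assurance(factors)
    return achieved is not None and achieved >= required_assurance(service, ctx)
```

A shared facility that hard-coded a single assurance level would either over-burden the document store's fixed-terminal users or under-protect the financial service; keeping the rules per service is what lets one facility serve both.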
Context-based authentication is known. US Patent Publication No. 2007/0079136A1 describes methods and systems for performing authentication based at least in part on the context of a transaction. Further, European Patent Publication No. EP1603003A1 describes a method of authorizing a user in communication with a workstation using different methods for authorization depending on combinations of user data and workstation data, such as the geographic location of the workstation.
However, a mechanism for providing such context-sensitive authentication in an environment where authentication facilities are shared, such as a cloud computing environment, is not known from the art. In a cloud computing environment an authentication facility cannot be configured in a "one size fits all" manner, and the context-sensitive approaches of the prior art cannot simply be applied to such environments.
The concerns affecting authentication in cloud computing environments become more complex where multiple services (potentially delivered on behalf of disparate and possibly competing organizations) share the environment, each with its own authentication and security compliance requirements and its own authentication contexts.
Thus it would be advantageous to provide for compliant authentication of users requesting access to restricted resources of services executing in cloud computing environments with shared authentication facilities.