Cloud is a great thing to have: an endless source of computing power at anyone’s fingertips, a relentless workhorse on which to offload nearly any task, at any time and from anywhere. But as with basically anything in the IT landscape, cloud is not a silver bullet for everything, and your corporate identity might be one such case, as the recent Azure MFA downtime demonstrates.
One’s corporate identity is not a task, an operation or a process, and least of all is it something that intuitively needs to be offloaded or made accessible from anywhere on the globe. On the contrary, one’s identity is a claim to something that is in one’s own possession (or the company’s possession) and under one’s own consent, and one might like to ensure that the claim stays relatively put, in one place. As old-school as that can sound in this era of cloud computing.
The Azure hiccup was not a breach, and none of the impacted identities leaked out, but the path to what happened was the same as if there had been a breach: claims on one’s identity were not in one’s own possession, but offloaded to a third party, in this case Microsoft. The provider simply got congested. That said, Microsoft is a trustworthy provider, but what the downtime demonstrated is that offloading your identities, however convenient, is still equivalent to entrusting your company’s employee keys to your corporate janitor or receptionist. With trust, the arrangement will work great, until the day the receptionist or janitor gets stuck on a bus in congested traffic. How old-school a problem that then sounds.