Moving Kerberos to the Cloud?
Thomas Hardjono
hardjono at MIT.EDU
Thu Dec 8 09:38:05 EST 2011
> -----Original Message-----
> From: kerberos-bounces at MIT.EDU [mailto:kerberos-bounces at MIT.EDU] On
> Behalf Of Russ Allbery
> Sent: Wednesday, December 07, 2011 8:05 PM
> To: kerberos at mit.edu
> Subject: Re: Moving Kerberos to the Cloud?
>
> tareq.alrashid at case.edu writes:
>
> > The higher ups asked: Feasibility of moving the University’s MIT
> > Kerberos authentication critical service infrastructures to the
> > Cloud?
>
> > Has any of the Higher-Education institutions out there done or
> > thought about doing this, and how feasible was it.
>
> It's completely feasible in the sense that a shotgun will successfully
> blow your foot off with very little extra effort.
>
> Your authentication service, when compromised, provides unfettered
> access to absolutely everything you run. We won't even virtualize it,
> let alone move it into the cloud. It needs to be run in the most
> secure environment that you can possibly find and as isolated as
> possible from everything else.
>
> --
> Russ Allbery (rra at stanford.edu)
> <http://www.eyrie.org/~eagle/>
Russ is absolutely correct. This is also the reason why many Enterprises do not wish to run their mail-servers in the cloud. The legal situation regarding third parties (i.e. cloud providers) and their responsibilities/liabilities in handling their customers' infra & data remains untested and unclear.
P.S. Yes, technically running your KDCs in the cloud (either as a SaaS or PaaS) is definitely feasible.
/thomas/