Two-factor authentication key to securing cloud
05 September, 2014
By Thomas Flynn, Vice President of Gemalto Identity and Access in North America
It’s been six years since the notable cloud service breach at Salesforce.com, when an employee surrendered a password in a phishing attack against the company. As a result, hackers were able to obtain the details of thousands of Salesforce customers, and then target them with a series of phishing emails that appeared to be from the company. At the time, Salesforce told its customers to “consider using two-factor authentication.”
Fast forward to today and cloud security issues persist. Last October, hackers managed to get past the security of Adobe’s Creative Cloud and its Revel photo sharing service to obtain Adobe customer IDs and encrypted passwords. If Adobe customers had been using two-factor authentication, they would have been safe because the compromised passwords would have been useless without the second authenticator.
Whether you are providing and/or accessing a public, private or hybrid cloud, two-factor authentication is critical. Yet today, the majority of enterprises using multiple cloud services still choose convenience over security. This is primarily due to an outdated perception that implementing strong authentication is complicated, costly, hard to get management approval for, difficult to deploy and inconvenient for users.
Today, the evolution of cloud services has toppled many of these barriers. Security has become a C-level issue as the high costs of data breaches and the potentially higher cost of damaged brand reputations have been highly publicized. Recent advances in networking software architectures and administrative tools have lowered the cost, time and expertise required to implement strong authentication to control access to cloud services.
Strong, Affordable Solutions for two-factor authentication
Cloud Service Providers that want to get on the fast track to strong authentication should start by considering one-time password access controls. One-time password solutions increase the security of the login process by ensuring the person accessing the network is in possession of two factors of identity verification – something they have, the OTP device, and something they know, a username and potentially a password.
OTP generators come in different form factors, such as handheld hardware tokens, display cards, SMS and mobile applications. All are effective ways to implement two-factor authentication, and they exemplify how different solutions can serve different needs. An OTP token can easily be attached to a lanyard or keychain and a display card can be carried in a wallet. Both provide a cost effective second layer of authentication without being cumbersome.
Mobile text messaging and mobile apps are even less expensive ways to provide OTPs, especially with Bring Your Own Device becoming the norm. Today’s business associate is typically never without a mobile device, be it a smart phone or tablet. Using these mobile devices as the OTP token saves money and reduces complexity.
There are two ways to use mobile devices for OTP authentication:
SMS. This enables the user to request an OTP when logging in to a specific resource. The user receives a text message from the network based on the mobile number on file with the company. This provides the same level of strong authentication but without the need to deploy any additional hardware.
Smartphone App. With the explosion of app stores, OTP apps have been introduced that work on all leading smart phone operating systems. When a user is required to enter an OTP for strong authentication, they simply launch the app which generates an OTP. This, again, eliminates the need for an additional hardware device, making this method both user-friendly and cost effective.
Another important advantage of using the mobile device as your OTP token is the ability to download and self-provision the application. Enterprises can outsource the operation of the authentication server to a solution provider or bring the technology in house via on-premise hosting. Organizations can deploy across a variety of handsets and mobile operating environments.
For companies researching OTP solutions, it is important to consider choosing a solution that complies with the current Open Authentication Organization (OATH) standards. These industry-wide standards for authentication can help reduce costs and bypass the inconveniences of proprietary solutions.
Cloud computing is not a passing trend. Forrester forecasts the global market for cloud computing will grow to more than $241 billion in 2020, and CDW’s 2013 “State of the Cloud Report” said 75% of businesses reported using some type of cloud platform. Both the cloud and the smart mobile device have brought enterprises into a new era for productivity, efficiency and convenience – but sometimes at the expense of security.
If they are to fully realize the potential of the cloud, Cloud Service Providers must offer stronger methods of authentication. It is easier and more cost effective than ever before, and can be as simple as utilizing the devices we all know and carry – our smart phones – as the something “we have” when logging into a cloud service.