The Need for 2 Factor Authentication in Cloud Computing – Defcon and ISACA

Greg Conti, an Assistant Professor of Computer Science at the US Military Academy in West Point, gave a talk at Defcon last week about the dangers of cloud computing. “The information we are all giving to online companies is massive and dangerous and [security's] going to get worse before it gets better.” This has spurred renewed debate in the security industry about strong authentication on the Internet as more and more critical services move into the cloud.

One example was a blog posting of mine earlier this week, where Wells Fargo passwords for using a credit reporting server were somehow stolen, and identity thieves used those access codes to get onto the MicroBilt credit reporting site and mine the personal data, Social Security numbers, etc. of over 7,000 people.

Had this cloud service required an authentication token or a digital certificate in addition to a username and password, the stolen passwords alone would not have been enough to get in, and this type of breach would not have been possible.

Think about all of the critical data and IT systems that are moving into the cloud these days. Consumer credit reporting, enterprise CRM and sales force automation, customer support systems, banking and stock trading, foreign exchange, DNS management, email security… the list goes on and on, and it is only going to accelerate. Imagine if any one of the above services that you or your company uses were accessed by a hacker or competitor.

The Information Systems Audit and Control Association (ISACA) has released a statement that two-factor authentication systems, combined with encrypted communications, can secure Internet connections to cloud computing-based services.

“Our belief is that, with the right technology, the new generation of cloud computing systems can be made as secure — if not more secure — than existing server-based office systems,” said Sarb Sembhi, president of the ISACA London Chapter.

My personal belief is that all Internet services that have personal or business information should offer strong 2-factor authentication to their users and customers.

4 Responses to “The Need for 2 Factor Authentication in Cloud Computing – Defcon and ISACA”

  1. Glenn Says:

    I’m sold on the need. Suppose I’m putting up a new web application in the cloud. The primary exchange over the wire will be Ajax calls from the browser client to the server backend in the cloud. What is the “best practice” that you recommend? What protocols do you propose people should follow? Be exact and specific.

  2. Matthew Elvey Says:

    Certainly, two factor authentication would help. It would help in cases where IT departments do stupid things, like when TJX, *AFTER* settling their huge identity theft lawsuit, *REMOVED* the passwords from their servers. It might have helped in my case against TD Ameritrade, where the attackers had ongoing access to social security numbers for two *YEARS*.

    There needs to be a good housekeeping seal of approval for organizations that follow responsible security best practices.

  3. admin Says:

    Glenn,
    You can either use a One Time Password device, such as an RSA token, along with a username and password, or you can use a digital certificate on the user’s computer. The digital certificate is used by the user’s browser to do an SSL client-authentication with the server when an HTTPS connection is established. The beauty of using a certificate is that the user doesn’t have to know anything about One Time Passwords, etc. It’s also more secure, as it cannot be attacked by a man-in-the-middle (a One Time Password can be captured by a phishing site and re-used quickly to gain access to the site).

    The challenge with digital certificates has historically been in the provisioning of them to end users. IronKey gets around this issue because every Personal and Enterprise IronKey device is provisioned with digital certificates. If a user uses the on-board Firefox to browse a site, the site’s web server can request an SSL-Client-AUTH in the SSL handshake, and can verify that it really is the user.

    I can send you a document with specific details on how to do this if you’d like.
    Dave

  4. Oliver Says:

    Hi,

    I am highly interested in the document you are talking about.
    Thank you.
