Authentication Holds the Key to Cloud Success

Guest blog by: Mark Stanislav, Security Evangelist, Duo Security

The process of authentication is as old as mankind’s need to trust one another. Whether by way of a secret handshake or perhaps a codeword, the avenues by which individuals defend a claim about who they are can range from simplistic to complex. Consider the story of how, during World War I, an impromptu challenge coin allowed a downed airman to establish his allegiance to French allies after escaping from enemy capture[1]. While these types of authentication may be a bit impractical for the digital age, they do represent an established need that has only increased as physical contact has shrunk into streams of binary.

The transition from human to digital means of authentication has been tenuous at best. As computing use increased, so did the need to adequately validate users so that appropriate privilege and access could be provided. If you take the sum of daily passwords you are charged with maintaining across systems — both for personal and professional use — you’ll note some password strength requirements are certainly better than others. In fact, many financial institutions even restrict the ability to create strong passwords[2], likely due to constraints of technical debt they have accrued across infrastructure over the years.

The early decades of authentication security mostly represented two methods: passwords and tokens. The viability of hardware tokens was weighted heavily in favor of large enterprises, due to the cost and maintenance required for a successful deployment. This isn’t to say that the value wasn’t worth the cost or effort, but simply that for smaller organizations that had similar needs but dissimilar room for security investment, the practicality was unfortunately not there.

Despite the long history of authentication and subsequent innovations in security controls, the usage of various types of user validation still remains at the top of the list for most computing security, especially as organizations make the move to cloud service models. Regardless of who is maintaining your email, or where your customer data is stored, the security of those accounts and their data hinges on authentication.

A 2012 Intel cloud computing report noted that, “the number-one concern of IT professionals is a lack of controls to enable them to effectively limit access to data and services to authorized users.”[3] This is of course deeply concerning due to how long authentication has existed, how many ways we have to do it, and the functional demand that such services require these days. Combine that viewpoint with the conclusion from Mandiant in 2012 that, “100% of breaches utilize stolen credentials”[4] and the dire reality of insufficient strong authentication becomes clear.

There are two primary issues at play, and solving them en masse will give organizations a fighting chance against the escalating threats to their computing resources. First, the availability of strong authentication that is built with the end-user experience in mind will allow for broader adoption, with less pushback from users and an easier job for implementation teams. Second, the availability of such a solution at an affordable price point, one that doesn’t necessarily require the massive hardware investments or physical tokens of older solutions, can facilitate implementation. These realizations aren’t that shocking if you consider other technological trends that follow similar uptake models once a product becomes easier to use and more affordable.

The industry is at a crossroads where the move to cloud computing could be seriously hindered if the strong authentication problem isn’t resolved quickly. According to a survey conducted by IDG[5] this year, only 1 in 3 organizations feels comfortable with cloud computing security. Worse, 42% of companies that moved to the cloud for projects ended up returning to their on-premise solution, with security concerns the reason in 65% of cases. When control is the largest cloud computing concern and security isn’t being adequately addressed, authentication is the clear choice for where more attention should be given.

Fortunately, the past few years have brought a number of strong authentication solutions to market, leveraging advances in mobile technology and built to benefit from, as well as enable, cloud computing paradigms. Not only has this latest wave of authentication security brought a better experience for customers, but it has also brought more affordable choices. With lower overhead to entry and pay-as-you-go pricing, many solutions are enabling usage by small and medium businesses that could never afford such a deployment in the past.

To fully leverage cloud computing, a shift in authentication will need to occur before organizations will make the leap with both feet. While we’re far past the days of using challenge coins for actual authentication, we’d be remiss not to consider the lessons that they taught us. When function, ease of use, and financial viability of a security control all work in symphony, the benefits will be clear and the adoption, wide.

1. http://en.wikipedia.org/wiki/Challenge_coin

2. https://www.novainfosec.com/2013/09/03/american-express-forcing-complex-usernames-weaker-passwords/

3. http://www.intel.com/content/www/us/en/cloud-computing/whats-holding-back-the-cloud-peer-research-report.html

4. http://www.utdallas.edu/~mxk055100/courses/dbsec12f_files/trend-report.pdf

5. http://www.forbes.com/sites/louiscolumbus/2013/08/13/idg-cloud-computing-survey-security-integration-challenge-growth/

CIS Disclaimer: The content of this blog and the statements and opinions contained therein are those of the author. CIS makes no representations or promises as to the accuracy, completeness, currency or suitability of the information provided in this guest blog post and such posting does not constitute an endorsement of the content, viewpoint, accuracy, or opinions of the author.