Cloud computing opens up tremendous opportunities for companies that prefer to focus on their areas of expertise rather than on spending massive amounts of time, money, and personnel resources on their data center. But, there is one area where companies should not scrimp when it comes to securing their data — identity and access management (IAM).
This becomes even more important when the cloud-based data and applications are required to meet either regulatory or industry compliance rules such as Payment Card Industry Data Security Standards (PCI DSS), for credit card or personally identifiable information, and the Health Insurance Portability and Accountability Act (HIPAA), or Health Information Technology for Economic and Clinical Health Act (HiTECH), for data in the healthcare industry. These and many other regulations require companies to maintain the confidentiality of protected data and the best way to do that is to ensure that only authorized personnel have access to that data.
Traditionally, data has been protected simply by using a login name and password, but major data breaches at large healthcare providers such as Premera, federal agencies, including the governments personnel office, and even data security vendors, such as RSA, have demonstrated that this approach is no longer sufficient.
Multifactor authentication — a combination of something you know (a password), something you have (a token), and something you are (a biometric scan) — is generally considered an important step up from basic password-based access. Traditional tokens, sometimes called smart keys, were either a key fob that generated a random, one-time-use access code or a USB-based device that contained authentication data about the user. While these approaches are still used today, they can be expensive to maintain, difficult to manage, and require a lot of user support when the tokens are lost or the user forgets their authentication passwords.
Today, smart phones are becoming the token of choice for many service providers and security consultants. Cloud services, for example, can send users’ phones a special code if the user tries to log in from a system that the application’s database does not recognize. The user types in the one-time-use code and now that device becomes authenticated for future access.
Smart phones also can be fitted with near-field communications technology that acts as a smart key to authenticate a user. Hardware-to-hardware authentication is often preferred by security professionals because devices are capable of remembering very long and complex data strings that a human is simply not capable of memorizing. Authenticating the device, combined with something the user knows (password) or is (a biometric scan), therefore, can be more reliable than authenticating the user alone.
Today’s biometric devices, especially in the consumer realm, tend to be of relatively low sensitivity. Fingerprint scanners on many laptops, for example, can be defeated using a picture of the fingerprint. Retina scanners tend to be more reliable than fingerprints, but some of these also can be defeated with a photo. And false negatives can occur if the user has a cut on their finger or some types of eye diseases.
While the promise of biometrics is significant, this technology still lacks the price point and quality controls that some applications and chief security officers require.
Remember that for passwords to be reliable you need a user policy that dictates how often they need to change their passwords and how complex the password or passphrase should be. Long passphrases can be very secure, but only if the user changes them frequently — generally speaking, every 60 days — so that if credentials are compromised, the damage can be limited.
Multifactor authentication today is quite easy to implement. If your service provider is not yet offering multifactor authentication, ask them when it will be offered. It’s important enough of a security best practice to make you considering changing providers if it is not supported.