If your business replaces its desktop software with webbased applications, or its internal firewall-protected servers with externally hosted systems, then they become more easily accessible over the internet, which is presumably what you want, but there are associated internal security risks whether they are cloud-based or not. Rogue employees are a danger to any business on any system, and ‘insider theft’ accounted for 16 per cent of reported data breaches in the United States in 2008 (ITRC, 2009); but here are three scenarios that relate to web-based systems in general:
- Former employees or contractors may continue to have access to your intellectual property after they have stopped working for your organization if one or more of their user accounts have not been deactivated.
- Users may have their user names and passwords stolen by keyboard sniffing technology or professional hackers who use various techniques.
- If you use the same user name and password on multiple systems and one system is compromised, then those credentials may be used to access another system.
Now, mistakes happen, but there are ways to minimize the likelihood of internal security breaches, including internal processes, two-factor authentication and single sign-on.
Most businesses have checklists they use and processes they follow when employees take up or leave their employment;
but the deployment of new IT systems in public clouds can outpace the development of internal security processes, especially when they can be set up by non-IT staff. Thus, whenever a new cloud-based system is introduced, checklists must be modified immediately and existing user account management processes must be followed or, if necessary, extended to encompass them. You have to ensure through good internal processes that all ex-employees’ and ex-contractors’ user accounts are deactivated immediately to reduce the risk of these accounts being misused or confidential data passed on to competitors. You should also ensure that your employees use strong passwords when they access any of your systems, and that they use different passwords on different systems unless single sign-on
technology is implemented.
User names and passwords can be guessed or stolen, along with other personal information such as your mother’s maiden name or your place of birth, and so on. Thus if you really want to secure access to your cloud-based systems
then two-factor authentication is a good solution. This means keeping your user name and password but adding another identifying element that is immune to online identity theft. Examples of two-factor authentication techniques are:
- asking users (when they attempt to log on) to view a group of similar images and select the one that they chose or uploaded when they registered as a user on the system;
- biometric techniques such as retinal scans or voice prints;
- comparing the ‘typing rhythm’ of a user with recorded patterns for that user when they enter their user credentials;
- one-time passwords generated by a small portable ‘token’ carried by users;
- public-key infrastructure, which involves a public and a private cryptographic key pair that is obtained and shared through a ‘trusted authority’;
- sending one-time passwords to users’ mobile phones for them to type in after they have entered their usual credentials;
- smart cards that have on them a unique security grid which has characters in specific coordinates that the user can be quizzed on when logging in.
Two-factor authentication technologies are not new to cloud computing, they have been used to secure the virtual private networks of enterprises for some time, but the economies of scale afforded by public clouds have now made them affordable for small businesses.
As discussed earlier, your employees may end up with user accounts on multiple cloud-based systems so password management becomes a problem, and the temptation is there to use the same password on different systems, which is a security risk. To deal with this issue of ‘cloud proliferation’ there are a number of commercially available federated identity (or single sign-on) services that enable users to log on to multiple clouds and internal IT systems through a single website; and some cloud service providers also allow users to log on to their systems using their credentials from other cloud services without a third party being involved.