Google Cloud Next is now in its third day.
A mindset change is often required to adopt new solutions. For example, a horse-and-buggy driver will have a hard time figuring out how to harness the 200 “horsepower” under the hood until he realizes that you don’t need to handle 200 reins; you just have a steering wheel, one gas pedal, one brake, and maybe a clutch. What about security for cloud computing and apps?
Take the issue of enforcing two-factor authentication for logging in to a system based on what you know (the password) and what you have (some special key). The classic method from the old days was to use something like a token (a hardware or software key) that generates a one-time code. That worked fine, but it required looking after the key very carefully so it wouldn’t get lost. Furthermore, if you log in to multiple systems, you may be issued multiple keys, each with a different expiration date, and it starts to get unwieldy.
Google announced support for Security Key Enforcement for GCP and G Suite apps via two-factor authentication (2FA). The use of security keys (FIDO U2F compatible keys, such as those from Yubico) is not new; it has been supported for several years. What matters for the enterprise is the model for using 2FA in Google’s world. You don’t need to take care of each key like it’s precious. You can pick them up from a cookie jar by the handful and stash them away anywhere. You can even leave one attached to your laptop’s USB port all the time. This is similar to the pets (a special companion that you care for) vs. cattle (just an animal in a herd) analogy in scalable cloud architectures.
The key issue (pun intended) is that the attack we want to mitigate is someone stealing your password and trying to log in to your account from far away. By requiring a key that you have, the attacker (potentially overseas) won’t gain entry. If you lose a key, that’s fine: you can simply revoke it (or all the keys). You can require the key as often (or as seldom) as you want, based on the security requirements of the app or the organization. The point is to make it so simple that secured access becomes as easy and common as possible.
These FIDO keys are also more secure than the common SMS 2FA codes, since they are crypto-secure hardware. Unlike one-time codes sent via SMS, they are not vulnerable to man-in-the-middle attacks or replays. You think SMS messages are just sent to your phone? That’s not always true: some mobile carriers give you the option of receiving SMS text on multiple devices, such as a PC app, so the SMS code may potentially be read on other devices via man-in-the-middle snooping.
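To make the "what you know plus what you have" model concrete, here is an added example written for this post; it is not Google's, Yubico's or the FIDO Alliance's code, and the origins, user name and password in it are constructed. A real U2F key answers a server challenge with an ECDSA signature over the challenge and the site origin, which the server checks against the public key registered at enrollment. So that the example needs only Python's standard library, the key below uses an HMAC over a per-registration secret as a stand-in for that signature; the protocol shape is the same, and it is that shape which gives the properties the post describes: a stolen password alone earns nothing, a captured assertion cannot be replayed because the challenge is single use, an assertion produced on a look-alike site fails because the origin is part of what is signed, and a lost key is revoked on its own while the spare keeps working.

```python
import hashlib
import hmac
import secrets

# Constructed values for the example; not real services or users.
APP_ORIGIN = "https://example-gcp-app.test"
PHISH_ORIGIN = "https://examp1e-gcp-app.test"   # look-alike site an attacker might run


class SecurityKey:
    """One FIDO-style key. A real U2F key signs with a per-registration ECDSA private
    key; here an HMAC over a per-registration secret stands in for that signature so
    the example needs only the standard library. The protocol shape is unchanged."""

    def __init__(self):
        self.handle = secrets.token_hex(8)       # key handle the server stores
        self._secret = secrets.token_bytes(32)   # stand-in for the private key
        self.counter = 0                         # monotonic signature counter

    def registration_data(self):
        return self.handle, self._secret         # real key: handle + public key

    def sign(self, origin, challenge):
        # The browser supplies the origin it is on and the key signs over it, so an
        # assertion produced on a look-alike site is worthless on the real one.
        self.counter += 1
        msg = f"{origin}|{challenge}|{self.counter}".encode()
        return self.counter, hmac.new(self._secret, msg, hashlib.sha256).digest()


class AuthServer:
    def __init__(self, origin):
        self.origin = origin
        self.users = {}       # name -> {"salt", "pw", "keys": {handle: [secret, last_counter]}}
        self.challenges = {}  # outstanding challenge -> name (single use)

    @staticmethod
    def _hash_pw(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def add_user(self, name, password, keys):
        salt = secrets.token_bytes(16)
        enrolled = {h: [s, 0] for h, s in (k.registration_data() for k in keys)}
        self.users[name] = {"salt": salt, "pw": self._hash_pw(password, salt), "keys": enrolled}

    def revoke_key(self, name, handle):
        self.users[name]["keys"].pop(handle, None)   # lost key: drop it; the rest keep working

    def start_login(self, name, password):
        """Factor 1 (what you know): a correct password earns only a fresh challenge."""
        u = self.users.get(name)
        if u is None or not hmac.compare_digest(u["pw"], self._hash_pw(password, u["salt"])):
            return None
        challenge = secrets.token_hex(16)
        self.challenges[challenge] = name
        return challenge

    def finish_login(self, name, challenge, handle, counter, sig, origin):
        """Factor 2 (what you have): needs a fresh challenge, an enrolled key,
        the genuine origin and a counter that has advanced."""
        if self.challenges.pop(challenge, None) != name:
            return False                             # unknown, already used, or someone else's
        if origin != self.origin:
            return False                             # assertion was made for another site
        rec = self.users[name]["keys"].get(handle)
        if rec is None:
            return False                             # never enrolled or revoked
        secret, last_counter = rec
        expected = hmac.new(secret, f"{origin}|{challenge}|{counter}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, sig) or counter <= last_counter:
            return False                             # forged, replayed, or cloned key
        rec[1] = counter
        return True


def run_scenarios():
    """Outcomes for the situations the post describes; True means login accepted."""
    server = AuthServer(APP_ORIGIN)
    key_a, key_b = SecurityKey(), SecurityKey()      # two keys from the cookie jar
    password = "correct horse battery staple"        # constructed sample password
    server.add_user("alice", password, [key_a, key_b])
    out = {}

    ch = server.start_login("alice", password)                   # legitimate login
    ctr, sig = key_a.sign(APP_ORIGIN, ch)
    out["legit"] = server.finish_login("alice", ch, key_a.handle, ctr, sig, APP_ORIGIN)
    out["replay"] = server.finish_login("alice", ch, key_a.handle, ctr, sig, APP_ORIGIN)

    ch = server.start_login("alice", password)                   # stolen password, no key in hand
    out["password_only"] = server.finish_login("alice", ch, key_a.handle, 99, secrets.token_bytes(32), APP_ORIGIN)

    ch = server.start_login("alice", password)                   # assertion made on the look-alike, relayed
    ctr, sig = key_a.sign(PHISH_ORIGIN, ch)
    out["phished"] = server.finish_login("alice", ch, key_a.handle, ctr, sig, APP_ORIGIN)

    server.revoke_key("alice", key_a.handle)                     # key A lost: revoke it
    ch = server.start_login("alice", password)
    ctr, sig = key_a.sign(APP_ORIGIN, ch)
    out["revoked_key"] = server.finish_login("alice", ch, key_a.handle, ctr, sig, APP_ORIGIN)
    ch = server.start_login("alice", password)                   # spare key B still works
    ctr, sig = key_b.sign(APP_ORIGIN, ch)
    out["spare_key"] = server.finish_login("alice", ch, key_b.handle, ctr, sig, APP_ORIGIN)
    return out
```

Running `run_scenarios()` accepts only the legitimate login and the spare key; the replayed assertion, the password-only attempt, the relayed look-alike assertion and the revoked key are all rejected. An SMS code has none of these bindings: it is tied to nothing but its value, so anyone who can read it on a forwarded-SMS desktop app can present it, which is the contrast the paragraph above draws.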
These new ways of securing GCP and G Suite are meant to help enterprises secure their assets in a simple way, which in turn provides better ROI. For consumer-level apps, SMS codes may still be appropriate, since they are simple, the protected assets are not as mission-critical, and mobile phones are commonplace. But enterprises need to up their game.
This is one of the ways in which it helps to turn your thinking upside down to appreciate new methods of securing enterprise assets on today’s cloud platforms, and it applies not only to Google but to other providers as well. But Google is showing this week that it is willing to provide leadership with groups such as the FIDO Alliance, along with other partners and vendors.
Enterprises also need to change their mindset to benefit from a new way of doing things. If they don't, they will be stuck trying to drive a car like it's a horse.