As both the number and intensity of successful attempts to subvert popular cloud, SaaS offers increases, some prominent industry experts are calling for mandatory two-step verification procedures. But, if past history provides us with any reliable metrics on the usefulness of these added security controls, two-step verification methods need to be tightly managed if they are to provide a useful deterrent to subversive attempts.
Just two days ago a post was published to this blog on a related topic. This post addressed the recent, highly publicized successful effort of hackers to penetrate a celebrity’s account on Apple’ iCloud storage service. This post advocated a broader, perhaps mandatory, requirement of consumers of services like iCloud, OneDrive, Google’s Drive, etc. Any/all users of these services should be required to implement two-step identity verification methods.
It was, therefore, encouraging for us to review a short video interview with Tim Bucher, a respected authority on online security topics. This interview, titled Apple iCloud options buried: Expert (http://video NULL.cnbc NULL.com/gallery/?video=3000308065), records very similar opinions, expressed by Bucher, to those voiced in the post to this blog.
But readers should be aware of a couple of instances, in the recent past, where two-step verification methods (including the RSA system Bucher describes in the interview) have been compromised.
Back in April, 2011, RSA’s SecurID system (http://bits NULL.blogs NULL.nytimes NULL.com/2011/04/02/the-rsa-hack-how-they-did-it/?_php=true&_type=blogs&_r=0) was, unfortunately, successfully hacked. Of course RSA has long since cleaned up the errors, and, to their credit, the fact an expert of Bucher’s authority makes reference to the system as a reliable safeguard is good news.
Back in 2013, Duo Labs (https://www NULL.duosecurity NULL.com/blog/bypassing-googles-two-factor-authentication) identified, and subsequently publicized potentially dangerous problems with Google’s two-factor authentication system. Once again, these problems have been corrected.
The point of offering these examples is not to discourage readers from implementing similar trusted solutions, but, rather, to illustrate that any/all of these controls have vulnerabilities. When considered outside of the context of a sound attempt to implement an operational risk management policy truly capable of safeguarding online interaction with a cloud, SaaS offer, no control should ever be considered a completely infallible defense against hackers.
Readers may wonder just what constitutes “a sound attempt to implement an operational risk management policy”. Such an attempt is defined as an effort persistently enforced over any/all daily online computing instances. Any breakdown in the persistence of these procedures can, and, unfortunately, often does lead to successful subversive efforts.
Unfortunately, “dumbing down” doesn’t work when online computing is the activity at hand and the need is to safeguard confidential information.
Ira Michael Blonder
© IMB Enterprises, Inc. & Ira Michael Blonder, 2014 All Rights Reserved