CloudPassage Increases Cloud Security With Multi-factor Authentication

One of the unfortunate truths of cloud computing is that major improvements in efficiency and scalability have come at a cost.

While cloud computing has made it many times easier to start and run a business, it’s also made it many times more risky. Your business can be attacked by anyone from anywhere, and unless you can find a computer security specialist to help you out, there’s very little you can do about it.

According to Verizon’s most recent Data Breach Investigations Report, 94% of all data that was compromised last year involved servers and 97% of the breaches were avoidable through simple or intermediate controls.

This was the business challenge that CloudPassage set out to solve in 2010: It wanted to build a security platform that would protect virtual cloud servers—and the apps that run on top of them—yet be easy enough for a regular employee to manage.

CloudPassage’s founding team, which was made up of security experts with decades of experience, decided to automate everything from intrusion detection and host scanning to firewalls and multi-factor authentication.

Multi-factor authentication improves upon password-only authentication by requiring whoever is trying to access an online service to have some other form of identification, like a mobile phone. When someone logs in with his or her password, an SMS message is sent to the person’s mobile phone containing a special code that he or she also must use to get access.

To add SMS support to multi-factor authentication, CloudPassage compared various SMS providers. Wacker said the company ended up choosing Twilio because team liked the fact that they didn’t have to install an SMS appliance and could code the solution in any web language. In addition, they wanted to be able to escalate from SMS to voice, when necessary, and they needed global reach.

CloudPassage VP of Product Management, Rand Wacker

“The ability to deliver messages internationally was a big deal for us, because we have a very diverse international customer base,” CloudPassage Vice President of Product Management, Rand Wacker said.

Within a few weeks, CloudPassage’s developers built two-factor authentication into a Ruby on Rails application. “Twilio’s API and developer resources made it extremely easy,” Wacker said. “Time after time, our developers were coming to me and saying how cool the API was and how well things were documented.”

Since the launch of Halo GhostPorts SMS in June 2012, the authentication service has been deployed in more than a dozen major geographies.

Wacker said the service has performed reliably and the company has received kudos from its customers for rolling it out. “I don’t know any admin who would say ‘Oh, I don’t need that,’” he said. “As soon as they see how easy it is, they love it.”

CloudPassage had previously deployed multi-factor authentication using USB tokens, which has long been the traditional way of reinforcing online passwords, but unfortunately requires sending an individual USB device to every user before they can authenticate.

Wacker said phone-based authentication is preferable for many companies, because of the ease of use and the speed with which they can get up and running.  “Customers can actually register, deploy and secure their servers in literally ten minutes,” Wacker said, “by using Twilio to deliver authentication messages to any phone, we have made it even faster and easier for customers to secure their cloud servers.”