When a company's mission is front-line defense for cloud infrastructure, every attack vector has to be accounted for. This includes users' accounts and access control. CloudPassage built a two-factor authentication solution on Twilio to ensure a user wanting to log in is who they say they are.
CloudPassage provides security for applications running on virtual servers that are housed in public or private clouds. It makes it easy for any developer or technician to manage everything from a host-based firewall to vulnerability scanning, with no specialized expertise in computer security required. In addition, access to cloud servers is protected by multi-factor authentication, rather than by passwords alone, which have proven to be easily compromised. By building multi-factor authentication on the Twilio Cloud Communications Platform, CloudPassage was able to deploy a carrier-grade solution in weeks that is now available to customers anywhere in the world.
One of the unfortunate truths of cloud computing is that major improvements in efficiency and scalability have come at a cost. While cloud computing has made it many times easier to start and run a business, it’s also made it many times more risky. Your business can be attacked by anyone from anywhere, and unless you can find a computer security specialist to help you out, there’s very little you can do about it.
According to Verizon’s most recent Data Breach Investigations Report, 94% of all data that was compromised last year involved servers and 97% of the breaches were avoidable through simple or intermediate controls.
This was the business challenge that CloudPassage set out to solve in 2010: It wanted to build a security platform that would protect virtual cloud servers—and the apps that run on top of them—yet be easy enough for a regular employee to manage.
CloudPassage’s founding team, which was made up of security experts with decades of experience, decided to automate everything from intrusion detection and host scanning to firewalls and multi-factor authentication.
Multi-factor authentication improves upon password-only authentication by requiring whoever is trying to access an online service to have some other form of identification, like a mobile phone. When someone logs in with his or her password, an SMS message is sent to the person’s mobile phone containing a special code that he or she also must use to get access.
To add SMS support to multi-factor authentication, CloudPassage compared various SMS providers. Wacker said the company ended up choosing Twilio because the team liked the fact that they didn’t have to install an SMS appliance and could code the solution in any web language. In addition, they wanted to be able to escalate from SMS to voice when necessary, and they needed global reach.
“The ability to deliver messages internationally was a big deal for us, because we have a very diverse international customer base,” Wacker said.
Within a few weeks, CloudPassage’s developers built two-factor authentication into a Ruby on Rails application. “Twilio’s API and developer resources made it extremely easy,” Wacker said. “Time after time, our developers were coming to me and saying how cool the API was and how well things were documented.”
Since the launch of Halo GhostPorts SMS in June 2012, the authentication service has been deployed in more than a dozen major geographies.
Wacker said the service has performed reliably and the company has received kudos from its customers for rolling it out. “I don’t know any admin who would say ‘Oh, I don’t need that,’” he said. “As soon as they see how easy it is, they love it.”
CloudPassage had previously deployed multi-factor authentication using USB tokens, which have long been the traditional way of reinforcing online passwords but unfortunately require sending an individual USB device to every user before they can authenticate.
Wacker said phone-based authentication is preferable for many companies because of its ease of use and the speed with which they can get up and running. “Customers can actually register, deploy and secure their servers in literally ten minutes,” Wacker said. “By using Twilio to deliver authentication messages to any phone, we have made it even faster and easier for customers to secure their cloud servers.”