Main content

Cloud security - a chargeable extra?

Phil Wainewright Profile picture for user pwainewright October 6, 2013
Microsoft charges extra to add the security of multifactor authentication to Azure. Even banks give this for free, cloud vendors should too

Businessman with an umbrella looking at a giant key with blue sky on the background
Every security breach of third-party data harms public trust in cloud computing. Not only well-publicized mega-breaches like the theft of login data, encrypted credit card data and source code from Adobe, but also the word-of-mouth damage that arises every time an individual has their account hacked.

You'd think that cloud computing providers would go out of their way to minimize vulnerabilities. Of course they invest massive sums in securing their datacenters against direct attack. But most attacks today don't come at the physical network perimeter. Why try and tear down the walls when you can just steal the keys and walk right in? Most attacks today gain access by stealing or cracking passwords that allow the hacker to assume a trusted user's identity.

Therefore it's in the interests of cloud providers to encourage their users to do everything they can to protect their login credentials — in particular to use strong, unique passwords, multifactor authentication and tamper-proof password recovery processes.

Even banks get this right

Therefore I was quite surprised when I got a tweet the other week asking what I thought of Microsoft's charges for multifactor authentication on Azure:


As I tweeted in reply, multifactor authentication is one of the few things the banks give their customers without charging. I personally possess a plethora of keyfobs and card readers donated by various banks eager to protect my online banking experience.

The banks understand very well that their ability to do business online depends on minimizing their customers' security risks. In fact, they're so keen to encourage online behavior such as ecommerce and mobile banking that they're often prepared to indemnify customers against being swindled rather than risk a loss of confidence in the service.

Surely there's a lesson there for the cloud industry? Had Adobe encouraged or offered a multi-factor authentication option for its customers, those logins would have had additional protection. The hackers would not have been able to complete login without the second element: it's called multifactor because it relies on both:

  • something you know, such as a password or memorable phrase; and
  • something you physically hold, such as a keyfob or app that randomly generates an access code; or a personal phone number that receives an access code as a text or voice message

Convenience logjam

Maybe it's the on-premise heritage of vendors like Microsoft and Adobe that lead them to view essential security as a chargeable add-on. But it's a short-sighted tactic — especially in the case of a platform like Azure, that many ISVs are using to provide hosted applications to customers. It's poor form for Microsoft to financially discourage them from implementing and promoting good cloud security practices.

Cloud-native vendors have a better record on this score — Amazon Web Services makes no charge apart from the one-off cost of the keyfob device; Google's 2-step verification, using text messaging to your mobile phone, is free-of-charge; and there are many other examples.

Nevertheless, multifactor authentication is not without its hassles and there can still be vulnerabilities if the password recovery process isn't similarly protected.

Then there's the convenience issue. Many users will feel that logging into each cloud service separately is enough of a pain without also having to go through a multi-step process every time. That could all be solved by single sign-on in tandem with federated identity systems but as discussed in my interview with Ping Identity's Andre Durand, getting the industry to standardize on open specifications is still a work-in-progress.

The reluctance to promote multifactor authentication and federated identity systems reminds me of a similar logjam in the history of on-demand services.

For a long time there was a tremendous lack of progress in monetization technologies, which meant that unless a vendor could sell a relatively high-value subscription, the only cloud applications that could make any headway were funded by advertising. That has changed somewhat with the emergence of in-app purchasing within the Apple and Facebook ecosystems, but for a long while the development of subscription technologies were held back simply because it was so much easier to just hook some Google AdSense units into your web pages.


Today, it's simpler for cloud application providers to give in to user complacency and convenience than it is to really invest in offering an easy-to-implement single sign-on regime protected by robust multifactor authentication. But just like the failure to invest in monetization technologies, this laissez-faire attitude to user security vulnerabilities is going to hold the industry back.

I suspect in the end it's going to be the banks that come to the rescue, as the spread of in-app purchasing will give them a vested interest in properly securing user identities. But it's a disappointment that cloud providers can't already see the long-term upside of taking a lead on this.

In the meantime, I do wonder whether vendors that are determined to charge extra for multifactor authentication really understand the dynamics of doing business in the cloud. The first rule has got to be that you invest in building trust.

Image credit: © WavebreakmediaMicro -

A grey colored placeholder image