Security in a cloud world: Go multifactor

As Microsoft moves to delivering everything in the cloud, it's time to get serious about cloud security

Cloud computing is typically described with terms like "software as a service" (SaaS), "infrastructure as a service" (IaaS), and "platform as a service" (PaaS), but we've seen an explosion of the use of "aaS" to describe just about anything and everything as a service: communication, training, data, storage, and so on.

As I've previously written, Microsoft is fully focused on "aaS," even stating that it won't develop anything as an on-premises-only product going forward. Whether or not they like it, IT admins will be dealing with the cloud in their core work.

[ How to choose the right Office 365 option for your company. | What's new in Microsoft Azure. | Stay atop key Microsoft technologies in InfoWorld's Technology: Microsoft newsletter. ]

The cloud has a lot to offer, such as requiring limited or no capital expenditure (the infrastructure is provided by the vendor), easy deployment and scalability, and device/location independence.

But it carries a risk that makes many in IT very uncomfortable: putting corporate data (the lifeblood of any company) into someone else's cloud, including Microsoft's. We've seen some very public breaches of cloud services, as well as outages. Although Microsoft has escaped such major fails in the past year, it experienced an outage over an expired SSL cert and a cyber attack.

Microsoft gets the fear, which is why it has established the Office 365 Trust Center to explain how Office 365 addresses built-in security, continuous compliance, privacy, and transparent operations. If you are using -- or will use -- Microsoft cloud services, I encourage you to go through that information at the Microsoft website.

Another key to security is the need for multifactor, random authentication for access to cloud services. A single username and a password doesn't cut it, especially now that static security data is routinely stolen -- think how many times you've been told to change your password due to a breach at a social network or other cloud service. One method to combat habitual password theft is to require two-factor authentication, such as using a text message (SMS) to provide a random number or an automated voice call for confirmation.

Microsoft began supporting this approach a year ago, and today Google, Facebook, and Twitter, among others, all offer two-factor authentication for access to their cloud services. Of course, every network should support multifactor authentication, whether in the cloud or on premises. Had the U.S. credit card companies, banks, and merchants implemented multifactor credit cards (common in the rest of the world), breaches such as the one at Target recently wouldn't have been such a disruptive event.

Anything and everything as a service is here now. But securing it is an evolving discipline. A combination of strong technology on the part of the cloud vendor combined with increased user authentication (and training) will provide for a safer experience going forward. Microsoft has too much at stake with its Azure and Office 365 push for the future to give security short shrift.

This story, "Security in a cloud world: Go multifactor," was originally published at Read more of J. Peter Bruzzese's Enterprise Windows blog and follow the latest developments in Windows at For the latest business technology news, follow on Twitter.

Copyright © 2014 IDG Communications, Inc.