Amazon adds onetime password token to entice the wary

By Carl Brooks, Technology Writer 11 Sep 2009 | SearchCloudComputing.com

Enterprise IT news roundup Digg This!     StumbleUpon     Del.icio.us

More on Amazon Web Services: Amazon Web Services product directory Amazon to release AWS APIs into the wild?

Onetime password token devices like this are widely used in the financial industry and others with sensitive data needs. Once bought, Gemalto's devices and a user's AWS account login are linked through Gemalto's "Strong Authentication" server. The move comes as Amazon increasing pitches its flagship EC2 cloud service to enterprises leery of using shared, public resources.

"They have seen an interest in a stronger form of authentication", said David Teo, marketing manager for Gemalto's Texas offices. He said that Gemalto's usual customers were enterprises who needed to manage a remote workforce, and even vendors like Bank of America, that issue token devices to its online banking customers.

But is it enough?
Currently, AWS is accessible to anyone with a credit card and an email device, and security concerns for most enterprises are far deeper than an automatic password generator. Any firm using onetime token devices also has sophisticated monitoring and governance tools, including federated identity management, activity tracking, user management and remote control of authentication systems.

"Any company that wanted this for their people would want to manage identities too," said Rich Buttermore, security analyst and senior director at CSC. When an employee leaves a company, for instance, it's standard to close computer accounts and rescind privileges to company resources, which presumably would include AWS services, said Buttermore. It's a basic security concern and something enterprises routinely take into account when managing IT resources.

"If your entire Web presence is on Amazon, and that account [and token device] belongs to one person, what happens if you can't find him?" said Buttermore. He added that disgruntled employees are even more of a risk as they may refuse to hand over access, as San Francisco network administrator Terry Childs famously did.

If your entire web presence is on Amazon, and that account [and token device] belongs to one person, what happens if you can't find him? Rich Buttermore, security analyst and senior director at CSC

Childs was a network administrator for the city of San Francisco who refused to hand over passwords and logins to superiors controlling the network infrastructure of the city. He eventually gave the information directly to Mayor Gavin Newsom. Childs was jailed and stood trial for the act.

Buttermore said the limited nature of this security product would not appeal to an IT department looking to manage cloud resources.

Gordon Haff, Principal Analyst with Illuminata, agreed. "This is two-factor authentication -- which is often referred to as multi-factor, even though it's just two," he said. Haff called two-factor authentication of this type very common.

"This is by no means a comprehensive approach to AWS security, which is a much, much broader topic that also plays into compliance of various sorts," he said. "However, this sort of two-factor authentication is a common way of providing an additional level of protection."

This token system may prevent someone from accessing AWS services without the physical device, but it comes with none of the other features a company familiar with a high level of security would expect. It's an interesting move and clearly comes in response to customer worries about security, but it is unlikely to lead to a sudden surge in use of EC2 for enterprises that take network security management seriously, analysts say.

Carl Brooks is the Technology Writer at SearchCloudComputing.com. Contact him at cbrooks@techtarget.com.

Tags: Data privacy in the cloud,  Cloud computing services,  VIEW ALL TAGS

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT Data privacy in the cloud Security issues in cloud computing Oracle users balk at cloud computing Learning to let go: A cloud security primer with George Reese Virtualization vulnerabilities leave clouds insecure Public sector drags its heels on cloud Novell tool to secure data and workloads in the cloud Researchers discuss virtual private clouds, coin CloudNet Trusted Cloud Computing Platform proposed to secure IaaS clouds Private Virtual Infrastructure proposed to address cloud security issues Cloudy with a chance of Ubuntu, Hohm gets hosted Cloud computing services Jeff Kaplan talks Salesforce Chatter at Dreamforce 2009 The benefits of being a Salesforce.com customer Azure's early 2010 launch comes with RightScale support Dreamforce 2009 conference coverage Taser develops 'cop cloud' for law enforcement AT&T squares up to Amazon EC2 Cloud computing management and monitoring primer Cloud computing management overview Cloud management pricing and licensing Google cuts cloud storage costs; Amazon expands its horizons

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary cloud cartography  (SearchCloudComputing.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary