Pratum Blog

Cloud computing is all the rage these days. The promises of seamless upgrades, long-forgotten capital budgets for infrastructure, and no talent acquisition and retention headaches are the sweet song of a lovely maiden to a weary seafarer. Moving services to the cloud is sexy to be sure.

There are so many positives to cloud computing that bringing up any negatives almost appears as if you’re simply playing devil’s advocate. Leveraging infrastructure across multiple organizations has huge benefits. Processing cycles are less likely to sit idle, less electrical power is utilized, and fewer support engineers are required. I could go on and on.

The two negatives I hear most frequently about cloud computing are customization and security or privacy. Naturally whenever a shared environment is utilized, the lowest common denominator is used. This limits the amount of customization one can do to that environment.

But what about this whole security and privacy uproar? Is it really that big of a deal? Let’s look at a few key points.

  1. You can’t control what you don’t “own”. You don’t own the infrastructure. So what happens to a drive when it goes bad and is replaced? Is it destroyed in such a manner that your data is rendered unreadable? Unless you’re going to be on-site for the disposal of every piece of equipment you have to rely on your contract.

  2. Shared infrastructure does not equal shared data. It also doesn’t exclude the possibility that your data is shared either. It’s important to do full due diligence on your cloud computing provider’s infrastructure AND application design to see if there are adequate administrative, technical and physical controls to protect your data.

  3. Possession is nine-tenths of the law. Data ownership should be outlined in your contract. With that said, having a piece of paper saying you own something doesn’t always equate to full and exclusive ownership, does it?

Do these issues mean I’m against cloud computing? Not in the least bit. I’m a huge proponent of moving services into the cloud. In fact, Pratum is even working on an application for access certification which could potentially be a cloud service for our customers.

Cloud computing does, however, bring up the importance of improved data governance policies and procedures. It also raises the stakes during procurement. The biggest issue we had to worry about in the past was how we got service on a piece of hardware or software we bought. With your entire business and its data at stake, the ante has been upped. With the proper precautions and understanding of the risk, the payout could be huge for cloud computing. Are you ready for a little high stakes gambling?

Grace and Peace to you in the name of our Lord Jesus Christ

as we celebrate His birth this Christmas season.

From my family to yours...Merry Christmas!

PhoneFactor has come up with a pretty cool solution to enhance user authentication.  By using your phone as a "token" you get two factor authentication without the added infrastructure costs.  Basically PhoneFactor works in conjunction with your website, network or application authentication to provide an additional layer of authentication.  Not only do you need to know your password, you need PhoneFactor to authenticate that you also have your phone (token) before being granted access to your apps.

In a nutshell here's how it works.  PhoneFactor's application gets a message from your website authentication mechanism.  It then dials your phone and requests either that you a.) answer and hit # or b.) answer and enter a PIN.  It then validates that this session took place and sends an acknowledgement back to your website which completes the authentication process.  (Author's Note: Why anyone would choose option a.) over b.) is beyond comprehension for my feeble mind.  I mean if you're trying to enhance security, enhance security.)
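The flow described above, sketched as an added example (not PhoneFactor's code or API; every name, the sample user and the PIN are constructed for illustration). It runs the same login under option a and option b to show what each asks of whoever answers the phone.

```python
import hmac
import secrets

# Constructed sample account; not real data.
USERS = {"alice": {"password": "correct horse", "phone": "+1-555-0100", "pin": "4821"}}

def same(a, b):
    """Constant-time string comparison."""
    return hmac.compare_digest(a.encode(), b.encode())

class PhoneService:
    """Hypothetical stand-in for the out-of-band service that dials the phone."""
    def __init__(self, require_pin):
        self.require_pin = require_pin
        self.calls_placed = 0

    def verify(self, session_id, user, answer_call):
        self.calls_placed += 1
        # answer_call models whoever picks up and what they key in (None = no answer).
        keyed = answer_call(user["phone"])
        if keyed is None:
            approved = False
        elif self.require_pin:            # option b: answer and enter a PIN
            approved = same(keyed, user["pin"])
        else:                             # option a: answer and hit #
            approved = keyed == "#"
        # The acknowledgement names the session it was issued for.
        return {"session_id": session_id, "approved": approved}

def login(username, password, service, answer_call):
    user = USERS.get(username)
    # Factor 1, something you know. No call is placed unless this passes.
    if user is None or not same(password, user["password"]):
        return "denied: bad credentials"
    session_id = secrets.token_hex(8)
    ack = service.verify(session_id, user, answer_call)
    # Factor 2, something you have. Only an acknowledgement for this session counts.
    if ack["session_id"] != session_id or not ack["approved"]:
        return "denied: phone verification failed"
    return "granted"

press_hash = lambda phone: "#"      # whoever holds the phone can do this
key_pin = lambda phone: "4821"      # only someone who also knows the PIN can do this
no_answer = lambda phone: None      # poor reception or phone not allowed on site

if __name__ == "__main__":
    for require_pin in (False, True):
        for name, who in (("press #", press_hash), ("key PIN", key_pin)):
            svc = PhoneService(require_pin)
            print(require_pin, name, login("alice", "correct horse", svc, who))
```

Under option a, pressing # is enough for anyone holding the phone; under option b the same keypress is rejected and only the PIN completes the login.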

You have now been authenticated with something you know, username and password, along with something you have, your phone.  This is pretty slick.  One of the limits to widespread adoption of two-factor authentication was the cost of supplying, managing and replacing tokens.  At upwards of $100 apiece you can see why.  PhoneFactor has eliminated this problem.

From a security perspective, having PhoneFactor out-of-band in the authentication process helps minimize the risk of man-in-the-middle or replay attacks.  It doesn't eliminate it as their marketing suggests.  But then again...what good would marketing fodder be if it told the WHOLE story, right?

Overall I like the idea of PhoneFactor.  There are some implementation questions that anyone looking at this from an enterprise perspective will want to explore such as multiple system management, support relay between PhoneFactor and your internal help desk and how to deal with areas of poor reception such as basements, interiors of large facilities or even data centers where cell phones are not allowed.  If you can work through those issues, you might have a feasible solution.

Kudos to the folks at PhoneFactor for attempting to remove the infrastructure barriers that plague two factor authentication.  It's probably not for everyone, but if you don't at least give it a once over you might be missing out.
