User credentials: the Achilles’ heel of cloud app security


If your organization is like most mid- and large-size organizations, you (along with your employees) have likely adopted anywhere from a half dozen to over a hundred cloud apps.  Some of these are sanctioned by the IT organization – Office 365 is a good example – and some are not.  Yet all of these applications have two things in common: a user authenticates to them with a set of credentials, and they are accessible from anywhere.  Whoever holds the login credentials has access to the data.  Given that, it's not surprising that discussions are heating up about enforcing something more than a user name and password for secure access.

One approach that is gaining traction, and one we are recommending more customers apply, is Multi-factor Authentication (MFA), also called strong authentication.  With MFA, IT staff can require a one-time passcode as an additional factor beyond the usual user name and password in order to verify the identity of the person logging in.  By requiring users to present something they know (e.g., their password) and something they have (e.g., their mobile device), IT security teams can add another layer of security for high-risk actions.  For example, if an Office 365 user is about to download a large number of files from OneDrive, requiring that individual to authenticate with a second factor is a good way to raise the bar without making things difficult for the end user.


User is required to enter a verification code beyond just a username and password.


User enters the verification code that was sent to his or her mobile device.

Credentials are the easiest way for a bad actor to get access to the data.  Breaking through the cloud app provider's security infrastructure is usually much harder than attacking an end user to obtain their credentials.  The end user is often the weakest link, and attackers know that a cloud app provider cannot tell a legitimate login from one that uses valid credentials stolen through malware or social engineering aimed at an unsuspecting end user.

For these scenarios, it's important to consider MFA capabilities that work hand-in-hand with anomaly detection to flag signals such as an unknown mobile device, an atypical location, or an uncommon or risky user request.  Taking the Office 365 example from above, an IT security organization might want to trigger MFA automatically when the login credentials are valid, but the mobile device being used to access Office 365 has never been used by the account owner and the session is originating from a location the user does not normally work from.  Any one of these anomalies might be benign; together they are a strong indication that an attack is underway.
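The step-up policy sketched above, as an added Python example that is not code from the original post or from any particular vendor's product: each login or download event is scored against the user's baseline of known devices and usual countries, a single anomaly is tolerated, two anomalies together or a bulk download on its own forces a second factor, and a device that passes MFA is enrolled so the same user is not re-prompted for it.  The event fields, the score weights, the 100-file cut-off for "a large number of files" and the sample events are all assumptions constructed for illustration.

```python
# Added example: risk-based step-up authentication policy.
# Event fields, weights, thresholds and sample data are assumptions.
from dataclasses import dataclass, field


@dataclass
class LoginEvent:
    user: str
    device_id: str          # client device identifier (assumed to be available)
    country: str            # geolocation of the session's source address
    action: str = "login"   # "login" or "download"
    file_count: int = 0     # files requested when action == "download"


@dataclass
class UserBaseline:
    known_devices: set = field(default_factory=set)
    usual_countries: set = field(default_factory=set)


# Assumed weights: one anomaly alone stays below the threshold; two anomalies
# together, or a risky action on its own, require the second factor.
RISK_WEIGHTS = {"unknown_device": 2, "atypical_location": 2, "bulk_download": 3}
MFA_THRESHOLD = 3
BULK_DOWNLOAD_FILES = 100   # assumed cut-off for "a large number of files"


def risk_signals(event: LoginEvent, baseline: UserBaseline) -> list:
    """Return the anomaly names this event raises against the user's baseline."""
    signals = []
    if event.device_id not in baseline.known_devices:
        signals.append("unknown_device")
    if event.country not in baseline.usual_countries:
        signals.append("atypical_location")
    if event.action == "download" and event.file_count >= BULK_DOWNLOAD_FILES:
        signals.append("bulk_download")
    return signals


def decide(event: LoginEvent, baseline: UserBaseline) -> tuple:
    """Return (verdict, score, signals); verdict is 'allow' or 'require_mfa'."""
    signals = risk_signals(event, baseline)
    score = sum(RISK_WEIGHTS[s] for s in signals)
    verdict = "require_mfa" if score >= MFA_THRESHOLD else "allow"
    return verdict, score, signals


def record_mfa_success(event: LoginEvent, baseline: UserBaseline) -> None:
    """After the user proves possession of the second factor, trust the device.
    The location is deliberately not enrolled from a single verified login."""
    baseline.known_devices.add(event.device_id)


def evaluate_session(events, baselines):
    """Run events through the policy in order.  The example assumes every
    MFA prompt succeeds, so a prompted device is enrolled immediately."""
    decisions = []
    for ev in events:
        baseline = baselines.setdefault(ev.user, UserBaseline())
        verdict, score, signals = decide(ev, baseline)
        decisions.append((ev.user, ev.action, verdict, signals))
        if verdict == "require_mfa":
            record_mfa_success(ev, baseline)
    return decisions


def sample_baselines() -> dict:
    """Constructed baseline: alice normally works from one laptop in the US."""
    return {"alice": UserBaseline(known_devices={"laptop-01"}, usual_countries={"US"})}


# Constructed sample events, in the order they arrive.
SAMPLE_EVENTS = [
    LoginEvent("alice", "laptop-01", "US"),                   # routine login
    LoginEvent("alice", "laptop-01", "DE"),                   # travel, known device
    LoginEvent("alice", "phone-99", "RU"),                    # new device + new location
    LoginEvent("alice", "phone-99", "RU", "download", 250),   # bulk pull from OneDrive
    LoginEvent("alice", "laptop-01", "US", "download", 5),    # small download, usual context
]

if __name__ == "__main__":
    for row in evaluate_session(SAMPLE_EVENTS, sample_baselines()):
        print(row)
```

Running the sample gives allow, allow, require_mfa, require_mfa, allow: the trip to Germany on the known laptop passes, the unknown phone from an unusual country is challenged, and the 250-file download from that phone is challenged again because the bulk-download signal alone crosses the threshold even after the device has been enrolled.  Enrolling only the device, and not the country, after a passed prompt is a deliberate choice; a real deployment would also age out enrolled devices rather than trusting them forever.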

The responsibility to protect against the misuse of cloud account credentials lies with employees and IT security staff, not the app provider.  MFA adds a layer of defense in depth: a valid password followed by a failed or abandoned second-factor prompt is a clear indicator that the password has been stolen, brute-forced, or intercepted.  One caveat a practitioner should keep in mind is that a one-time passcode the user types in can itself be phished or relayed in real time by a man-in-the-middle proxy, so passcode MFA shows its strength mainly against password reuse and credential stuffing; where live relay attacks are in scope, an origin-bound factor such as FIDO2/WebAuthn resists them.  Equally important, MFA gives IT pros the flexibility to enforce a second factor based on pre-defined needs and/or dynamically when anomalous activity occurs, allowing IT to detect and stop these threats before data is stolen.  Validating the initial user authentication, continuously monitoring post-login activity for anomalies, and re-verifying identity with MFA when they appear are going to be increasingly important as we move more data into the cloud.