Secure Cloud Computing (Swiss Made)
February 2014 by MARC JACOB
Swiss cloud service provider ensures secure logins using SecurAccess, thereby providing its customers with protection against identity and data theft by means of modern two-factor authentication technology.
To date, cloud computing has only been a partial success in Europe. One obstacle is the varied range of different national data protection regulations and laws in place. The data scandals of the past year have also confirmed the prevailing skepticism caused by careless handling of the issue of data protection. It was in this regard that Vito Critti and Sascha Carroccio wanted to make a difference and therefore established the company swiss cloud computing ag, based in Cham in the canton of Zug. The company’s aim is to combine the positive attributes of cloud computing with Europe’s high safety standards.
Entirely cloud-based IT infrastructure
The Swiss company and its staff offer solutions related to SaaS (Software as a Service), IaaS (Infrastructure as a Service), DaaS (Desktop as a Service) and Cloud Backup from its computing centers in Zurich and Geneva. Small and medium-sized companies from Switzerland and ultimately from the whole of Europe can store their data and applications virtually here, as well as being able to access them flexibly and when on the move. The company quickly acquired a number of large clients and configured its capacities in order to achieve significant supraregional growth. The company’s business model specifies that customers can choose between an application model and a desktop model. From Office to graphics and even a complete Windows Server or SQL database – customers of the Swiss cloud service provider can procure their IT from the cloud and only pay for what they actually use.
Cybercrime 2.0 requires secure Cloud Computing 2.0
The hype around cloud computing is suffering not only from the espionage affair, but also as a result of increased cybercrime triggered by ever more advanced malware. Criminal tools that are enjoying increasing popularity are so-called man-in-the-middle attacks, keyloggers, phishing, spear-phishing e-mails and also sniffing. Identity theft in particular is flourishing on the Internet. If companies want to use the cloud services and their employees access these services from unsecured wireless networks, there is a risk that hackers can spy on the users and copy their login details. They can then log in at the same time and steal or manipulate data uploaded to the cloud. The desire for increased security has resulted in guidelines being issued stating that passwords must be as long as possible, must be composed of letters, numbers and special characters and must not be similar to the last five passwords used. However, this has increasingly resulted in complicated passwords being written on sticky notes and thus being made freely accessible. The use of a second factor offers an alternative in this respect.
Demanding requirements with regard to security and flexibility for remote access
Sascha Carroccio, CTO and co-founder of swiss cloud computing ag, immediately started looking for a security solution that would offer highly secure logins in order to meet the needs and philosophy of the Swiss provider of cloud services. Vito Critti, CEO and also a co-founder of swiss cloud computing ag, summarizes the initial situation: "We wanted to offer our customers two access options – standard access using a password and maximum security access using an extended login method with an additional SMS-based passcode." The need for a highly secure login was an important issue right from the very start. Many of the companies that use the services of the Cham-based provider are only permitted to save data in the cloud if the provider meets rigorous compliance policies. Many banks and insurance companies must also comply with requirements specified by the Swiss Financial Market Supervisory Authority (FINMA) as well as those associated with business continuity. The two co-founders therefore wanted a solution that met current security standards, was fit for the future and complied with all relevant data protection legislation in Switzerland as well as the rest of Europe. It quickly became clear that two-factor authentication with SMS would be the perfect solution for ensuring a high level of security when logging into the cloud. However, there were only a few providers in the market that could meet such stringent requirements.
Pilot phase dispelled any remaining doubts
“As a service provider in the cloud environment, we had been looking for a flexible and future-proof solution that ensured highly secure logins," explains Sascha Carroccio, CTO of swiss cloud computing ag. Additional criteria included device-side and server-side SIM card independence. At the World Hosting Days 2013 at Europapark in Rust, Carroccio met with Erich Kronfuss, Manager at the Austrian branch of ProSoft Software Vertriebs GmbH, to talk about the possibilities offered by the SecurAccess tokenless two-factor authentication solution developed by SecurEnvoy. The identity management software made an excellent initial impression. After intensive discussions with Mr Kronfuss and a successful pilot phase, the Swiss company therefore opted for SecurAccess. The solution offers a range of transmission channels for the six-digit passcode, such as SMS, soft token app or email. An important aspect for the CTO was also that ProSoft was on hand to offer good service and assistance throughout the evaluation period, for example with regard to the integration of the SMS Gateway.
"Based on our experiences, it was clear from the very outset that transmission via SMS would be the channel of choice for us, because it is the most convenient and familiar method of communication. Our clients use our services because we can meet their desire for flexibility and mobility. The acquisition of additional, expensive hardware to generate the passwords was therefore not an option. Two-factor authentication using SMS is scalable, has a competitive pricing model, ensures business continuity and fits perfectly with our mission to provide quality, transparency and security," explains Sascha Carroccio.
The best from the cloud and from BYOD combine to provide secure identity management
In addition to the simple and fast installation, an impressive feature of the two-factor authentication solution is the fact that it works with all appliances and all SIM cards. This clinched the matter for swiss cloud computing ag and resulted in the company procuring its first licenses and starting the rollout in September. The authentication method works as follows: users at companies that use the highly secure access method receive so-called one-time passwords (OTP), which are sent via SMS to their internet-enabled mobile phones or smartphones. It does not matter in this regard with which vendors they have their mobile phone contracts or from which manufacturer they purchased their devices. With this one-time password, which is transmitted using AES 256-bit encryption, staff can log into the cloud platform. The solution’s security results from the fact that the passwords are only valid for one session, i.e. one login action, and must be replaced with a new one for each subsequent session. "One way to save time here is to use pre-generated passcodes. However, in our experience only a few customers want to do this and many find it too cumbersome," says Sascha Carroccio.
New technologies for a new generation
15 companies are now already using the highly secure login procedure based on the tokenless two-factor authentication solution. Sascha Carroccio therefore wants to continue with this approach. "We are very satisfied with the first few months of operation, and the feedback from our customers is also positive, so we will be purchasing additional licenses in the near future." It is also possible that the new One Swipe transmission method offered by SecurAccess will be introduced if the technology is requested by customers. With this approach, a QR code can be used for authentication in order to provide a smooth and secure login even if the user is offline, i.e. does not have an Internet connection. "The two-factor authentication solution has really impressed us in terms of security and flexibility and has fully met our expectations from the outset, so we will continue to invest in this technology in the coming years," says Sascha Carroccio as he looks to the future.
The best from cloud computing and from BYOD
From its data centers in Zurich and Geneva, offering SaaS, IaaS, DaaS and Cloud Backup, swiss cloud computing ag, based in Cham in Switzerland, ensures the scalability and investment security of IT infrastructure. Swiss companies from the banking, insurance and pharmaceutical sectors are already among the customers whose employees use applications from the cloud service provider’s cloud environment on a daily basis. For customers with special security requirements, the provider has implemented the SecurAccess two-factor authentication solution in order to ensure secure login procedures.