News: 1730834230

  ARM Give a man a fire and he's warm for a day, but set fire to him and he's warm for the rest of his life (Terry Pratchett, Jingo)

Don't have MFA on a Google Cloud account? You'll have to from Jan

(2024/11/05)


Google Cloud is the latest to take the decision away from customers and enforce the use of multi-factor authentication (MFA) for all users to improve the security of the minority that don't already have it enabled.

The company's phased approach has already begun but starting in January, the roughly 30 percent of Google Cloud customers that still rely on a password only for account authentication will be forced to enable an MFA solution.

For the next two months, Google Cloud will be pushing reminders about the impending change to MFA-less users, along with links to resources to make the rollout easier for organizations who need a little extra support.

[1]

"At Google Cloud, we're committed to providing the strongest security for our customers," the company [2]blogged today.

[3]

[4]

"As pioneers in bringing multi-factor authentication to millions of Google users worldwide, we've seen firsthand how it strengthens security without sacrificing a smooth and convenient online experience. That's why we will soon require MFA for all Google Cloud users who currently sign in with just a password."

The final phase of the rollout is slated to begin at the end of next year. After the password-only crowd, all customers who used federated authentication for Google Cloud will also be roped into enabling MFA.

[5]

There will, however, be some flexibility for these customers. Google Cloud said it's working with the major identity providers so that MFA can be enabled on their side and that will satisfy the company's new MFA requirements, or customers can choose to enable it on Google's side, whichever is the preferred option.

Google introduced consumer-grade 2FA for users in 2011 and since then has developed it further to phishing-resistant security keys, which latterly evolved into passkeys. 2FA isn't mandatory for consumer accounts, although Google said it's widely used, and Google Cloud customers are most likely hosting more sensitive data anyway, which necessitates greater security controls.

"Today, there is broad [two-step verification (2SV)] adoption by users across all Google services. However, given the sensitive nature of cloud deployments – and with phishing and stolen credentials remaining a top attack vector observed by our Mandiant Threat Intelligence team – we believe it's time to require 2SV for all users of Google Cloud.

[6]

"This shift is backed by strong evidence both from our own experience and from U.S. government agencies. The Cybersecurity and Infrastructure Security Agency (CISA) found that MFA makes users 99% less likely to be hacked, a powerful reason to make the switch."

Google Cloud's move follows that of Amazon which last week [7]announced MFA as an account security option for WorkMail customers for the first time, eight years after the enterprise email service launched.

Its cloud arm, AWS, also announced over the summer its intention to force MFA on customers, but [8]only for privileged accounts . The approach was similar to [9]that of Microsoft , whose execs confirmed in May that its policy would only apply to Azure admins.

Snowflake said it too would be [10]mandating MFA for all users in July, although this was essentially forced on the company after a swathe of account break-ins were attributed to users lacking the extra authentication security.

Regardless of the motivations behind the respective companies' decisions to enforce MFA on more customers, doing so is always a step forward in security.

The prevailing advice from all corners of the infosec industry is to enable it as widely as possible – it's one of the most effective ways of preventing breaches.

[11]Snowflake lets admins make MFA mandatory across all user accounts

[12]Cloud threats have execs the most freaked out because they're not prepared

[13]AWS is pushing ahead with MFA for privileged accounts. What that means for you ...

[14]Microsoft gives Windows admins a break and MFA a hard push

It's something that should ideally be adopted across the wider industry and not just at the big tech companies given that cybercrims have targeted cloud customers on an increasing basis for years now, with researchers citing [15]chunky year-on-year increases in targeting attempts.

A report from PwC released in September found that [16]cloud-based threats were at the very top of CISOs' list of fears mainly due to their organizations not being set up to defend against them – an even greater fear than ransomware for many.

Similarly, Microsoft's [17]research into Storm-0501, a double trouble group which both breaches cloud environments and uses ransomware, showed that its methods could all be stifled heavily by enabling MFA. It serves as a case study showing how effective additional account controls can be for organizations defending against the most sophisticated cybercriminals. ®

Get our [18]Tech Resources



[1] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_offprem/paasiaas&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=2&c=2Zyqjlxeb0I4Tip_FruD7ngAAAA4&t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0

[2] https://cloud.google.com/blog/products/identity-security/mandatory-mfa-is-coming-to-google-cloud-heres-what-you-need-to-know

[3] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_offprem/paasiaas&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44Zyqjlxeb0I4Tip_FruD7ngAAAA4&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0

[4] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_offprem/paasiaas&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=3&c=33Zyqjlxeb0I4Tip_FruD7ngAAAA4&t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0

[5] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_offprem/paasiaas&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44Zyqjlxeb0I4Tip_FruD7ngAAAA4&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0

[6] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_offprem/paasiaas&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=3&c=33Zyqjlxeb0I4Tip_FruD7ngAAAA4&t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0

[7] https://www.theregister.com/2024/10/31/amazon_mfa_workmail/

[8] https://www.theregister.com/2024/06/17/aws_mfa_roll_out/

[9] https://www.theregister.com/2024/05/23/microsoft_windows_updates_azure/

[10] https://www.theregister.com/2024/07/10/snowflake_mandatory_mfa/

[11] https://www.theregister.com/2024/07/10/snowflake_mandatory_mfa/

[12] https://www.theregister.com/2024/09/30/pwc_security_survey/

[13] https://www.theregister.com/2024/06/17/aws_mfa_roll_out/

[14] https://www.theregister.com/2024/05/23/microsoft_windows_updates_azure/

[15] https://www.theregister.com/2023/01/20/cloud_networks_under_attack/

[16] https://www.theregister.com/2024/09/30/pwc_security_survey/

[17] https://www.theregister.com/2024/09/27/microsoft_storm_0501/

[18] https://whitepapers.theregister.com/



Right.....For Some Of The Wrong Reasons....

Anonymous Coward

Quote: "...organizations defending against the most sophisticated cybercriminals..."

Yup....the article does mention Google, Microsoft and Amazon.............!!!!

All your you's belongs to us.

Omnipresent

It's over. The world has been turned over to the AI the ALMIGHTY. They didn't even have to try, and you were sooooooo eager to jump when they said jump. All Hail the data thief kings! Hail!Hail!

Now they have your voice, fingerprint, eye scan, and even your deepest thoughts. Your house has been mapped, your children's names and locations databased. No way out. The spider has you. Become the hive mind or die. You will be assimilated. You do not have a choice. The monkeys were too stupid to live anyway.

operation failed because: there is no message for this error (#1014)