To date, cloud computing in Europe has faced varied national data protection regulations and laws. The data scandals of the past year have also confirmed the prevailing skepticism caused by careless handling of data. Vito Critti and Sascha Carroccio wanted to make a difference and thus established the company swiss cloud computing ag, based in Cham in the canton of Zug. The company’s aim is to combine the positive attributes of cloud computing with safety standards.
The Swiss company and its staff offer solutions related to SaaS (Software as a Service), IaaS (Infrastructure as a Service), DaaS (Desktop as a Service) and Cloud Backup from its computing centers in Zurich and Geneva. Small and medium-sized companies from Switzerland and ultimately all of Europe can store their data and applications virtually here and access them flexibly, including when on the move. The company acquired clients and configured its capacities to achieve supraregional growth. The company’s business model specifies that customers can choose between an application model and a desktop model. From Office to graphics and even a complete Windows Server or SQL database – customers of the Swiss cloud service provider can procure their IT from the cloud and only pay for what they actually use.
The hype around cloud computing is suffering not only from the espionage affair, but also as a result of increased cybercrime triggered by ever more advanced malware. Criminal tools that are enjoying increasing popularity are so-called man-in-the-middle attacks, keyloggers, phishing, spear-phishing e-mails and also sniffing. Identity theft in particular is flourishing on the Internet. If companies want to use the cloud services and their employees access these services from unsecured wireless networks, there is a risk that hackers can spy on the users and copy their login details. They can then log in at the same time and steal or manipulate data uploaded to the cloud. The desire for increased security has resulted in guidelines being issued stating that passwords must be as long as possible, must be composed of letters, numbers and special characters and must not be similar to the last five passwords used. However, this has increasingly resulted in complicated passwords being written on sticky notes and thus being made freely accessible. The use of a second factor offers an alternative in this respect.
Sascha Carroccio, CTO and co-founder of swiss cloud computing ag, started looking for a security solution that would offer secure logins, to meet the needs and philosophy of the Swiss provider of cloud services. Vito Critti, CEO and also a co-founder of swiss cloud computing ag, says: “We wanted to offer our customers two access options – standard access using a password and maximum security access using an extended login method with an additional SMS-based passcode.” The need for a highly secure login was an important issue from the start. Many of the companies that use the services of the Cham-based provider are only permitted to save data in the cloud if the provider meets rigorous compliance policies. Many banks and insurance companies must also comply with requirements specified by the Swiss Financial Market Supervisory Authority (FINMA) as well as those associated with business continuity. The two co-founders wanted a solution that met current security standards, was fit for the future and complied with all relevant data protection legislation in Switzerland as well as the rest of Europe. Two-factor authentication with SMS looked like a solution for ensuring a high level of security when logging into the cloud. However, there were only a few providers in the market that could meet such requirements.
SecurEnvoy collaborates with partners such as AEP, Astaro, Cisco, Checkpoint, Citrix, Juniper, F5, Palo Alto, Sophos, etc. See www.SecurEnvoy.com for further information.
“As a service provider in the cloud environment, we had been looking for a flexible and future-proof solution that ensured highly secure logins,” explains Sascha Carroccio, CTO of swiss cloud computing ag. Additional criteria included device-side and server-side SIM card independence. At the World Hosting Days 2013 at Europapark in Rust, Carroccio met with Erich Kronfuss, Manager at the Austrian branch of ProSoft Software Vertriebs GmbH, to talk about the possibilities offered by the SecurAccess tokenless two-factor authentication solution developed by SecurEnvoy. The identity management software made an excellent initial impression. After intensive discussions with Mr Kronfuss and a successful pilot phase, the Swiss company therefore opted for SecurAccess. The solution offers a range of transmission channels for the six-digit passcode, such as SMS, soft token app or email. An important aspect for the CTO was also that ProSoft was on hand to offer good service and assistance throughout the evaluation period, for example with regard to the integration of the SMS Gateway. “Based on our experiences, it was clear from the very outset that transmission via SMS would be the channel of choice for us, because it is the most convenient and familiar method of communication. Our clients use our services because we can meet their desire for flexibility and mobility. The acquisition of additional, expensive hardware to generate the passwords was therefore not an option. Two-factor authentication using SMS is scalable, has a competitive pricing model, ensures business continuity and fits perfectly with our mission to provide quality, transparency and security,” explains Sascha Carroccio.
In addition to the installation, a feature of the two-factor authentication solution is the fact that it works with all appliances and all SIM cards. This clinched the matter for swiss cloud computing ag and resulted in the company procuring its first licenses and starting the rollout in September. The authentication method works as follows: users at companies that use the secure access method receive so-called one-time passwords (OTP), which are sent via SMS to their internet-enabled mobile phones or smartphones. It does not matter in this regard with which vendors they have their mobile phone contracts or from which manufacturer they purchased their devices. With this one-time password, which is transmitted using AES 256-bit encryption, staff can log into the cloud platform. The solution’s security results from the fact that the passwords are only valid for one session, that is, one login action, and must be replaced with a new one for each subsequent session. “One way to save time here is to use pre-generated passcodes. However, in our experience only a few customers want to do this and many find it too cumbersome,” says Sascha Carroccio.
Fifteen companies are already using the secure login procedure based on tokenless two-factor authentication. Sascha Carroccio wants to continue with this approach. “We are very satisfied with the first few months of operation, and the feedback from our customers is also positive, so we will be purchasing additional licenses in the near future.” It is also possible that the new One Swipe transmission method offered by SecurAccess will be introduced if the technology is requested by customers. With this approach, a QR code can be used for secure login even if the user is offline, that is, does not have an internet connection. “The two-factor authentication solution has really impressed us in terms of security and flexibility and has fully met our expectations from the outset, so we will continue to invest in this technology in the coming years,” says Sascha Carroccio.
From its data centers in Zurich and Geneva, offering SaaS, IaaS, DaaS and Cloud Backup, swiss cloud computing ag, based in Cham in Switzerland,