One of the practical manifestations of the recent flurry of interest in “cloud computing” is the adoption, by at least some organizations, of the Google Apps platform for E-mail, calendar and document sharing, and other “cloud” services. One of the frequently expressed concerns about cloud services in general has been security: some managements are made very nervous (not without some justification) by the idea of their confidential data not being under their control. One set of worries has to do with the data being physically in someone else’s data center; another centers on how well the access controls on the data — which, after all, is in principle accessible from anywhere on the Internet — will work.
As reported in an article at Ars Technica, Google today announced the availability of additional security measures for its Google Apps customers (which, according to a post on the official Google blog, now number more than 3 million) to address the second class of concerns. Customers may now choose to enable an additional layer of security verification: in addition to a user ID and password, the new system will require the user to enter a six-digit code sent to the user’s mobile phone. This covers two items of the security trinity: something you know (the password), and something you have (the mobile device). The system, which is described in more detail in a post on the Google Enterprise Blog, will also allow certain devices to be designated as trusted, meaning that two-factor authentication will not be required on those devices. (One might use this, for example, for devices on a local wired network.)
Google says that the new security measures are available now for customers of its Premier, Education, and Government Editions of Google Apps, and that it plans to eventually make the system available to all users.
This seems to me to be a useful step forward in the attempt to provide better security for Internet applications. There is no perfect system, of course, but this makes life a bit more difficult for the potential shoulder surfer or password sniffer. But it is also predictable that some users will manage to mess it up. If you’re planning to enable this feature, have you sent out the “Don’t keep your cellphone in your laptop bag!” memo yet?