Amazon adds onetime password token to entice the wary

Aiming to allay corporate IT's fears about cloud security, Amazon is now selling password-generating devices for use with its cloud. Is it enough?

Amazon Web Services (AWS) has announced a partnership with security vendor Gemalto to sell its Ezio Time Token onetime password devices for use with individual AWS accounts. The devices sell for $12.99 and, once activated, generate a random password every 30 seconds for a user's AWS login. It does not affect the encryption keys used with AWS accounts.
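The 30-second rotating code described above is the behaviour of a time-based one-time password. The following is an added example, not code from Amazon, Gemalto or this article: it implements the OATH TOTP scheme (RFC 6238, HMAC-SHA1) as a generator plus the server-side check a service would run, including tolerance for a token whose clock has drifted by one step and a guard so that a code captured in transit cannot be replayed within its validity window. The article does not say which algorithm the Ezio token uses, so the choice of OATH TOTP is an assumption, and the secret is the RFC's published test vector rather than any real key.

```python
# Added example: minimal TOTP (RFC 6238) generator and a verifier with
# clock-drift tolerance and replay protection. Not Gemalto's or AWS's code;
# OATH TOTP with HMAC-SHA1 is assumed, since the article names no algorithm.
import hashlib
import hmac
import struct

STEP_SECONDS = 30  # the 30-second refresh interval the article describes


def totp(secret: bytes, unix_time: int, step: int = STEP_SECONDS, digits: int = 6) -> str:
    """Return the TOTP code valid at unix_time for the shared secret."""
    counter = unix_time // step  # time step number T
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation (RFC 4226)
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


class TotpVerifier:
    """Server side: accept a code once only, within +/- `window` steps of now."""

    def __init__(self, secret: bytes, digits: int = 6, window: int = 1,
                 step: int = STEP_SECONDS):
        self.secret, self.digits, self.window, self.step = secret, digits, window, step
        self.last_accepted = -1  # highest step number already spent; blocks replay

    def verify(self, code: str, unix_time: int) -> bool:
        current = unix_time // self.step
        for delta in range(-self.window, self.window + 1):
            counter = current + delta
            if counter <= self.last_accepted:
                continue  # this step, or an earlier one, has already been used
            expected = totp(self.secret, counter * self.step, self.step, self.digits)
            if hmac.compare_digest(expected, code):  # constant-time comparison
                self.last_accepted = counter
                return True
        return False


# RFC 6238 Appendix B test secret (constructed example data, not a real key)
TEST_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    verifier = TotpVerifier(TEST_SECRET, digits=8)
    code = totp(TEST_SECRET, 59, digits=8)  # "94287082" per RFC 6238
    # first use succeeds; presenting the same code again is rejected as a replay
    print(code, verifier.verify(code, 59), verifier.verify(code, 70))
```

The replay guard is the part a naive implementation tends to omit: without it, a code is valid for the whole step plus the drift window, which is long enough for a phished or shoulder-surfed code to be reused. Tracking the last accepted step per user closes that gap at the cost of one integer of state.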


Onetime password token devices like this are widely used in the financial industry and in other sectors with sensitive data. Once bought, Gemalto's devices and a user's AWS account login are linked through Gemalto's "Strong Authentication" server. The move comes as Amazon increasingly pitches its flagship EC2 cloud service to enterprises leery of using shared, public resources.

"They have seen an interest in a stronger form of authentication," said David Teo, marketing manager for Gemalto's Texas offices. He said that Gemalto's usual customers were enterprises that needed to manage a remote workforce, and even vendors like Bank of America, which issue token devices to their online banking customers.

But is it enough?
Currently, AWS is accessible to anyone with a credit card and an email address, and the security concerns of most enterprises run far deeper than an automatic password generator. Any firm using onetime token devices also has sophisticated monitoring and governance tools, including federated identity management, activity tracking, user management and remote control of authentication systems.

"Any company that wanted this for their people would want to manage identities too," said Rich Buttermore, security analyst and senior director at CSC. When an employee leaves a company, for instance, it's standard to close computer accounts and rescind privileges to company resources, which presumably would include AWS services, said Buttermore. It's a basic security concern and something enterprises routinely take into account when managing IT resources.

"If your entire Web presence is on Amazon, and that account [and token device] belongs to one person, what happens if you can't find him?" said Buttermore. He added that disgruntled employees are even more of a risk as they may refuse to hand over access, as San Francisco network administrator Terry Childs famously did.

Childs was a network administrator for the city of San Francisco who refused to hand over to his superiors the passwords and logins that controlled the city's network infrastructure. He eventually gave the information directly to Mayor Gavin Newsom. Childs was jailed and stood trial for the act.

Buttermore said the limited nature of this security product would not appeal to an IT department looking to manage cloud resources.

Gordon Haff, Principal Analyst with Illuminata, agreed. "This is two-factor authentication -- which is often referred to as multi-factor, even though it's just two," he said. Haff called two-factor authentication of this type very common.

"This is by no means a comprehensive approach to AWS security, which is a much, much broader topic that also plays into compliance of various sorts," he said. "However, this sort of two-factor authentication is a common way of providing an additional level of protection."

This token system may prevent someone from accessing AWS services without the physical device, but it comes with none of the other features a company familiar with a high level of security would expect. It's an interesting move and clearly comes in response to customer worries about security, but it is unlikely to lead to a sudden surge in use of EC2 for enterprises that take network security management seriously, analysts say.

Carl Brooks is the Technology Writer at Contact him at [email protected].
