It seems like every IT vendor is jumping on the cloud computing bandwagon, hoping to appeal to enterprises struggling with limited budgets and the need to do more with less. However, while there have been plenty of success stories, the main stumbling block to wider cloud adoption has been security as IT departments worry about relying on services stored on remote servers they neither own nor control.

Eran Feigenbaum, director of security for Google Apps, said that companies have to look at security in a new way to appreciate the benefits cloud computing offers. "It's a paradigm shift, just like a hundred years ago when people had to consider moving the money they had always stuffed in their mattresses to banks," Feigenbaum told InternetNews.com.

"Cloud computing can be just as secure as what organizations are using today," he said.


To that end, Google (NASDAQ: GOOG) on Monday announced a significant security enhancement to its cloud-based Google Apps suite, giving administrators the option of adding two-factor authentication that requires two levels of password protection. (Google calls its implementation 'two-step verification.') A version for the iPhone is set to launch Monday, as well.

The two layers are a password to a user's Google Apps account and a verification code for the device or system you're working on. That extra layer is designed to prevent someone who might have a user's password from accessing the account illegally or without permission.

Feigenbaum said two-factor authentication isn't new, but it's been a costly addition that some companies are reluctant to pay extra for and is often complex to implement. "The issue has been one of cost. A lot of companies are paying as much for authentication as they are for apps, which is kind of shocking," he said.

Certain implementations require companies to maintain separate servers to manage the randomly generated authentication codes or physical tokens, such as a smart card, that users have ready access to.

"We wanted to do this in a simple way from an admin and user perspective," said Feigenbaum. "So it's free, and from the user's perspective, very easy."

Google's two-step verification feature will be available this week to customers of its paid Google Apps Premier suite, as well as education and government users. The company said it plans to expand availability to the hundreds of millions of individual users of free Google Apps later this year.

"The cool thing is that we built this on an open standard so companies can tailor the UI to the look and feel they want," said Feigenbaum. "And because we support the OAuth standard, we're letting you create two-factor security for all your other Web applications that support Oauth, with Google as your identity supplier."

The open OAuth standard can be used to verify users' credentials. As part of its recent redesign, Twitter is now requiring all third-party applications to use the OAuth technology to verify users' credentials and access their Twitter accounts.

The two-factor verification feature is the latest move by Google to improve security and assure potential customers their information is safe.

In July, the company rolled out Google Apps for Government, a custom version of its software and the first cloud computing suite to receive Federal Information Security Management Act (FISMA) certification and accreditation from the U.S. government. Google said it had to document hundreds of security and other controls to win FISMA certification, which promises to clear the way for the company to win more government contracts.

David Needle is the West Coast bureau chief at InternetNews.com, the news service of Internet.com, the network for technology professionals.

Follow eSecurityPlanet on Twitter @eSecurityP.