Improved security for cloud applications
After several large companies fell prey to attackers, leaving their customers exposed to ransomware and scams, we've received many questions about web application security.
Our development and cloud ops teams have put a lot of effort into reinforcing our cloud infrastructure to prevent these kinds of incidents. In this post, we’ll spotlight the changes we’ve made to help keep your systems safe.
Two-factor authentication (2FA) through Google Authenticator
2FA requires you to present two different factors to authenticate to an application. With our Google Authenticator enhancement, a user needs both the password to the cloud account and a one-time password (OTP) generated by the Google Authenticator app on their own device.
Once enabled, you will be prompted for your normal password and then for the OTP currently shown in the Google Authenticator app.
The Google Authenticator app generates a new, unique six-digit code every 30 seconds (it implements time-based one-time passwords, TOTP, as specified in RFC 6238). The solution takes about five minutes to set up and is a vital component in securing your account: a password that has been phished, reused or guessed is no longer enough on its own to log in.
Lockout protection on the cloud administrator accounts page
Lockout protection strengthens our defenses against brute force attacks: trial-and-error guessing of credentials, in which an attacker submits candidate passwords against a login form until one is accepted.
Brute force tooling can send a very large number of password guesses per second to an application in an effort to access the account. As a result, a brute force attack on a weak password can succeed within a few minutes, or even seconds.
One way to discourage brute force attacks is to issue a lockout after a specific number of password attempts. Our recent ConnectWise Control® Cloud update helps to protect against brute force by locking a user out of an account for 10 minutes after eight invalid password attempts.
The lockout strategy decreases the probability of a successful attack by limiting the number of invalid guesses to about forty-eight per hour (six ten-minute windows of eight attempts each), versus the thousands of attempts per minute an unthrottled login endpoint would accept.
It’s important to note that there are measures already in place to protect against brute force attacks and to alert us to them. The lockout feature is an additional counter-measure on top of our existing defenses.
Account security does not begin and end with infrastructure. Education is also key. Be sure to emphasize the importance of strong, unique passwords, enabling 2FA, and proper user setup at the account level.
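As an added illustration (not ConnectWise Control Cloud code), the following Python models the lockout rule described above, eight consecutive failures followed by a ten-minute lock, and then simulates an hour of non-stop guessing against one account to show where the "about forty-eight per hour" figure comes from. The class and function names, the account name and the attacker's guess rate are assumptions for the example.

```python
import time
from dataclasses import dataclass


@dataclass
class AccountState:
    failures: int = 0          # consecutive failed attempts since the last success or unlock
    locked_until: float = 0.0  # clock value at which the lockout ends (0.0 = not locked)


class LoginThrottle:
    """Per-account lockout: after `max_attempts` consecutive failures the account is
    locked for `lockout_seconds`. Attempts made while locked are refused before the
    password is ever checked, so they tell the attacker nothing about the password."""

    def __init__(self, max_attempts: int = 8, lockout_seconds: float = 600,
                 clock=time.monotonic):
        self.max_attempts = max_attempts
        self.lockout_seconds = lockout_seconds
        self.clock = clock  # injectable so the simulation below can run on a fake clock
        self._accounts: dict = {}

    def _state(self, username: str) -> AccountState:
        return self._accounts.setdefault(username, AccountState())

    def is_locked(self, username: str) -> bool:
        st = self._state(username)
        if st.locked_until > self.clock():
            return True
        if st.locked_until:
            # The lockout has expired: start a fresh failure budget.
            st.failures, st.locked_until = 0, 0.0
        return False

    def attempt(self, username: str, password: str, check_password) -> str:
        """Returns 'ok', 'bad_password' or 'locked'. `check_password(username, password)`
        is the real credential check and is only invoked when the account is not locked."""
        if self.is_locked(username):
            return "locked"
        st = self._state(username)
        if check_password(username, password):
            st.failures = 0
            return "ok"
        st.failures += 1
        if st.failures >= self.max_attempts:
            st.locked_until = self.clock() + self.lockout_seconds
        return "bad_password"


def simulate_online_bruteforce(seconds: int = 3600, guesses_per_second: int = 100,
                               max_attempts: int = 8, lockout_seconds: float = 600):
    """Model an attacker firing guesses at one account non-stop for `seconds`
    (assumed rate: 100 guesses per second). Returns a tuple
    (guesses_sent, guesses_actually_checked_against_the_password)."""
    now = [0.0]
    throttle = LoginThrottle(max_attempts, lockout_seconds, clock=lambda: now[0])
    checked = 0

    def never_right(username, password):
        nonlocal checked
        checked += 1  # every call here is one guess the attacker actually got to test
        return False

    sent = seconds * guesses_per_second
    for i in range(sent):
        now[0] = i / guesses_per_second
        throttle.attempt("cloudadmin", f"guess{i}", never_right)  # constructed attack traffic
    return sent, checked


if __name__ == "__main__":
    sent, checked = simulate_online_bruteforce()
    print(f"attacker sent {sent} guesses in an hour; only {checked} were evaluated")
```

Two things the model makes explicit. First, the lock is keyed on the account, not on the source address, so an attacker who can trigger it can keep a legitimate administrator out; that is why a public login endpoint still needs per-source rate limiting and alerting alongside the lockout. Second, the lockout counts failures per account, so it does little against an attacker who spreads a handful of guesses across many accounts (password spraying), which is one more reason strong, unique passwords and 2FA matter. The "locked" response is returned before any password check, and the same response should be given whether or not the account exists.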