The global cloud market continues to grow rapidly, up 23% year-over-year. This year, Google captured 13% of it, up from 10% last year. Google complements this impressive growth rate with an emphasis on privacy and security. The commitment to security is clear, as Google is the first cloud service provider mandating Multi-Factor Authentication (MFA) on all cloud accounts. The company announced it will require MFA for all users who sign in with a password, and this rollout will happen gradually throughout 2025.
What is MFA?
Multi-Factor Authentication (MFA) adds an extra layer of security by requiring an additional factor beyond the password. Typical MFA methods are a security key provided through a second communication channel, such as another email account or a cell phone, and in some cases even biometric authentication such as a fingerprint or facial recognition.
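As an added illustration (not code from the original post), the following Python sketch shows a login check that requires both a password and an RFC 6238 time-based one-time code, the scheme Google Authenticator apps use. The password, salt and TOTP secret are constructed demo values (the secret is the RFC 6238 test-vector seed); the drift window is an assumption.

```python
import hashlib
import hmac
import struct

# Constructed demo values for one enrolled user.
PASSWORD_SALT = b"constructed-demo-salt"
PASSWORD_HASH = hashlib.pbkdf2_hmac("sha256", b"correct horse battery staple", PASSWORD_SALT, 100_000)
TOTP_SECRET = b"12345678901234567890"   # RFC 6238 test-vector seed, shared with the user's authenticator app
STEP_SECONDS = 30
DIGITS = 6


def check_password(password: str) -> bool:
    """First factor: compare a PBKDF2 hash in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), PASSWORD_SALT, 100_000)
    return hmac.compare_digest(candidate, PASSWORD_HASH)


def totp(secret: bytes, unix_time: int, step: int = STEP_SECONDS, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HOTP (RFC 4226) over the current 30-second time step."""
    counter = int(unix_time) // step
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                                   # dynamic truncation
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify_totp(secret: bytes, submitted: str, unix_time: int, window: int = 1) -> bool:
    """Second factor: accept the current step plus/minus `window` steps for clock drift (assumed policy)."""
    for delta in range(-window, window + 1):
        expected = totp(secret, unix_time + delta * STEP_SECONDS)
        if hmac.compare_digest(expected, submitted):
            return True
    return False


def login(password: str, otp_code, unix_time: int, window: int = 1) -> str:
    """A stolen password alone never gets past this check; a valid, current code is also required."""
    if not check_password(password):
        return "denied: bad password"
    if otp_code is None:
        return "denied: second factor required"
    if not verify_totp(TOTP_SECRET, otp_code, unix_time, window):
        return "denied: bad or stale code"
    return "ok"
```

Note that the drift window also bounds how long a code phished out of a user stays usable, which is why the window is kept small.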
Why is Google mandating it now?
It is becoming more and more apparent that the “Achilles’ heel” of cloud security is not software vulnerabilities but human error, and in particular credential abuse. A Google study found that more than 80% of cloud hacks were carried out using stolen credentials. This is not surprising, because close to half of Americans admitted that their passwords were stolen in the past year. Examining recent cloud breaches shows that credential theft and spraying, credential re-use, and simply weak or never-changing credentials are often the cause of massive breaches. For instance, in the Snowflake breach, some of the user accounts that were “hacked” had very old credentials which had not been changed in years. In some cases, the credentials used belonged to past employees who had long since left the organization.
Google opted to reduce the risk of unauthorized access by mandating the use of MFA. Google says about 70% of its users have already enabled MFA, which makes it significantly harder for attackers to compromise accounts, even if they know your password.
Adhering to industry best practices and complying with new regulations
Google isn’t alone in stepping up its security measures. Many organizations, including government agencies and large enterprises, are adopting MFA as a standard security practice. By making MFA mandatory, Google Cloud is aligning itself with industry best practices and demonstrating its commitment to security.
In addition, several regulations and standards, such as GDPR and HIPAA, require organizations to implement strong security measures, including MFA. Recently, NIST published its new password guidelines, which call for the implementation of MFA on cloud accounts.
Is MFA enough?
While we applaud the adoption of more stringent security measures, it is important to remember that even after MFA is widely adopted, it cannot serve as the only means of protection. Capable attackers can still find ways to social-engineer employees and obtain the additional information required to access the cloud. This was demonstrated in recent hacks. Other attacks are conducted by insiders, who pass all the legitimate authentication checks. Such insiders can use cloud resources for crypto-mining or other nefarious purposes.
Summary
Google seems to understand better than most how cloud accounts get hacked. However, as Google accounts for only 13% of the global cloud market, even if 100% of its users employ MFA, there will still be many, many other cloud users who could continue to ignore it and expose their accounts to unnecessary risk. Additionally, even if most cloud users improve their initial authentication, the interconnectivity between cloud systems will still allow users to “hop” between different systems and roles according to their permissions.
Skyhawk’s AI-based Autonomous Purple Team simulates all the probable attack paths leading to the organization’s Crown Jewels, including utilization of compromised identities to “hop” between environments and roles. It also provides security teams with immediate and precise remediation of threats in real time.
Interested in a Purple Team Assessment? Learn more!