CheckRed Editorial

Identity Security
11 November 2024

Google Cloud Update – Mandatory Multi-factor Authentication (MFA) by 2025

In a move to bolster security and protect against rising cyber threats, Google is making Multi-factor Authentication (MFA) mandatory for users of its cloud services by 2025. Starting soon, all users accessing Google Cloud and associated services will be required to enable MFA, adding an extra layer of protection to prevent unauthorized access to sensitive data and systems. This new policy aims to safeguard both businesses and individuals from increasingly sophisticated cyberattacks.


Phased Roll-out for Google Cloud Users

Understanding that not all organizations are in the same place when it comes to cybersecurity maturity, Google’s approach offers flexibility and time for businesses to adapt.

Phase 1: Encouraging MFA Adoption (Starting November 2024)

Google’s phased rollout begins in November 2024 with an emphasis on encouraging MFA adoption. The company will provide resources, reminders, and guidance within the Google Cloud Console to help users implement MFA smoothly. This phase focuses on raising awareness, planning, and testing MFA configurations, ensuring organizations are well-prepared for the more stringent requirements in the next phases.

Phase 2: MFA Required for Password Logins (Early 2025)

In early 2025, Google will make MFA a requirement for password-based logins. This step addresses a significant vulnerability, as password-only authentication is increasingly susceptible to breaches. Users will be notified within the Google Cloud, Firebase, and gcloud consoles and guided through the MFA setup process. This phase is crucial for reducing the risk of unauthorized access due to compromised credentials.

Phase 3: MFA for Federated Users (End of 2025)

By the end of 2025, Google will extend its MFA mandate to all federated users, meaning those who use third-party identity providers to authenticate into Google Cloud services. This final phase will offer flexible options for organizations to meet the MFA requirement, ensuring that all user access—whether native or federated—is secured with multi-factor authentication. Federated authentication often opens the door to additional security gaps, and this move will help ensure that all users, regardless of how they access the cloud, are subject to the same robust security protocols.

This phased approach to mandatory MFA reflects Google’s commitment to securing cloud services while giving organizations the time and resources to adapt.

The Impact of Not Enforcing MFA in Your Cloud and SaaS Environment

Breaches in cloud and SaaS environments due to the absence of MFA are particularly concerning, as these platforms often host a wealth of sensitive data and critical applications. With more businesses migrating their operations to the cloud, the risk of unauthorized access to these environments grows significantly, especially when relying solely on passwords. Without MFA in place, these systems become prime targets for cybercriminals, who can exploit the weaknesses inherent in password-only security to compromise user accounts and gain unauthorized access to cloud resources.

Cloud and SaaS Vulnerabilities Without MFA

In cloud and SaaS environments, credentials often provide the “keys to the kingdom.” Once attackers have access to an employee’s credentials—whether through phishing, credential stuffing, or a data breach—they can move freely within cloud applications. Services such as AWS, Google Cloud, Microsoft Azure, Salesforce, and Office 365 are all frequent targets of cybercriminals because they contain vast amounts of valuable data and critical business functions. Without MFA, a simple stolen password can give attackers full access to cloud-hosted resources, including confidential files, intellectual property, and financial data.

Phishing and Cloud Service Compromise

Cloud services are particularly vulnerable to phishing attacks, which remain one of the most common attack methods in SaaS and cloud environments. Attackers may impersonate a trusted cloud service or internal company communication to deceive users into entering their login credentials. If MFA is not enabled, these stolen credentials can be used directly to access sensitive applications and data. Without MFA, attackers can also take advantage of weak or reused passwords to access multiple cloud and SaaS platforms. In cloud environments, where data flows between applications and services, a breach of one account can lead to a domino effect, allowing attackers to gain access to a broader range of systems and information.

Data Exfiltration and Ransomware in the Cloud

One of the most severe consequences of cloud breaches is data exfiltration, where attackers gain access to, steal, and potentially sell sensitive data stored in cloud platforms. Without MFA, hackers can not only view or steal sensitive files but also move laterally within the cloud environment, escalating their privileges and compromising other accounts. Ransomware attacks targeting cloud services have also been on the rise, where attackers lock up critical data and demand a ransom. With MFA in place, even if an attacker steals a password, they would still need the second form of authentication (e.g., a mobile app or hardware key) to complete the login, significantly reducing the risk of these attacks.

SaaS and Cloud Misconfigurations

In cloud and SaaS environments, misconfigurations often serve as an easy entry point for attackers. Without MFA, even well-intentioned users might inadvertently expose their accounts to threats through poor security practices, such as weak password policies or improper access controls. For instance, many cloud services have default settings or overly permissive configurations that grant excessive permissions to users, and without MFA, any threat actor who gains access to a weakly configured account can exploit these permissions to compromise an entire system.

Mitigating Cloud and SaaS Risks with Monitoring Tools to Identify Weak Access Controls

Google’s recent announcement of mandatory MFA for all cloud services highlights the importance of implementing strong, multi-layered security measures to prevent unauthorized access. While MFA adds a crucial barrier against breaches, monitoring tools are equally essential in identifying weak access controls that could undermine its effectiveness. These tools provide real-time visibility into user activity, tracking when and how users access cloud applications, and identifying any unusual or risky behavior that could signal improper permissions or misconfigurations. Organizations can thus stay ahead of potential threats, reduce the risk of unauthorized access, and improve overall cloud security.
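One check such monitoring can run ahead of the enforcement phases is an inventory of active accounts that still lack MFA. The sketch below is an added example, not CheckRed's or Google's code: it assumes a JSON export shaped like an Admin SDK Directory API `users.list` response, and the accounts in it are constructed sample data.

```python
import json

# Constructed sample shaped like a Directory API users.list response (not real accounts).
SAMPLE_EXPORT = json.dumps({"users": [
    {"primaryEmail": "admin@example.com", "isAdmin": True,
     "isEnrolledIn2Sv": False, "isEnforcedIn2Sv": False, "suspended": False},
    {"primaryEmail": "dev@example.com", "isAdmin": False,
     "isEnrolledIn2Sv": True, "isEnforcedIn2Sv": False, "suspended": False},
    {"primaryEmail": "analyst@example.com", "isAdmin": False,
     "isEnrolledIn2Sv": False, "isEnforcedIn2Sv": False, "suspended": False},
    {"primaryEmail": "ops@example.com", "isAdmin": True,
     "isEnrolledIn2Sv": True, "isEnforcedIn2Sv": True, "suspended": False},
    {"primaryEmail": "former@example.com", "isAdmin": False,
     "isEnrolledIn2Sv": False, "isEnforcedIn2Sv": False, "suspended": True},
]})

SEVERITY_ORDER = {"critical": 0, "high": 1, "medium": 2}


def audit_mfa(export_json):
    """Return (severity, email, issue) tuples for active accounts with weak 2SV posture.

    These fields describe Google 2-Step Verification only; they do not reflect
    MFA performed at a third-party identity provider for federated users.
    """
    findings = []
    for user in json.loads(export_json).get("users", []):
        if user.get("suspended"):
            continue  # suspended accounts cannot sign in, so they are out of scope
        enrolled = user.get("isEnrolledIn2Sv", False)
        enforced = user.get("isEnforcedIn2Sv", False)
        if enrolled and enforced:
            continue  # enrolled and required by policy: nothing to report
        if not enrolled:
            # A password alone opens this account; admins are the worst case.
            severity = "critical" if user.get("isAdmin") else "high"
            issue = "not enrolled in 2-Step Verification"
        else:
            # Enrolled voluntarily, but no policy stops the user from turning it off.
            severity = "medium"
            issue = "enrolled, but 2-Step Verification is not enforced"
        findings.append((severity, user.get("primaryEmail", "<unknown>"), issue))
    return sorted(findings, key=lambda f: (SEVERITY_ORDER[f[0]], f[1]))


if __name__ == "__main__":
    for severity, email, issue in audit_mfa(SAMPLE_EXPORT):
        print(f"{severity:8} {email:24} {issue}")
```
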

How Can CheckRed Help?

CheckRed continuously monitors your cloud and SaaS environments, including Google Cloud, to detect identity misconfigurations, lack of MFA, excessive privileges, and unauthorized access. With our CIEM solution, you get a complete picture of your cloud identity infrastructure. You also gain remediation guidance in the event of identity threats or poor access configurations. What’s more, CheckRed’s platform offers CNAPP, SSPM, CSPM, CWPP, KSPM, and more, making it the ideal cloud and SaaS security solution. Get in touch with us to know more!
