Twitter Hack Exposes Weakness of Human Factor

A hack which exposed sensitive corporate information about Twitter is creating a lot of debate in the Internet community about the security of cloud computing. While it may be too drastic to paint cloud computing red with this latest breach, it does raise serious concerns for companies thinking of using cloud computing services, and it raises the question of whether they’ve paid enough attention to their most serious security flaw: the human factor.

 

To recap, Twitter revealed this week, after a Website published stolen information, that it suffered a breach about a month ago. The hacker, identified as calling himself Hacker Croll, managed to break into an administrative employee’s email account and then gained access to the employee’s Google Apps account. For those not familiar with Google Apps, it essentially acts as a cloud service, allowing users to create, share and edit spreadsheets, presentations, forms and other business documents.

 

The hacker was able to gain access to sensitive documents about Twitter’s business plans, finances, confidential contracts and job applicants, and emailed copies of those documents to tech blogs TechCrunch, based in Silicon Valley, and Korben, a French site. The hacker was also reported to have been able to gain access to personal information of several Twitter employees, including credit card information, and managed to break into the email account of the wife of Twitter Chief Executive Evan Williams.

 

The Twitter hack clearly highlights the danger of storing corporate information and sensitive financial documents in the cloud. Now, before I get a hailstorm of emails defending the security of cloud offerings, I want to point out that I believe most cloud vendors have put in place industry-accepted security procedures. The problem lies in the human factor. As Twitter cofounder Biz Stone told the New York Times, it isn’t so much about a flaw in the cloud service, rather “it speaks to the importance of following good personal security guidelines such as choosing strong passwords.”

 

Security experts have long advised people to use complex passwords including a mix of numbers, letters and capitals and to use a unique password for every Web service they access. But the reality is many people will stick to relatively weak passwords because they can be easily remembered and will use the same password for a number of sites. In fact, security vendor Sophos published a study last year which showed about 40% of Internet users use the same password for every site they regularly access.

 

The Twitter hack doesn’t mean an end to the use of cloud services by corporations. But it is cause for pause. First, cloud vendors, including Google, need to think seriously about implementing more layers of security, such as requiring users to use strong passwords and perhaps change them regularly. Secondly, before CIOs start allowing their companies to use cloud services to store such things as business plans and corporate financial documents, they better darn well make sure they have briefed employees on how to choose and safeguard passwords.

 

Otherwise, the human factor is waiting to trip you up every time.
 




Comments (3)
1. 07-16-2009 13:56
 
I totally agree and left a comment on a different CIOZone.com article addressing the Twitter hack endorsing what you have said, which is that the need for basic info security awareness is alive and well in the cloud environment. Although the entry point for this attack was Gmail (a pure play webmail service), it might just as well have been any of the various email outsourcing providers where corporations host their Exchange servers but which also expose a webmail interface. Regrettably, I think we're going to see many more of these types of exposures given the explosion of data in the cloud. There are many third party Twitter services, for example, that require users to input their Twitter ID and password to manage followers, etc... I expect one of those to be a target for some embarrassing scenarios.
Registered
 
Frederick B. Kauber
2. 07-20-2009 09:49
 
Jonathan Zittrain, a law professor at Harvard and author of "The Future of the Internet -- And How to Stop It," had some thoughts on the dangers of cloud computing and how to solve some of the problems in an op-ed piece in The New York Times today (7/20/09). The most difficult challenge of the cloud, he said, "is its effect on our freedom to innovate." He noted that the freedom for people to write apps for fun for the PC is at risk in the cloud "where the vendor of a platform has much more control over whether and how to let others write new software." Check out the rest of his comments online.
Registered
 
Ellen Pearlman
3. 07-21-2009 10:18
 
The subject of information sharing (the socialization of information) and security is addressed in a featured video on this site. Walt Okon - Senior Enterprise Architect for the Defense Department has a good take on this topic. For more about his discussion on this site see: http://www.ciozone.com/index.php/CIOZone-Video-Library-2.html.  
 
Walt takes a very practical view of Identity Access Management. He discusses how the DOD is sharing information using PKI (Public Key Infrastructure). Worth the 5 minute view to gain some insights on his perspective from someone who probably knows a few things about security and information sharing.
Registered
 
John Sane


Copyright © 2007-2012 CIOZones. All Rights Reserved. CIOZone is a property of PSN, Inc.