
The concerns come after sensitive Twitter documents were stolen by a hacker who gained access to a Twitter employee’s Yahoo e-mail account and from there got information that allowed access to the company’s data on Google Apps. Although the breach occurred in May, the severity of the situation wasn’t clear until last week when the hacker fed the data to TechCrunch for public posting. While Twitter executives noted that there was no security vulnerability in Google Apps, the linking of personal and work e-mail by the employee, re-use of passwords on multiple accounts, and easy-to-guess security questions allowed an outsider to steal confidential information and expose it to the world.
Washington, D.C., is the first major U.S. city to sign up for the $50 per user per year service. Seattle, meanwhile, is using Google’s Postini service called Message Security. “Government agencies at all levels - federal, state, and city - are looking to cloud computing as a way to advance innovation while decreasing costs,” a Google spokesperson said in a statement.
“We agree that security is a very important consideration for any organization considering cloud computing, and we’ve been working very closely with the City of Los Angeles to address any questions and concerns government officials or citizens might have,” the statement said. “Security is at the core of how we design Google Apps, and as the City of Los Angeles’ evaluation report notes, the proposed cloud computing system is an improvement over the level of security currently in place. It also provides other benefits of cloud computing — such as increased innovation at reduced cost — which are driving the city’s request for a cloud solution to suit its IT needs.”

Cue a chorus of commentary alleging how this shows that if you want to keep stuff private, don’t put it on the web, period, because cloud security is not ready for prime time and nothing is secure on the net. OK, so let’s go back to storing confidential company documents on laptops that people leave in cars or forget on trains, or transferring them on computer tape and CD-ROMs that couriers deliver to the wrong address, or backing them up to USB sticks that go missing, or forgetting to wipe them off the hard disks of office servers when we dispose of them (UPDATE: see Michael Krigsman’s post on the same topic for a catalog of examples). Cloud security is no different from real-world security. It’s just a matter of identifying the risks and containing them.
Users really like the convenience of the cloud — far too much for them to give it up — but the trouble is, they also like the convenience of authentication using a simple username-password pair. They haven’t yet figured out that’s far too little to separate your confidential data from a nefarious interloper, especially when the Web means that authentication will work from anywhere, which dramatically increases the threat level. Now it’s up to cloud providers to inflict the same pain on their users — for their own sake — to protect their data. We won’t like it, but we’ll put up with it because at the end of the day we’d rather jump through all those hoops than give up all the convenience the cloud brings us.