Summary

Regardless of how careful a cloud provider is with its own security, it takes only one or two people with weak passwords (or guessable challenge questions) to leak critical information.  Although the provider may be blameless, cloud computing in general and Google in particular are likely to suffer from this incident.

Analysis

The greatest concern enterprises have about moving key business applications to the cloud is security.  When the word “security” is used, most people think of black-hat hackers: a lone teenager in a dark room in the middle of the night.  The reality is that breaking through the technical controls in place today at most enterprises and cloud providers is difficult at best, and rarely worth the effort.

The goal of security is usually not to lock a piece of information away completely, but to make reaching it so difficult that the effort exceeds the reward.  The security tools in place today at most enterprises and cloud providers are quite effective against the “casual” hacker: the value of the data simply isn’t worth the massive effort required to obtain it.

The easy way in, however, is to target the user rather than the technology, through some form of social engineering.  One of the most common approaches is to guess the answer to the challenge question that protects an account’s password reset.  Another is to run one of the widely available password crackers against simple passwords.

Moving sensitive data to the cloud doesn’t change how many accounts have simple passwords or guessable challenge questions.  It does, however, make those weaknesses more critical.  When all the sensitive company data is held within the corporate network, getting access from an external location is more complex and difficult.  Most enterprises have accounts that are reachable from the Web, but attacking them usually requires more specific knowledge of the target than does, for example, a Google or Yahoo account, whose login page is public and identical for everyone.

Full access to corporate systems usually requires a VPN connection of some sort.  Some of these require two-factor authentication, which is nearly invulnerable to the casual hacker: a guessed or cracked password alone is not enough.  Even the systems that only require a password usually enforce strong passwords.  Enterprises can impose such requirements on their own users; cloud providers serving the public at large generally can’t.
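To make the point concrete, here is an added example (written for this page, not code from the author or from any cloud provider) of the kind of password-policy check an enterprise can enforce on its own users, alongside a miniature dictionary attack of the sort the password crackers mentioned above perform.  The wordlist, the mangling suffixes, the leetspeak mapping and the length threshold are assumptions chosen for illustration; real crackers use far larger lists and rule sets.

```python
# Added example (not from the original article): a password-policy check of the
# kind the article says enterprises enforce, plus a miniature dictionary attack
# that shows why length/complexity rules alone are not enough. The wordlist,
# mangling rules and thresholds are assumptions for illustration.

MIN_LENGTH = 12

# Constructed mini-wordlist standing in for a cracker's dictionary (assumption).
WORDLIST = ["password", "twitter", "summer", "welcome", "letmein", "google"]

# Suffixes in the style of common cracker mangling rules (assumption).
SUFFIXES = ["", "1", "12", "123", "!", "1!", "2009", "2009!", "09"]

# Leetspeak substitutions a cracker would try (assumption).
LEET = str.maketrans("aeios", "43105")


def mangle(word):
    """Yield the variants of `word` a dictionary cracker tries first:
    case variants and a leetspeak variant, each with the usual suffixes."""
    forms = []
    for form in (word, word.capitalize(), word.upper(), word.translate(LEET)):
        if form not in forms:  # skip duplicates (e.g. words with no leet letters)
            forms.append(form)
    for form in forms:
        for suffix in SUFFIXES:
            yield form + suffix


def dictionary_attack(candidate, wordlist=WORDLIST):
    """Return the number of guesses a dictionary attack needs to recover
    `candidate`, or None if it survives the whole wordlist.  Plaintext
    comparison is used because a policy check runs at the moment the user
    sets the password; a real cracker compares hashes instead."""
    guesses = 0
    for word in wordlist:
        for guess in mangle(word):
            guesses += 1
            if guess == candidate:
                return guesses
    return None


def check_policy(candidate, wordlist=WORDLIST):
    """Return the list of reasons `candidate` is rejected; empty means accepted."""
    reasons = []
    if len(candidate) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    classes = (
        any(c.islower() for c in candidate),
        any(c.isupper() for c in candidate),
        any(c.isdigit() for c in candidate),
        any(not c.isalnum() for c in candidate),
    )
    if sum(classes) < 3:
        reasons.append("fewer than three character classes")
    # The rule that actually stops the "simple password" attack: anything a
    # dictionary cracker would reach is rejected regardless of length or mix.
    if dictionary_attack(candidate, wordlist) is not None:
        reasons.append("derived from a dictionary word")
    return reasons


if __name__ == "__main__":
    # Constructed sample passwords: the first two are the "simple passwords"
    # the article warns about; the third is a passphrase that passes.
    for pw in ["Twitter123", "Password2009!", "Rain-Harbor-Cactus-77"]:
        cracked = dictionary_attack(pw)
        verdict = check_policy(pw) or ["accepted"]
        print(f"{pw!r}: cracked after {cracked} guesses; policy: {', '.join(verdict)}")
```

Note that `Password2009!` satisfies the length and character-class rules and is still recovered by the dictionary attack in well under a hundred guesses; in practice the wordlist check is done against large breached-password lists, which is the control a cloud provider could also offer its enterprise customers.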

Before enterprises can safely move sensitive applications (and with them their data) to the cloud, they must ensure that their account security is effective, since a key layer of protection, the corporate network boundary, is being removed.  Cloud providers should seriously consider offering two-factor authentication as an option to their enterprise customers.

In the meantime, Twitter’s well-publicized debacle is embarrassing for them, and will inevitably force cloud providers such as Google and Amazon to spend more time defending their business model.

Paul Massie consults with leading institutions through GLG


Director of Operations, StrataScale, Inc.

Analyses are solely the work of the authors and have not been edited or endorsed by GLG.