Twitter, Google and TechCrunch – User Education is Key


I just finished reading a great article by Eric Lundquist, “10 Lessons IT Execs Should Learn from the Twitter and TechCrunch Document Dustup”, which appeared in eWeek on July 17, 2009, and would like to reiterate and clarify some of the issues both IT and business executives face when making decisions around cloud computing.

According to eWeek “…A hacker apparently was able to access the Google account of a Twitter employee. Twitter uses Google Docs as a method to create and share information. The hacker apparently got at the docs and sent them to TechCrunch, which decided to publish much of the information…”

To my knowledge, the account in question was hacked using a combination of a common or “simple” user ID and password, which is not uncommon. As silly as it may sound, a hacker simply guessed the user ID/password combination. To minimize this risk, Google Apps Premier Edition offers Advanced Password Settings, which include a password strength and monitoring tool for domain administrators. Had the password policy been enforced and monitored, the account would have been much more difficult to penetrate.
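As an added illustration of what “enforcing a password policy” means in practice (this is example code written for this post, not Google’s Advanced Password Settings and not code from the original article), the following checker rejects the kinds of guessable passwords described above: too short, too few character classes, present on a list of common passwords, or derived from the user ID. The common-password list is a constructed sample; a real deployment would load a full breached-password list.

```python
"""Password policy checker: length, character-class mix, common-password list,
and rejection of passwords that embed the user ID (constructed example)."""
import re
from typing import Dict, List

# Constructed sample of well-known weak passwords (assumption: a real list is far larger).
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome", "admin"}

CLASS_PATTERNS = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")


def check_password(user_id: str, password: str, min_length: int = 12) -> List[str]:
    """Return the list of policy violations; an empty list means the password passes."""
    problems: List[str] = []

    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")

    # Count how many of lower / upper / digit / symbol appear at least once.
    classes = sum(bool(re.search(p, password)) for p in CLASS_PATTERNS)
    if classes < 3:
        problems.append("fewer than 3 character classes")

    lowered = password.lower()
    if lowered in COMMON_PASSWORDS:
        problems.append("appears in common-password list")

    # The local part of the user ID (before '@') must not appear inside the password.
    local_part = user_id.split("@")[0].lower()
    if local_part and local_part in lowered:
        problems.append("contains the user ID")

    # A single character repeated (e.g. "aaaaaaaaaaaa") defeats length alone.
    if re.fullmatch(r"(.)\1+", password):
        problems.append("single repeated character")

    return problems


def audit(accounts: Dict[str, str]) -> Dict[str, List[str]]:
    """Run the policy over user ID -> candidate password and return only the failures."""
    failures = {}
    for user_id, password in accounts.items():
        violations = check_password(user_id, password)
        if violations:
            failures[user_id] = violations
    return failures


if __name__ == "__main__":
    # Constructed sample accounts for a quick run.
    sample = {
        "alice@example.com": "Tr0ub4dor&3xample!",
        "bob@example.com": "password",
        "carol@example.com": "Carol2009!secure",
    }
    for user, violations in audit(sample).items():
        print(user, "->", "; ".join(violations))
```

The `audit` function is the piece an administrator would run over newly set passwords (or over hashes replaced by a policy check at change time); anything it returns is a password that should be rejected before it reaches a web-facing logon page.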

What I disagree with is that the media keep referring to the above event as if an attacker found a “hole” in Google Apps or in Google’s entire infrastructure, or figured out how to hack the Cloud, which is simply ignorant. I would like to clarify that there is no magic involved in getting into someone else’s user account. As an administrator, you must enforce user account password policies so that user passwords are nearly impossible to guess.

I do agree that it is more complex to gain access to an on-premises infrastructure, simply because most of the time access to your office computer is not visible to the general public or detectable from outside your network. A hacker needs a lot of information to even reach a logon screen before starting to guess passwords. In the case of Google Apps, the logon screen is available on the Web and its address can easily be guessed unless an administrator disguises it using unique domain names and similar measures. By the way, the use of unique domain names should be encouraged by SaaS vendors such as Google and Microsoft. It is their job to make sure that both IT executives and administrators are aware of the security risks and educated enough to make informed decisions around the protection of sensitive information.
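Because a web-facing logon page can be found and hammered from anywhere, the other half of the defence is noticing the guessing while it happens. The detector below is an added example written for this post (not Google’s monitoring tool and not code from the original article); it assumes a constructed log-line format of the form `<timestamp> login FAILED|SUCCESS user=<id> ip=<addr>` and flags a source address that produces many failures, or failures against many different accounts, inside a short window, together with any account that then logged in successfully from that same address.

```python
"""Detect online password guessing against a web-facing logon page from
authentication log lines (constructed format and constructed sample data)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed sample log: one address cycles through five accounts, then gets in as 'erin';
# a second address is an ordinary user who mistyped once.
SAMPLE_LOG = """\
2009-07-15T10:00:01Z login FAILED user=alice@example.com ip=203.0.113.5
2009-07-15T10:00:03Z login FAILED user=bob@example.com ip=203.0.113.5
2009-07-15T10:00:05Z login FAILED user=carol@example.com ip=203.0.113.5
2009-07-15T10:00:07Z login FAILED user=dave@example.com ip=203.0.113.5
2009-07-15T10:00:09Z login FAILED user=erin@example.com ip=203.0.113.5
2009-07-15T10:00:11Z login SUCCESS user=erin@example.com ip=203.0.113.5
2009-07-15T10:05:00Z login FAILED user=alice@example.com ip=198.51.100.7
2009-07-15T10:05:02Z login SUCCESS user=alice@example.com ip=198.51.100.7
"""

# Assumed log-line format (this is the example's own convention).
LINE_RE = re.compile(r"^(\S+) login (FAILED|SUCCESS) user=(\S+) ip=(\S+)$")

Event = Tuple[datetime, str, str, str]  # (timestamp, outcome, user, ip)


def parse(log: str) -> List[Event]:
    """Turn raw lines into (timestamp, outcome, user, ip) tuples, skipping malformed lines."""
    events: List[Event] = []
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m.group(2), m.group(3), m.group(4)))
    return events


def detect_guessing(events: List[Event],
                    window: timedelta = timedelta(minutes=5),
                    fail_threshold: int = 4,
                    user_threshold: int = 3) -> Dict[str, dict]:
    """Return one alert per source IP whose failures in any `window` reach
    `fail_threshold`, or hit at least `user_threshold` distinct accounts."""
    alerts: Dict[str, dict] = {}
    by_ip: Dict[str, List[Event]] = defaultdict(list)
    for ev in sorted(events):
        by_ip[ev[3]].append(ev)

    for ip, evs in by_ip.items():
        fails = [e for e in evs if e[1] == "FAILED"]
        # Slide a window starting at each failure; the first window that trips wins.
        for ts, _, _, _ in fails:
            in_win = [e for e in fails if ts <= e[0] < ts + window]
            users = {e[2] for e in in_win}
            if len(in_win) >= fail_threshold or len(users) >= user_threshold:
                # Any success from the same address inside the window is the account to act on.
                successes = {e[2] for e in evs
                             if e[1] == "SUCCESS" and ts <= e[0] < ts + window}
                alerts[ip] = {
                    "window_start": ts.isoformat(),
                    "failures": len(in_win),
                    "users": sorted(users),
                    "success_after_failures": sorted(successes),
                }
                break
    return alerts


if __name__ == "__main__":
    for ip, alert in detect_guessing(parse(SAMPLE_LOG)).items():
        print(ip, alert)
```

The thresholds are deliberately low so the constructed sample trips them; in production they would be tuned to the tenant’s normal failure rate, and the `success_after_failures` field is what turns a noisy alert into an actionable one (that account’s sessions should be reviewed and its password reset).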

While it isn’t possible to secure your environment 100%, be it on-premises or in the Cloud, the most important exercise is to constantly train and educate your end users, the weakest link, by sharing stories and reminding them how important information security is for them personally and for the business they are in.

Until next time,

Steve E. Driz
