Security in the Cloud, Twitter Case
Why is security in the cloud so crucial? The Financial Times discusses a prime example this week, when an employee at Twitter posted and leaked their financials on Google Apps, in the article "Twitter files leaked in ‘cloud’ lapse."
16 July 2009
Let me disagree off the bat. If this is a ‘lapse’ of anything, it is a lapse in judgement by the Twitter employee who put sensitive information on a site that clearly states "THE SERVICE IS NEITHER DESIGNED NOR INTENDED FOR HIGH RISK ACTIVITIES." (See Google Apps' Premier Edition Agreement.) Obviously, this was written in Aesopian language, which in plainer terms says: ‘if you are putting information of any value up here, you are on your own.’
Some general statements in the article apply to cloud applications for consumers with basic technical skills. For example, my teenage son, who wants to keep (free of charge) his home videos and essays on the internet in case his computer crashes, would be in the category of savviest users in this group. These are users who will simply walk away if the application access becomes too complex or costly.
Security doesn't come for free. (Even if the application is.)
A teenager will not dish out ten dollars for a hardware token to protect her homework. Her risk/benefit evaluation will judge those ten dollars an unjustified cost. (And she will be right, by the way.) All the questions about inadequate authentication strength for login and weaknesses of secondary authentication (a security question) are valid and apply to all applications. If the question is "Which provider is likely to make the investment to implement them properly?" I would answer: "Only the ones whose users have the clout to demand it."
The FT.com article, maybe unintentionally, also highlights the importance of differentiating between free web applications that cast as wide a net as possible to attract users (their business model is in getting advertisement revenues, after all), and SaaS (Software as a Service), a subset of what is now called "cloud computing" business applications, which is designed to handle critical data and charge for use.
SaaS solutions invest in secure infrastructure for you.
SaaS solutions geared towards providing business users with document sharing capabilities are built with security in mind. They have many controls and features to protect the data - from strong cryptography to user roles and elaborate authorization schemes to document level permissions and dynamic watermarking. SaaS solution providers also invest heavily in secure infrastructure and processes, e.g. requiring employee background checks and mandatory two-factor authentication for administrative users, to name a few. Do they still have the same issues as free apps with weak passwords? Some do. But the market forces them to adopt newer technologies and stronger authentication schemes.
The other advantage that business applications have is their built-in data segmentation that allows a different level of security per role or even per document group. Consumer applications, on the other hand, are forced to cater to the lowest common denominator. They may have free, normal and premium accounts, but they cannot go beyond that. For example, it is very difficult to segment users so that some will have regular password-protected accounts and others, who are willing to pay for it, will have some kind of two-factor authentication for the login. I am not even talking about having an escalating security scheme where a simple login is sufficient to enter the application, but extra authentication is needed to access certain "highly sensitive" areas of it.
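The escalating scheme described above can be sketched as an authorization check. This is an added example, not code from the article or from any vendor; the document group names, the two assurance levels and the five-minute freshness window are assumptions made for illustration.

```python
import time
from dataclasses import dataclass
from enum import IntEnum


class Assurance(IntEnum):
    PASSWORD = 1      # simple login
    TWO_FACTOR = 2    # password plus a second factor


@dataclass
class Session:
    user: str
    level: Assurance = Assurance.PASSWORD
    second_factor_at: float = 0.0   # when the second factor was last verified


# Hypothetical document groups and the assurance each one demands.
REQUIRED = {
    "public-notes": Assurance.PASSWORD,
    "financials": Assurance.TWO_FACTOR,
}
STEP_UP_TTL = 300  # assumed: a second-factor proof stays fresh for 5 minutes


def step_up(session, second_factor_ok, now=None):
    """Raise the session's assurance once the caller has verified a second factor."""
    if second_factor_ok:
        session.level = Assurance.TWO_FACTOR
        session.second_factor_at = time.time() if now is None else now
    return session.level


def authorize(session, group, now=None):
    """Return 'allow', 'step-up' (ask for the second factor) or 'deny'."""
    now = time.time() if now is None else now
    required = REQUIRED.get(group)
    if required is None:
        return "deny"                      # unknown group: fail closed
    if required == Assurance.PASSWORD:
        return "allow"                     # a plain login is enough here
    fresh = now - session.second_factor_at <= STEP_UP_TTL
    if session.level >= required and fresh:
        return "allow"
    return "step-up"                       # logged in, but must prove more
```

The same password session enters the application and reads low-sensitivity groups, while the sensitive group answers with a challenge rather than a flat denial.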
Vote with your feet.
So what is the user of those consumer applications to do if they cannot force better security from the vendors? First, stop assuming that a free service will give them state-of-the-art security - you get what you pay for. Second, stop being so truthful to the application. If the application stores user-provided answers to security questions to later compare with the answer entered, any long phrase you will remember can serve as an answer to those security questions. If a user enters "Mahalia Jackson" as their favorite teacher or "Mario Lemieux" or "Batman" as their favorite artist, the scheme will still work and, better yet, they can change those names any time. One thing to remember is that there is an authentication type which works only in the United States and goes against public databases to verify answers, so truthful answers are needed there. This is easy to recognize because the user will not be asked to enter the answer in their profile or on some kind of registration page. The third, and most powerful, thing consumer application users can do is to vote with their feet. If you need to store sensitive data securely, open an account with a business provider. That Twitter employee surely wishes they had had the foresight to do so. And if a sufficient number of users move away from consumer applications to satisfy their business needs, maybe those former vendors will pay attention.
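The store-and-compare scheme described above, as an added example that is not from the article or any particular service. The class name, the normalization rules and the PBKDF2 work factor are assumptions; the point is that the verifier only checks that the entered phrase matches the enrolled one, and that rotation is just re-enrolment.

```python
import hashlib
import hmac
import os
import unicodedata

ITERATIONS = 200_000  # assumed PBKDF2 work factor for this sketch


def normalize(answer):
    """Fold case, Unicode form and spacing so 'BATMAN ' matches 'batman'."""
    text = unicodedata.normalize("NFKC", answer).casefold()
    return " ".join(text.split()).encode("utf-8")


def _digest(answer, salt):
    return hashlib.pbkdf2_hmac("sha256", normalize(answer), salt, ITERATIONS)


class SecurityAnswers:
    """Per-user store: question -> (salt, digest). No plaintext is kept."""

    def __init__(self):
        self._records = {}

    def set_answer(self, question, answer):
        # Enrolment and rotation are the same operation: a fresh salt and
        # digest replace whatever was stored for this question.
        salt = os.urandom(16)
        self._records[question] = (salt, _digest(answer, salt))

    def check(self, question, answer):
        record = self._records.get(question)
        if record is None:
            return False
        salt, expected = record
        # Constant-time comparison of the derived digests.
        return hmac.compare_digest(_digest(answer, salt), expected)


# Constructed sample profile: the stored phrase only has to match what the
# user types later; the service has no way to tell whether it is true.
profile = SecurityAnswers()
profile.set_answer("favorite teacher", "Mahalia Jackson")
```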
Is it fair to lambast Google for inadequate security? Maybe not, in this case. They have warned their users, after all. Should they modify their authentication scheme to satisfy the needs of perhaps less than one percent of their users? It must be left up to them. It depends on what kind of user populations they are competing for. But if they want to move to providing business applications they need to provide ‘business grade’ security. Talk about stating the obvious. This is not so obvious for some users, though. See that article above.
Mushegh Hakhinian represents Intralinks at the Cloud Security Alliance SME Council, is a certified information systems security professional, and is a frequent contributor to industry publications. Prior to joining Intralinks, Mr. Hakhinian led security functions at a multi-tenant online banking service provider and an international bank.