Twitter’s Google Docs Hack – A Warning For Cloud App Users

Eric Lundquist eWEEK USA 2014. Ziff Davis Enterprise Inc. All Rights Reserved.,

Twitter lost its data through a hack on Google Docs. Learn from this to be very careful how much trust you place on cloud apps and Web 2.0, says Eric Lundquist

Here’s the background. A hacker apparently was able to access the Google account of a Twitter employee. Twitter uses Google Docs as a method to create and share information. The hacker apparently got at the docs and sent them to TechCrunch, which decided to publish much of the information.

The entire event – not the first time Twitter has been hacked into through cloud apps – sent the Web world into a frenzy. How smart was Twitter to rely on Google applications? How can Google build up business-to-business trust when one hack opens the gates on corporate secrets? Were TechCrunch journalists right to publish stolen documents? Whatever happened to journalists using documents as a starting point for a story rather than the end point story in itself?

Alongside all this, what are the serious lessons that business execs and information technology professionals can learn from the Twitter/TechCrunch episode? Here are my suggestions:

1. Don’t confuse the cloud with secure, locked-down environments.
Cloud computing is all the rage. It makes it easy to scale up applications, design around flexible demand and make content widely accessible [in the UK, the Tory party is proposing more use of it by Government, and the Labour Government has appointed a Tsar of Twitter – Editor]. But the same attributes that make the cloud easy for everyone to access makes it, well, easy for everyone to access.

2. Cloud computing requires more, not less, stringent security procedures.>br /> In your own network would you defend your most vital corporate information with only a username and user-created password? I don’t think so. Recent surveys have found that Web 2.0 users are slack on security.

3. Putting security procedures in place after a hack is dumb.
Security should be a tiered approach. Non-vital information requires less security than, say, your company’s five-year plan, financials or salaries. If you don’t think about this stuff in advance you will pay for it when it appears on the evening news.

4. Don’t rely on the good will of others to build your security.
Take the initiative. I like the ease and access of Google applications, but I would never include those capabilities in a corporate security framework without a lengthy discussion about rights, procedures and responsibilities. I’d also think about having a white hat hacker take a look at what I was planning.

5. The older IT generation has something to teach the youngsters.
The world of business 2.0 is cool, exciting… and full of holes. Those grey haired guys in the server room grew up with procedures that might seem antiquated, but were designed to protect a company’s most important assets.

6. Consider compliance.
Compliance issues have to be considered whether you are going to keep your information on a local server you keep in a safe or a cloud computing platform. Finger-pointing will not satisfy corporate stakeholders or government enforcers.