Here’s the background. A hacker apparently was able to access the Google account of a Twitter employee. Twitter uses Google Docs as a method to create and share information. The hacker apparently got at the docs and sent them to TechCrunch, which decided to publish much of the information.
The entire event – not the first time Twitter has been hacked into through cloud apps – sent the Web world into a frenzy. How smart was Twitter to rely on Google applications? How can Google build up business-to-business trust when one hack opens the gates on corporate secrets? Were TechCrunch journalists right to publish stolen documents? Whatever happened to journalists using documents as a starting point for a story rather than the end point story in itself?
Alongside all this, what are the serious lessons that business execs and information technology professionals can learn from the Twitter/TechCrunch episode? Here are my suggestions:
1. Don’t confuse the cloud with secure, locked-down environments.
Cloud computing is all the rage. It makes it easy to scale up applications, design around flexible demand and make content widely accessible [in the UK, the Tory party is proposing more use of it by Government, and the Labour Government has appointed a Tsar of Twitter – Editor]. But the same attributes that make the cloud easy for everyone to access makes it, well, easy for everyone to access.
2. Cloud computing requires more, not less, stringent security procedures.>br /> In your own network would you defend your most vital corporate information with only a username and user-created password? I don’t think so. Recent surveys have found that Web 2.0 users are slack on security.
3. Putting security procedures in place after a hack is dumb.
Security should be a tiered approach. Non-vital information requires less security than, say, your company’s five-year plan, financials or salaries. If you don’t think about this stuff in advance you will pay for it when it appears on the evening news.
4. Don’t rely on the good will of others to build your security.
Take the initiative. I like the ease and access of Google applications, but I would never include those capabilities in a corporate security framework without a lengthy discussion about rights, procedures and responsibilities. I’d also think about having a white hat hacker take a look at what I was planning.
5. The older IT generation has something to teach the youngsters.
The world of business 2.0 is cool, exciting… and full of holes. Those grey haired guys in the server room grew up with procedures that might seem antiquated, but were designed to protect a company’s most important assets.
6. Consider compliance.
Compliance issues have to be considered whether you are going to keep your information on a local server you keep in a safe or a cloud computing platform. Finger-pointing will not satisfy corporate stakeholders or government enforcers.
Page: 1 2
German foreign minister warns Russia will face consequences for “absolutely intolerable” cyberattack on ruling party,…
Google is reportedly laying off at least 200 staff from its “Core” organisation, including key…
Investor appeasement? Apple unveils huge $110 billion share buyback program, as sales of iPhone decline…
Tesla retreats from pioneering gigacasting manufacturing process, amid cost cutting and challenges at EV giant
No skynet please. After the US, UK and France pledge human only control of nuclear…
Microsoft's AI investments continue in south east Asia, after investments in Japan, Malaysia, Indonesia, as…
View Comments
Arrggg?ARE WE BRAIN DEAD?
The existing user id / password system is an ancient method that was developed for fixed computer systems such as servers, desktops and people needed mobility of account access and people had just one or two accounts to manage.
It is totally a different situation today? People register to tens and possibly hundreds of accounts in their short online lifetime.
And having to define a different user id and password for each of these accounts is simply crazy to expect. And then to give away my mothers maiden name, pets name, my favorite restaurant, etc to a online website that can get hacked can not only compromise my online accounts but also my real accounts such as bank accounts where these are used many a time.
IT IS SCARY?..
I have not used social networking sites much and have switched from one to another regularly. I was on orkut, then got bored and switched to LinkedIn which sounded more professional and now use FaceBook regularly and come to think of it, I use the same password for all of these.
IT IS EVEN MORE SCARY NOW?.
And this thought did not cross me nowoeit happened many months ago when the AOL story broke out and I wondered if there is a solution for this. And then I realized that the solution is not stronger password or having to tell the computer to remember it for me or to use my mother's maiden name to recover it.
THE SOLUTION IS TO JUST DUMP THE PASSWORD?oeiT IS NO LONGER NEEDED.
Today?s USER AUTHENTICATION system is developed for DESKTOP COMPUTING not for CLOUD COMPUTING where people exchange information between each other more regularly.
Today, the computer is mobile be it the NetBook or your Smart Phone. You carry it where you go and with pervasive mobile internet connectivity, you can get connected from anywhere using Wi-Fi, or GPRS or EDGE.
SO PLEASE INTERNET SECURITY EXPERTS?..WAKE UP?WE ARE NO LONGER STUCK TO A DESKTOP. AND HENCE NOT NEED TO USE A USER ID/PASSWORD TO ACCESS OUR ACCOUNTS FROM A DIFFERENT COMPUTER. WE OWN A NETBOOK OR AN IPHONE FROM WHICH WE DO MOST OF OUR ONLINE ACCESS OR WORK EXCEPT FOR WHEN WE ARE WORKING IN OUR OFFICES WHERE THE COMPANY SPENDS ZILLIONS ON SECURITY ANYWAYS.
IBM had thought of a password free system many years back?.they also filed a prior art on this.
http://www.priorartdatabase.com/IPCOM/000039794/
Others have followed? http://www.kirit.com/A%20simpl.....eb%20sites
And I have filed my own patent for EasySecured which offers a unique, simpler and completely SECURED way to achieve the same concept.
ISNT THIS AMAZING??NO PASSWORD TO REMEMBER, NO PASSWORD STORED ANYWHERE AWAITING TO BE HACKED?
IF PASSWORDS ARE NOT STORED ON THE SERVER OR YOUR COMPUTER, THERE IS NO WAY HACKERS CAN HACK INTO ONLINE ACCOUNTS.
AM I CRAZY? HOW DOES ONE AUTHENTICATE AN ACCOUNT IF THERE ARE NO PASSWORDS?
The solution is downright SIMPLE, your computer is your password. By this I mean not just a desktop, your netbook, your laptop, your smartphone, IPHONE anything that is a computer. YOU ARE NOT STUCK TO A SINGLE COMPUTER.
Your online account will open only from the computers you have registered to access. You do not have to define a password or remember it. Only your User ID which is like the PIN number of your Credit Card and which will work only from your computer or the computers you allow it to work.
ONCE AGAIN ?..NO PASSWORD?. IS STORED IN YOUR COMPUTER?. OR THE HOST SERVER.
The password is a unique signature derived from the various parts of your computer mashed up using a patent pending technology that is generated real time every-time you try to login to you account from the registered computer.
The server authenticates by decrypting your user account details using this real-time generated password and granting you access to your account.
Hackers rely on stored user id and password on servers to hack accounts. In this case only your user id is stored on the server encrypted a real time generated password that is stored NOWHERE.
IF a hacker has to gain access to your online account, he or she has to also gain access to your computer or IPHONE or NetBook along with your original User ID.
As every User ID and critical user information such as credit card numbers etc are encrypted using a unique key generated by a physical device, there is NO WAY HACKERS CAN HACK INTO ONE ACCOUNT AND GET THE KEY TO HACK THE REST OF THE ACCOUNTS ON THE SERVER.
I have been working on this idea and concept for months and only need industry support to make this a reality and ONCE AND ON FOR ALL PUT AN END TO THE VULNERABILITY OF ONLINE ACCOUNTS.
You can twitter me @gurudatts to know more about this or email me.
Thanks for your rather long and heated contribution.
What you're describing just sounds like well established token systems such as RSA SecurID to me.
http://en.wikipedia.org/wiki/Securid
Still I enjoyed your comment!
Peter Judge
Editor
EasySecured is based on the philosophy that passwords are not stored on servers waiting to be hacked.
Token systems store information on servers and they are very costly. SecureID costs something like $60 per token. Competitors offer similar technology for $10 and which may not be secure enough.
Whereas EasySecured if adopted will be virtually free as no new hardware is needed as I have been able to uniquely identify a computer without referring to any network address.
I have closely worked with a Biometric firm which developed different variants of token based solutions. Believe me they are not for the masses.