The real problems with cloud computing

Google may protect servers better than you do. But Ira Winkler says your job is to protect information, not just servers.

The recent Twitter hack, where a French hacker compromised internal Twitter documents by accessing the account of administrative assistant, among others, was essentially an attack on Google Docs. The reason is that Twitter outsourced their infrastructure by contracting with Google, and the accounts in question were on Google's infrastructure.

The ensuing reports questioned the security of Google Apps and cloud security in general. In the process, Google claimed that their security was better and less expensive than the security that companies could provide for themselves. At the same time, people (including me) persisted in their statements that exposed information is exposed information. This position takes the stand that companies want to protect their information, and not the computers themselves. This can be extremely confusing for CSOs trying to decide whether or not to implement cloud computing. This issue is at the forefront, especially given Los Angeles County's stated intention to migrate to Google Apps.

Also see: Chris Hoff on Virtualization and Cloud Computing

Let's first acknowledge that Google Apps was not specifically "hacked" in the traditional sense of the word during the Twitter hack. A hacker did not break into Google computers through some technical vulnerability in the Google infrastructure.

A hacker found a personal e-mail account for the administrative assistant previously mentioned. Similar to the Sarah Palin Yahoo! account hack, the hacker researched social networking sites to find the answer to the "secret question" required to reset the account's password. In going through the e-mails in the account, the hacker apparently found the password used by the administrative assistant on other sites, and correctly assumed that person used that password on their Twitter corporate account at Google Apps.

This gave the person access to e-mails and files. Other information available to the account also allowed the attacker to compromise the Twitter corporate accounts of other employees.

While the initial reaction would be to blame the guessability of the security questions on the freemail account, as well as the reuse of the password, that is akin to saying people drown because of water. Clearly, there are many other vulnerabilities in cloud computing implementation that enabled the compromise of the accounts on Google Apps.

For example, the fact is Google Apps allowed for anyone in the world to attempt to log into any account at Twitter. In this case, the account holder was in the San Francisco area and the hacker logged in from France. If the accounts were maintained internally, Twitter would have had the ability to deny remote access. Similarly, if there was misuse and abuse detection, even allowed accesses would have been flagged given the location as well as the scope of the data access. There are also data leak prevention (DLP) tools that could have been in place.

Google Apps doesn't provide for add-on security tools, such as those mentioned above. They do provide for SAML 2.0 authentication integration. However, that is a footnote, and organizations who are using Google Apps because they don't want to maintain the internal technical staff required to run office applications are not likely to maintain staff to manage a SAML compliant tool, which can be even more complicated. Using an automobile analogy, it is like saying you will bring your car to a repair shop for everything, even simple oil changes -- except for the ignition system, which you agree to maintain entirely on your own.

There is a great deal of truth that Google can maintain the security of systems better than individual companies. This specifically involves server security, not data security. For example, hackers target vulnerable operating systems that don't have properly applied patches. While I may be critical of some aspects of Google Apps security, I firmly believe that Google is significantly more likely to maintain the security of individual systems than companies would themselves.

Google also implements sharding, which means that an individual file could be divided among hundreds of systems in theory. This way, if someone actually does break into a server, they will not likely get a useful amount of information out of individual documents.

However, the fact is that attackers want your information and will get it however they have to. For example, the recent Heartland hacks resulted from SQL injection which targeted the database applications, not the servers. While Google Apps may better maintain fundamental security of the office applications, that again does not help with the access, and sniffing potential.

Cloud computing puts your data outside of your organization. Also when you use a cloud computing service, you are limiting yourself to the amount of advanced security tools that you can put on the system. I already gave the examples of DLP and misuse and abuse detection, which is not available to Google Apps users. Likewise, you cannot limit the access to only internal staff. There are many other security tools that cannot be put in place in cloud environments, unless the cloud environment is specifically designed for them.

There are also other issues to consider. You have little control over how much audit information is collected. For example, you likely do not have access to failed log-in attempts, so you cannot proactively look for attack reconnaissance. Likewise, while you may maintain ownership of your own data, you do not likely own all of the access log data. That potentially creates legal problems. For example, if someone does illicitly access your information, you might need to get a court order to see where they are coming from. If however you maintained your data internally, you would have instant access to all of this information.

Editorial limitations do not allow me to bring up all potential limitations of cloud computing security. However, I intend to get you thinking about what you need to consider.

Also see: Winkler on Awareness Training

Let's face it: The $US50 per user annual fee for Google Apps is very attractive from a financial perspective. I also believe that CSOs should make decisions not from a security perspective, but from a risk perspective. Risk acknowledges that you have to make decisions that balance potential losses against potential cost savings.

For those organizations that wouldn't normally implement more any additional security controls, like DLP or intrusion detection, you might as well use a cloud computing solution like Google Apps. They would be much more likely to implement basic security controls better than you would.

However, if you are an organization with a great deal of intellectual property, believe that your data is valuable, and intend to implement more than basic security measures, you probably need to maintain your own data infrastructure. You can however review cloud computing providers and see if they allow for the implementation of the security countermeasures you believe are necessary. There are a significant number of software vendors who are beginning to offer cloud security products. The better cloud computing providers should be integrating these tools.

My perception of the Twitter hack is that Twitter is a company where money is not a driving force in their infrastructure decisions. While they do plan for rapid growth, and Google Apps does allow for that growth, it is my belief that Twitter should implement more than basic security measures. After all, they eventually want to move into the corporate market and if they can't protect their own data, how can other companies trust Twitter with their data?

Los Angeles County has different circumstances. While they clearly have more than enough value that would justify maintaining the infrastructure internally, it seems like there is a major financial problem that might prevent it.

Unfortunately, given all of the regular abuse we see of government databases, by authorized users, Los Angeles would be taking an unacceptable risk. The recent convictions of State Department employees for looking at celebrity travel records demonstrates the abuse that can only be detected when there is the ability to regularly review audit logs. Los Angeles is also infamous for celebrity information, and people have been accused of accessing medical information of celebrities. For example, the Octomom's medical records were leaked, as were those of Britney Spears and countless other celebrities. Without the ability to provide for automated misuse and abuse detection, Los Angeles will miss a wide variety of criminal activities.

So while a cloud computing provider will likely better secure the servers, it is highly questionable as to whether than can secure your information better than you can. The acronym CISO stands for Chief Information Security Officer, not Chief Computer Security Officer. That should give you an idea as to what your priorities should be.

Join the PC World newsletter!

Error: Please check your email address.

Tags Googletwittercloud computing

Our Back to Business guide highlights the best products for you to boost your productivity at home, on the road, at the office, or in the classroom.

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Ira Winkler

CSO (US)
Show Comments

Essentials

Lexar® JumpDrive® S57 USB 3.0 flash drive

Learn more >

Microsoft L5V-00027 Sculpt Ergonomic Keyboard Desktop

Learn more >

Mobile

Lexar® JumpDrive® S45 USB 3.0 flash drive 

Learn more >

Exec

Audio-Technica ATH-ANC70 Noise Cancelling Headphones

Learn more >

HD Pan/Tilt Wi-Fi Camera with Night Vision NC450

Learn more >

Lexar® JumpDrive® C20c USB Type-C flash drive 

Learn more >

Lexar® Professional 1800x microSDHC™/microSDXC™ UHS-II cards 

Learn more >

Budget

Back To Business Guide

Click for more ›

Most Popular Reviews

Latest News Articles

Resources

PCW Evaluation Team

Azadeh Williams

HP OfficeJet Pro 8730

A smarter way to print for busy small business owners, combining speedy printing with scanning and copying, making it easier to produce high quality documents and images at a touch of a button.

Andrew Grant

HP OfficeJet Pro 8730

I've had a multifunction printer in the office going on 10 years now. It was a neat bit of kit back in the day -- print, copy, scan, fax -- when printing over WiFi felt a bit like magic. It’s seen better days though and an upgrade’s well overdue. This HP OfficeJet Pro 8730 looks like it ticks all the same boxes: print, copy, scan, and fax. (Really? Does anyone fax anything any more? I guess it's good to know the facility’s there, just in case.) Printing over WiFi is more-or- less standard these days.

Ed Dawson

HP OfficeJet Pro 8730

As a freelance writer who is always on the go, I like my technology to be both efficient and effective so I can do my job well. The HP OfficeJet Pro 8730 Inkjet Printer ticks all the boxes in terms of form factor, performance and user interface.

Michael Hargreaves

Windows 10 for Business / Dell XPS 13

I’d happily recommend this touchscreen laptop and Windows 10 as a great way to get serious work done at a desk or on the road.

Aysha Strobbe

Windows 10 / HP Spectre x360

Ultimately, I think the Windows 10 environment is excellent for me as it caters for so many different uses. The inclusion of the Xbox app is also great for when you need some downtime too!

Mark Escubio

Windows 10 / Lenovo Yoga 910

For me, the Xbox Play Anywhere is a great new feature as it allows you to play your current Xbox games with higher resolutions and better graphics without forking out extra cash for another copy. Although available titles are still scarce, but I’m sure it will grow in time.

Featured Content

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?