Twitter breach revives security issues with cloud computing

Computerworld - Security and privacy issues over cloud computing are not very different from those surrounding any sort of IT outsourcing and need to be treated that way, security managers and analysts say in the wake of breaches involving Twitter and Google Apps.

The incident has resurfaced many familiar concerns relating to cloud computing and is raising questions over a multimillion-dollar plan by the city of Los Angeles to move its e-mail and office applications to the cloud.

While many of the concerns are valid, it's important to retain perspective around them, security experts said.

"These concerns are very similar to the concerns and risks associated with traditional data storage outsourcing, offshoring, or other forms of remote data access," said Christopher Pierson, chief privacy officer with a large financial institution, which he asked not be identified. "Within the cloud, the standard issues of user access, authentication, encryption, location of storage all exist and need to be thought through on the front end," he said.

The advice comes in the wake of the July 15 disclosure by Twitter that a hacker had accessed a substantial amount of company data stored on Google Apps by first hijacking a Twitter employee's official e-mail account. Though the breach had more to do with weak passwords and password resets, the incident has nevertheless drawn fresh attention to broader security and privacy concerns related to cloud computing.

Some groups in Los Angeles are pointing to the Twitter/Google Apps incident as a reason why the city needs to reconsider a recently proposed plan to move e-mail and office applications to Google Apps.

Under the $7.25 million plan, the city will transition its Novell GroupWise e-mail and Microsoft Office applications to Google's e-mail and office productivity products starting this December. The migration is expected to save the city more than $6 million in software license costs over the next five years and an additional $7.5 million from reallocating resources dedicated to GroupWise to other tasks.

But some, such as the Consumer Watchdog group said the Twitter incident raises the question of whether "Google's cloud as offered provides adequate safeguards." Moving medical and health-related records, and information on domestic and sexual assault and substance abuse to Google raises concerns over how such sensitive data will be protected, the group wrote in a letter addressed to City Council members.

"Before jumping into the Google deal, City Council needs to insist on appropriate guarantees -- for instance substantial financial penalties in the event of any security breach," John Simpson, a consumer advocate for the group wrote.

In a similar letter sent a few days after the Twitter breach, the World Privacy Forum urged the city to move forward "slowly and cautiously' because of continuing uncertainty over the legal status of sensitive private information stored in the cloud. The letter noted that different types of information that the city was planning on migrating to Google had different security requirements. For instance, while health data is covered by the Health Insurance Portability and Accountability Act (HIPAA), classified information, tax records and law enforcement data are subject to different requirements.