Twitter breach revives security issues with cloud computing
Concerns are the same as with any outsourcing, remote data access, IT managers say
Computerworld - Security and privacy issues over cloud computing are not very different from those surrounding any sort of IT outsourcing and need to be treated that way, security managers and analysts say in the wake of breaches involving Twitter and Google Apps.
The incident has resurfaced many familiar concerns relating to cloud computing and is raising questions over a multimillion-dollar plan by the city of Los Angeles to move its e-mail and office applications to the cloud.
While many of the concerns are valid, it's important to retain perspective around them, security experts said.
"These concerns are very similar to the concerns and risks associated with traditional data storage outsourcing, offshoring, or other forms of remote data access," said Christopher Pierson, chief privacy officer with a large financial institution, which he asked not be identified. "Within the cloud, the standard issues of user access, authentication, encryption, location of storage all exist and need to be thought through on the front end," he said.
The advice comes in the wake of the July 15 disclosure by Twitter that a hacker had accessed a substantial amount of company data stored on Google Apps by first hijacking a Twitter employee's official e-mail account. Though the breach had more to do with weak passwords and password resets, the incident has nevertheless drawn fresh attention to broader security and privacy concerns related to cloud computing.
Some groups in Los Angeles are pointing to the Twitter/Google Apps incident as a reason why the city needs to reconsider a recently proposed plan to move e-mail and office applications to Google Apps.
Under the $7.25 million plan, the city will transition its Novell GroupWise e-mail and Microsoft Office applications to Google's e-mail and office productivity products starting this December. The migration is expected to save the city more than $6 million in software license costs over the next five years and an additional $7.5 million from reallocating resources dedicated to GroupWise to other tasks.
But some, such as the Consumer Watchdog group said the Twitter incident raises the question of whether "Google's cloud as offered provides adequate safeguards." Moving medical and health-related records, and information on domestic and sexual assault and substance abuse to Google raises concerns over how such sensitive data will be protected, the group wrote in a letter addressed to City Council members.
"Before jumping into the Google deal, City Council needs to insist on appropriate guarantees -- for instance substantial financial penalties in the event of any security breach," John Simpson, a consumer advocate for the group wrote.
In a similar letter sent a few days after the Twitter breach, the World Privacy Forum urged the city to move forward "slowly and cautiously' because of continuing uncertainty over the legal status of sensitive private information stored in the cloud. The letter noted that different types of information that the city was planning on migrating to Google had different security requirements. For instance, while health data is covered by the Health Insurance Portability and Accountability Act (HIPAA), classified information, tax records and law enforcement data are subject to different requirements.
- Popular Internet-of-Things devices aren't secure
- Many antivirus products are riddled with security flaws
- Mobile management: Making sense of your options
- British hacker Gary McKinnon launches SEO startup
- iPhone gets first free app for encrypting voice calls
- Zero-day flaws found in Symantec's Endpoint Protection
- BlackBerry plans to focus on security for the enterprise
- Senator pushes new version of bill to limit NSA phone records collection
- How to Protect Personal, Corporate Information When You Travel
- Privacy groups call for Facebook to halt off site user tracking plans
- Securing Mobility, From Device to Network At one time, the process of managing and securing mobile devices and applications was fairly straightforward. Most organizations worried about one application (email)...
- Data Protection eGuide In this eGuide, CSO and sister publications IDG News Service, Computerworld, and CIO pull together news, trend, and how-to articles about the increasingly...
- Warning: Cloud Data at Risk Experts agree that relying on SaaS vendors to backup and restore your data is dangerous. Yet that's exactly what huge portions of the...
- The Opportunities and Challenges of the Cloud In this report F5 poses questions to IDC analysts, Sally Hudson and Phil Hochmuth, on behalf of F5's customers to better understand the...
- What should I look for in a Next Generation Firewall? SANS Provides Guidance With so many vendors claiming to have a Next Generation Firewall (NGFW), it can be difficult to tell what makes each one different....
- Responding to New SSL Cybersecurity Threat The featured Gartner research examines current strategies to address new SSL cybersecurity threats and vulnerabilities. All Security White Papers | Webcasts
Our new bimonthly Internet of Things newsletter helps you keep pace with the rapidly evolving technologies, trends and developments related to the IoT. Subscribe now and stay up to date!