My Google Alerts for cloud security have been going off with an increased vengeance.
In the current Web buzz about the recently stolen Twitter documents sent out by a hacker to TechCrunch, people have been pointing to the attack and citing it as a cloud computing security wake-up call.
In fact, the Twitter hack is an older and more common type of attack that any computing system is vulnerable to: weak password security. [See also: How to Write Good Passwords]
In reading Twitter's description of the attack, it's apparent that once the attacker had obtained the password to a single e-mail account of a Twitter employee, he/she was able to execute password resets (using the 'Forgotten Password' function) on several other accounts. This enabled the attacker to use the compromised e-mail account as a springboard to access additional data stored elsewhere.
It's the oldest trick in the book, and it has very little to do with cloud security any more than someone stealing your identity and then using it to open up credit card accounts has to do with bank security.
Why is it important to distinguish password weakness from broader cloud security issues?
- Misunderstanding of the issues may prejudice some in ways that could prevent them from adopting advantageous cloud solutions.
- The preventative measures are clearly different.
For instance, to prevent the Twitter breach from happening again the steps that should be taken (some of which Twitter has already acknowledged are taking place) are employee education (don't succumb to social engineering or phishing ploys), auditing password strength (6-plus alpha/numeric/symbol characters is for a reason!), and, as a policy, clearly separating personal and work accounts/data so if your personal account is compromised no damage can be done to corporate information or accounts.
On the other hand, cloud security is an architecture issue:
- Most cloud systems are designed by putting all accounts/customers/applications on one platform and co-mingling the data (called 'multi-tenancy' and dangerous from a security perspective!)
- We recommend pursuing a different architectural approach and running separate instances of cloud applications per customer whenever possible for maximum security.
Cloud security is an important topic that gets (deservedly) a considerable amount of attention these days, but let's keep the conversation focused on the real issues so that progress can be made in making the cloud a secure and reliable IT infrastructure that all businesses can benefit from.
Pete Soderling is founder of Web development shop Mechanikal and API management company Stratus Security Technologies.
This story, "Why Twitter Hack is NOT a Cloud Security Wake-up Call" was originally published by CSO.