The real problems with cloud computing

Google may protect servers better than you do. But Ira Winkler says your job is to protect information, not just servers.

The recent Twitter hack, where a French hacker compromised internal Twitter documents by accessing the account of administrative assistant, among others, was essentially an attack on Google Docs. The reason is that Twitter outsourced their infrastructure by contracting with Google, and the accounts in question were on Google's infrastructure.

The ensuing reports questioned the security of Google Apps and cloud security in general. In the process, Google claimed that their security was better and less expensive than the security that companies could provide for themselves. At the same time, people (including me) persisted in their statements that exposed information is exposed information. This position takes the stand that companies want to protect their information, and not the computers themselves. This can be extremely confusing for CSOs trying to decide whether or not to implement cloud computing. This issue is at the forefront, especially given Los Angeles County's stated intention to migrate to Google Apps.

Also see: Chris Hoff on Virtualization and Cloud Computing

Let's first acknowledge that Google Apps was not specifically "hacked" in the traditional sense of the word during the Twitter hack. A hacker did not break into Google computers through some technical vulnerability in the Google infrastructure.

A hacker found a personal e-mail account for the administrative assistant previously mentioned. Similar to the Sarah Palin Yahoo! account hack, the hacker researched social networking sites to find the answer to the "secret question" required to reset the account's password. In going through the e-mails in the account, the hacker apparently found the password used by the administrative assistant on other sites, and correctly assumed that person used that password on their Twitter corporate account at Google Apps.

This gave the person access to e-mails and files. Other information available to the account also allowed the attacker to compromise the Twitter corporate accounts of other employees.

While the initial reaction would be to blame the guessability of the security questions on the freemail account, as well as the reuse of the password, that is akin to saying people drown because of water. Clearly, there are many other vulnerabilities in cloud computing implementation that enabled the compromise of the accounts on Google Apps.

For example, the fact is Google Apps allowed for anyone in the world to attempt to log into any account at Twitter. In this case, the account holder was in the San Francisco area and the hacker logged in from France. If the accounts were maintained internally, Twitter would have had the ability to deny remote access. Similarly, if there was misuse and abuse detection, even allowed accesses would have been flagged given the location as well as the scope of the data access. There are also data leak prevention (DLP) tools that could have been in place.

Google Apps doesn't provide for add-on security tools, such as those mentioned above. They do provide for SAML 2.0 authentication integration. However, that is a footnote, and organizations who are using Google Apps because they don't want to maintain the internal technical staff required to run office applications are not likely to maintain staff to manage a SAML compliant tool, which can be even more complicated. Using an automobile analogy, it is like saying you will bring your car to a repair shop for everything, even simple oil changes -- except for the ignition system, which you agree to maintain entirely on your own.

There is a great deal of truth that Google can maintain the security of systems better than individual companies. This specifically involves server security, not data security. For example, hackers target vulnerable operating systems that don't have properly applied patches. While I may be critical of some aspects of Google Apps security, I firmly believe that Google is significantly more likely to maintain the security of individual systems than companies would themselves.

Google also implements sharding, which means that an individual file could be divided among hundreds of systems in theory. This way, if someone actually does break into a server, they will not likely get a useful amount of information out of individual documents.

However, the fact is that attackers want your information and will get it however they have to. For example, the recent Heartland hacks resulted from SQL injection which targeted the database applications, not the servers. While Google Apps may better maintain fundamental security of the office applications, that again does not help with the access, and sniffing potential.

Cloud computing puts your data outside of your organization. Also when you use a cloud computing service, you are limiting yourself to the amount of advanced security tools that you can put on the system. I already gave the examples of DLP and misuse and abuse detection, which is not available to Google Apps users. Likewise, you cannot limit the access to only internal staff. There are many other security tools that cannot be put in place in cloud environments, unless the cloud environment is specifically designed for them.

There are also other issues to consider. You have little control over how much audit information is collected. For example, you likely do not have access to failed log-in attempts, so you cannot proactively look for attack reconnaissance. Likewise, while you may maintain ownership of your own data, you do not likely own all of the access log data. That potentially creates legal problems. For example, if someone does illicitly access your information, you might need to get a court order to see where they are coming from. If however you maintained your data internally, you would have instant access to all of this information.

Editorial limitations do not allow me to bring up all potential limitations of cloud computing security. However, I intend to get you thinking about what you need to consider.

Also see: Winkler on Awareness Training

Let's face it: The $US50 per user annual fee for Google Apps is very attractive from a financial perspective. I also believe that CSOs should make decisions not from a security perspective, but from a risk perspective. Risk acknowledges that you have to make decisions that balance potential losses against potential cost savings.

For those organizations that wouldn't normally implement more any additional security controls, like DLP or intrusion detection, you might as well use a cloud computing solution like Google Apps. They would be much more likely to implement basic security controls better than you would.

However, if you are an organization with a great deal of intellectual property, believe that your data is valuable, and intend to implement more than basic security measures, you probably need to maintain your own data infrastructure. You can however review cloud computing providers and see if they allow for the implementation of the security countermeasures you believe are necessary. There are a significant number of software vendors who are beginning to offer cloud security products. The better cloud computing providers should be integrating these tools.

My perception of the Twitter hack is that Twitter is a company where money is not a driving force in their infrastructure decisions. While they do plan for rapid growth, and Google Apps does allow for that growth, it is my belief that Twitter should implement more than basic security measures. After all, they eventually want to move into the corporate market and if they can't protect their own data, how can other companies trust Twitter with their data?

Los Angeles County has different circumstances. While they clearly have more than enough value that would justify maintaining the infrastructure internally, it seems like there is a major financial problem that might prevent it.

Unfortunately, given all of the regular abuse we see of government databases, by authorized users, Los Angeles would be taking an unacceptable risk. The recent convictions of State Department employees for looking at celebrity travel records demonstrates the abuse that can only be detected when there is the ability to regularly review audit logs. Los Angeles is also infamous for celebrity information, and people have been accused of accessing medical information of celebrities. For example, the Octomom's medical records were leaked, as were those of Britney Spears and countless other celebrities. Without the ability to provide for automated misuse and abuse detection, Los Angeles will miss a wide variety of criminal activities.

So while a cloud computing provider will likely better secure the servers, it is highly questionable as to whether than can secure your information better than you can. The acronym CISO stands for Chief Information Security Officer, not Chief Computer Security Officer. That should give you an idea as to what your priorities should be.

Join the newsletter!

Error: Please check your email address.
Rocket to Success - Your 10 Tips for Smarter ERP System Selection

Tags cloud computingGoogletwitter

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Ira Winkler

Show Comments


James Cook University - Master of Data Science Online Course

Learn more >


Sansai 6-Outlet Power Board + 4-Port USB Charging Station

Learn more >

Victorinox Werks Professional Executive 17 Laptop Case

Learn more >



Back To Business Guide

Click for more ›

Most Popular Reviews

Latest Articles


PCW Evaluation Team

Louise Coady

Brother MFC-L9570CDW Multifunction Printer

The printer was convenient, produced clear and vibrant images and was very easy to use

Edwina Hargreaves

WD My Cloud Home

I would recommend this device for families and small businesses who want one safe place to store all their important digital content and a way to easily share it with friends, family, business partners, or customers.

Walid Mikhael

Brother QL-820NWB Professional Label Printer

It’s easy to set up, it’s compact and quiet when printing and to top if off, the print quality is excellent. This is hands down the best printer I’ve used for printing labels.

Ben Ramsden

Sharp PN-40TC1 Huddle Board

Brainstorming, innovation, problem solving, and negotiation have all become much more productive and valuable if people can easily collaborate in real time with minimal friction.

Sarah Ieroianni

Brother QL-820NWB Professional Label Printer

The print quality also does not disappoint, it’s clear, bold, doesn’t smudge and the text is perfectly sized.

Ratchada Dunn

Sharp PN-40TC1 Huddle Board

The Huddle Board’s built in program; Sharp Touch Viewing software allows us to easily manipulate and edit our documents (jpegs and PDFs) all at the same time on the dashboard.

Featured Content

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?