I've been really ticked off by the number of "pundits" writing nonsense about this story, so I wrote this blog entry for my personal site, which I thought might be of interest here so I'm reposting for all you developer workers!
If you’re busy, here’s the abstract:
- It wasn’t twitter that was hacked – it was Google Apps
- Please don’t confuse “network” with “cloud” – it’s embarrassing to read and makes you look stupid
- This is not a story about cloud computing, it’s a story about security
- The moment you make a computer accessible via the internet you have a security challenge
- Security is an important issue for cloud computing – So instead of hyping it, or denying it, we need to deal with it
- The good the bad and the ugly – Some of the articles/blog posts I’ve seen on this topic
It wasn’t twitter that was hacked – it was Google Apps
Here’s what happened: someone hacked into the Google Apps service used by Twitter. The guys at Twitter use Google Apps (you can confirm this by typing “docs.twitter.com” into your browser). Someone managed to hack into one or more Twitter employee accounts. It seems as if a hacker was able to guess (either by cunning or brute force) the relevant password or passwords, and hey presto.
So the lesson here is about password security, and the steps that providers like Google ought to implement in order to detect and prevent brute-force attacks (where someone attempts to log in over and over again using different passwords).
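To make that lesson concrete, here is an added example of the kind of brute-force detection a login service can run over its own authentication log. It is not code from the original post or from Google; the log line format, the sample lines, the thresholds and the class and function names are all constructed for illustration. It tracks failed attempts per account and per source address in a sliding window, locks the key out once the threshold is reached, and rejects later attempts during the lockout even if the password is finally right.

```python
"""Brute-force login detection over a constructed sample of auth log lines.

Added example, not from the original post. The log format is invented for
illustration; a real provider's logs and thresholds will differ.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines (not real data): timestamp, result, account, source IP.
# "alice" is hammered five times in a few seconds and then the right password
# is tried; "bob" just mistypes twice, far apart, and then logs in normally.
SAMPLE_LOG = """\
2009-07-15T09:00:01Z FAIL user=alice ip=203.0.113.7
2009-07-15T09:00:03Z FAIL user=alice ip=203.0.113.7
2009-07-15T09:00:04Z FAIL user=alice ip=203.0.113.7
2009-07-15T09:00:06Z FAIL user=alice ip=203.0.113.7
2009-07-15T09:00:08Z FAIL user=alice ip=203.0.113.7
2009-07-15T09:00:09Z OK   user=alice ip=203.0.113.7
2009-07-15T09:05:00Z FAIL user=bob   ip=198.51.100.2
2009-07-15T09:30:00Z FAIL user=bob   ip=198.51.100.2
2009-07-15T10:10:00Z OK   user=bob   ip=198.51.100.2
"""

LINE_RE = re.compile(r"^(\S+)\s+(OK|FAIL)\s+user=(\S+)\s+ip=(\S+)$")


def parse_line(line):
    """Split one hypothetical log line into (timestamp, success?, user, ip)."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable log line: {line!r}")
    ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
    return ts, m.group(2) == "OK", m.group(3), m.group(4)


class BruteForceGuard:
    """Sliding-window failure counter with lockout (hypothetical policy values)."""

    def __init__(self, threshold=5, window=timedelta(minutes=10),
                 lockout=timedelta(minutes=15)):
        self.threshold = threshold
        self.window = window
        self.lockout = lockout
        self.failures = defaultdict(deque)   # key -> timestamps of recent failures
        self.locked_until = {}               # key -> datetime the lockout expires
        self.alerts = []                     # (key, timestamp) for each lockout raised

    @staticmethod
    def _keys(user, ip):
        # Track both the account and the source address, so spraying many
        # accounts from one IP is caught as well as hammering one account.
        return (("user", user), ("ip", ip))

    def check(self, ts, ok, user, ip):
        """Return "locked", "ok" or "fail" for one attempt, in log order."""
        for key in self._keys(user, ip):
            until = self.locked_until.get(key)
            if until is not None and ts < until:
                return "locked"      # reject regardless of whether the password was right
        if ok:
            for key in self._keys(user, ip):
                self.failures[key].clear()
            return "ok"
        for key in self._keys(user, ip):
            q = self.failures[key]
            q.append(ts)
            while q and ts - q[0] > self.window:
                q.popleft()          # drop failures that fell out of the window
            if len(q) >= self.threshold:
                self.locked_until[key] = ts + self.lockout
                self.alerts.append((key, ts))
                q.clear()
        return "fail"


def evaluate(log_text, **policy):
    """Replay a log through the guard; return (decisions, alerts)."""
    guard = BruteForceGuard(**policy)
    decisions = [guard.check(*parse_line(line))
                 for line in log_text.splitlines() if line.strip()]
    return decisions, guard.alerts


if __name__ == "__main__":
    decisions, alerts = evaluate(SAMPLE_LOG)
    for line, decision in zip(SAMPLE_LOG.splitlines(), decisions):
        print(f"{decision:7} {line}")
    for key, ts in alerts:
        print(f"ALERT lockout for {key[0]}={key[1]} at {ts.isoformat()}")
```

On the sample above the sixth alice attempt, the one with the correct password, is rejected as "locked" because five failures landed inside the ten-minute window, and both the account and the source address raise an alert; bob's two mistakes are too far apart to count. Locking on the source address as well as the account is what catches an attacker who cycles through many accounts with a few guesses each; in production you would also want the alerts fed to whoever monitors the service, not just a lockout.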
Please, please stop confusing “network” with “cloud” – it’s embarrassing to read and makes you look stupid
No, really! They’re not the same thing! Cloud computing is a computing paradigm in which one or more third parties provide a load of underlying infrastructure that enables you to do stuff. A network is a collection of computers that can talk to each other. Sure, you need network connectivity for cloud to work – but the two things are as different as “tarmac” and “road”.
A useful test, which you can apply either to your own comments or to others’, is to see whether you can safely substitute “network” for “cloud” without affecting the actual meaning of the piece. If you can, then stop and have a think.
We analysts love coining our own very special definitions of things like cloud - I quite like this one from Wikipedia
This is not a story about cloud computing, it’s a story about security
This story is only coincidentally connected with the fact that the Google Apps service runs on a cloud. If Twitter were using Exchange (and I’m guessing hell might have to freeze over for the cool kids at Twitter before that happened) they could very well have suffered the same issue – by carelessly allowing web access to the Exchange server, or to SharePoint, for example.
The moment you make a computer accessible via the internet you have a security challenge
Everyone has heard someone say “if you want your data to be really safe, then don’t put it onto a device that can be connected to a network”. While this (obvious) statement does have some truth to it – it’s slightly beside the point. We really do have to make our computers accessible via the network, and lots of smart people have developed all sorts of cunning techniques to make that data secure.
I had a short twitter exchange with another analyst (the wonderful James Governor) on the topic of “cloud security” a little while ago. James was irritated by a comment from a vendor that cloud computing raises serious security issues. His assertion was that cloud computing is not inherently “less secure” than a private network. As it happens I disagree fairly strongly with this assertion as a general statement – but James also made the point that most internal networks are a security nightmare.
My take is that it should be obvious to anyone with even a basic level of competence that when you make sensitive data accessible over a public network you need to take steps to ensure that it is secure. If you’re not asking questions like “Do I trust my provider to keep my data safe from harm (i.e. loss, tampering, etc.) and secure against unauthorised access (i.e. hacking)?” or “Will I be compliant with my company’s regulations (and the relevant legal requirements) for data security?” then you’re not a fit person to be making important decisions about data (or indeed about how many sugars to put in your coffee).
By way of a short aside:
A long time ago, I once “saved the day” after a disk crash by fishing some discarded back-up tapes out of the trash so we could restore the lost data after the current tape set proved to be corrupt (the current tapes having been carefully stored on top of a large and super-magnetic line printer). It was only afterwards that it occurred to us that anyone could have snaffled those tapes and recovered the data, so we agreed that from then on we’d leave the tapes we wanted to discard on top of the printer for a day before putting them in the bin.
Oh yes - that really is a true story.
Security is an important issue for cloud computing – So instead of hyping it, or denying it, we need to deal with it
Cloud-based computing does raise security challenges, and you have to consider them. You absolutely should not put data into the hands of a third party without asking some very straightforward questions (which might include “how do you dispose of back-up media…”).
Sensationalist stories that hype up the security challenges of cloud computing are just stupid, but we also have to avoid falling into denial as well.
I’ll be talking and writing at length about security in cloud environments – but the key message here is that you can make cloud computing environments secure – you just have to engage your brain.
The good the bad and the ugly – Some of the articles/blog posts I’ve seen on this topic
Good - Recent Twitter Hack Reveals Humans Are Still Security’s Weakest Link by Terrence O’Brien. A really good common-sense post.
Good - Twitter Gets Hacked. Can It Happen to You? Riva Richmond provides some sensible advice.
Good - Twitter’s hack is a timely reminder that the cloud is only as safe as you make it. I’m not so much a fan of the Tory-graph, but this is good stuff from Basheera Khan.
Good - Possible link to Twitter hack – GMail vulnerable to password cracking. Some important technical information about potential vulnerabilities.
Mostly Good - Twitter’s Problem With the Google Cloud - Although “cloud” and “network” are more or less interchangeable in this piece it has some good advice – “Before enterprises can safely move sensitive applications (and thus data) to the cloud they must ensure their security is effective, since a key layer of protection is being removed.” – Although, I’d submit that if you’re planning to move apps and data to the cloud, and this hasn’t already occurred to you then the chances are you’re too stupid to sign up for a cloud-based service anyway.
OK - Twitter Hack: Are Companies Moving Too Quickly To The Cloud? I was going to put this into the “bad” category because the headline is sensational, but in fairness Andy Cordial from Origin Storage makes some good points:
But Origin Storage’s Cordial and other security experts raise a different sort of question. They say that the means to properly secure IT operations in the cloud may be in place at the service provider’s end, but the hard work of integrating those security mechanisms with companies’ own internal protocols isn’t getting done in the mad dash to the cloud.
“Applying effective security is all about planning and then applying that planning, backed up by a set of solid security policies with encryption at its heart,” Cordial said. “If Twitter had had this strategy operating at all levels of its hierarchy, rather than apparently going for user growth at any cost, it wouldn’t be in the embarrassing situation it is now.”
Bad - Twitter hack raises questions about ‘cloud computing’ by John D. Sutter. I’m putting this one into the bad category because the headline is misleading, and the article closes by confusing “cloud” and “network”, which is either scaremongering or a sign that Mr Sutter doesn’t understand the difference.
Ugly - The Twitter hack and the cloud. This is a real shame; the BBC should have higher standards. The last sentence highlights the confusion between “cloud” and “network”:
“But if you allow your employees - including very senior members of staff - to send confidential information on cloud-based e-mail then you’d better make sure their passwords are super secure.”
Dude, it’s not the “cloud” that’s at issue here – it’s the fact that you can connect to the email account over the interweb.