Several observers have noted that the theft of confidential Twitter documents (which ended up in the hands of TechCrunch) took place by accessing a Twitter employee's Google Apps account. Cue a chorus of commentary alleging how this shows that if you want to keep stuff private, don’t put it on the web, period, because cloud security is not ready for prime time and nothing is secure on the net.
OK, so let's go back to storing confidential company documents on laptops that people leave in cars or forget on trains, or transferring them on computer tape and CD-ROMs that couriers deliver to the wrong address, or backing them up to USB sticks that go missing, or forgetting to wipe them off the hard disks of office servers when we dispose of them (UPDATE: see Michael Krigsman's post on the same topic for a catalog of examples). Cloud security is no different from real-world security. It's just a matter of identifying the risks and containing them.
Users really like the convenience of the cloud — far too much for them to give it up — but the trouble is, they also like the convenience of authentication using a simple username-password pair. They haven't yet figured out that's far too little to separate your confidential data from a nefarious interloper, especially when the Web means that authentication will work from anywhere, which dramatically increases the threat level. In the Twitter case, as my ZDNet colleague Sam Diaz points out, the security breach exploited "an easy-to-guess password and recovery question," which is one of the simplest ways to make a username and password combination really insecure. Unfortunately, users they won't wise up until the cloud providers force them to.
The banks figured this out long ago, and they knew they had to sort it because customers were losing money and blaming them. As a result, I now have to answer 'challenge questions' before I can access any of my online banking services. I have to remember a user ID and two passwords to access my personal current account, and to authorise a bill payment I have to insert my chip-and-pin debit card into a special reader, type in the pin number plus some other data and then copy a code that the reader generates into the payment authorization page. My business bank account requires a user ID, a password and a code generated by a separate security device. All this is a pain but I put up with it because I don't want my bank to make it easy for other people to defraud me of my money. Nor do I want to go back to the days of having to write out checks and put them in the mail or waiting till my statement arrives at the end of the month to find out how much money I have left.
Now it's up to cloud providers to inflict the same pain on their users — for their own sake — to protect their data. We won't like it, but we'll put up with it because at the end of the day we'd rather jump through all those hoops than give up all the convenience the cloud brings us.