Users have to wise up to cloud security

Summary: Cloud services - such as Google Apps, which is where Twitter's stolen company documents were purloined - must follow in the footsteps of online banking, and start forcing users into stronger authentication practices if our cloud data is to remain secure.


Several observers have noted that the theft of confidential Twitter documents (which ended up in the hands of TechCrunch) took place by accessing a Twitter employee's Google Apps account. Cue a chorus of commentary alleging how this shows that if you want to keep stuff private, don’t put it on the web, period, because cloud security is not ready for prime time and nothing is secure on the net.

OK, so let's go back to storing confidential company documents on laptops that people leave in cars or forget on trains, or transferring them on computer tape and CD-ROMs that couriers deliver to the wrong address, or backing them up to USB sticks that go missing, or forgetting to wipe them off the hard disks of office servers when we dispose of them (UPDATE: see Michael Krigsman's post on the same topic for a catalog of examples). Cloud security is no different from real-world security. It's just a matter of identifying the risks and containing them.

Users really like the convenience of the cloud — far too much for them to give it up — but the trouble is, they also like the convenience of authentication using a simple username-password pair. They haven't yet figured out that this is far too little to separate their confidential data from a nefarious interloper, especially when the Web means that authentication will work from anywhere, which dramatically increases the threat level. In the Twitter case, as my ZDNet colleague Sam Diaz points out, the security breach exploited "an easy-to-guess password and recovery question," which is one of the simplest ways to make a username and password combination really insecure. Unfortunately, users won't wise up until the cloud providers force them to.

The banks figured this out long ago, and they knew they had to sort it because customers were losing money and blaming them. As a result, I now have to answer 'challenge questions' before I can access any of my online banking services. I have to remember a user ID and two passwords to access my personal current account, and to authorise a bill payment I have to insert my chip-and-PIN debit card into a special reader, type in the PIN plus some other data and then copy a code that the reader generates into the payment authorization page. My business bank account requires a user ID, a password and a code generated by a separate security device. All this is a pain, but I put up with it because I don't want my bank to make it easy for other people to defraud me of my money. Nor do I want to go back to the days of having to write out checks and put them in the mail, or waiting till my statement arrives at the end of the month to find out how much money I have left.
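As an added illustration (not part of the article, and not the actual EMV CAP protocol the card reader implements), here is a simplified model of why the reader asks for "some other data" besides the PIN: the one-time code is computed over the payee and amount as well as a per-card counter, so a code captured or phished for one payment does not verify for a different payee or amount, and cannot be replayed. The key, counter, payee and amount are constructed sample values.

```python
import hashlib
import hmac
import struct

# Constructed sample key. A real card/token key is provisioned by the issuer
# and held in the card chip and the bank's HSM, never in the browser.
CARD_KEY = b"constructed-sample-key-not-a-real-secret"

def truncate_code(mac: bytes, digits: int = 8) -> str:
    """RFC 4226 dynamic truncation: take 4 bytes at an offset given by the
    low nibble of the last MAC byte, mask the sign bit, keep `digits` digits."""
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def sign_transaction(key: bytes, counter: int, payee: str, amount_pence: int) -> str:
    """Code the reader would display: an HMAC over a per-card counter PLUS the
    payee and amount the customer typed in, so the code is bound to this
    particular payment rather than to the login session."""
    message = struct.pack(">Q", counter) + f"{payee}|{amount_pence}".encode()
    return truncate_code(hmac.new(key, message, hashlib.sha256).digest())

def verify_transaction(key: bytes, last_counter: int, payee: str,
                       amount_pence: int, code: str, window: int = 10):
    """Bank side. Recompute the code for the payment details the bank actually
    received, trying a small look-ahead window of counters (the customer may
    have generated codes that never reached the server). Returns the counter
    that matched, which the bank must store to block replay, or None."""
    for candidate in range(last_counter + 1, last_counter + 1 + window):
        expected = sign_transaction(key, candidate, payee, amount_pence)
        if hmac.compare_digest(expected, code):
            return candidate
    return None

if __name__ == "__main__":
    # Constructed sample payment; counter 4 is the last value the bank saw.
    code = sign_transaction(CARD_KEY, 5, "PAYEE-ACCT-0001", 12500)
    print("code shown on reader:", code)
    print("genuine payment :", verify_transaction(CARD_KEY, 4, "PAYEE-ACCT-0001", 12500, code))
    print("amount tampered :", verify_transaction(CARD_KEY, 4, "PAYEE-ACCT-0001", 99999, code))
    print("payee swapped   :", verify_transaction(CARD_KEY, 4, "PAYEE-ACCT-0002", 12500, code))
    print("replayed code   :", verify_transaction(CARD_KEY, 5, "PAYEE-ACCT-0001", 12500, code))
```

The tampered and replayed cases fail because the bank recomputes the code from the details it received, not from anything the browser claims.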

Now it's up to cloud providers to inflict the same pain on their users — for their own sake — to protect their data. We won't like it, but we'll put up with it because at the end of the day we'd rather jump through all those hoops than give up all the convenience the cloud brings us.

Topics: Banking, Security, Social Enterprise

Phil Wainewright

About Phil Wainewright

Since 1998, Phil Wainewright has been a thought leader in cloud computing as a blogger, analyst and consultant.

  • Cloud security done right

    Turns out that, if you put all the required elements in place, cloud security can actually be packaged in a way where it doesn't need to be inconvenient for the end-user and delivers more effective security than traditional solutions.

    You do need quite a bit of technology for such a "Secure Dataroom" SaaS solution: strong authentication, encryption on the server, over the wire, and on the client endpoint -- and an easy-to-use UI with no desktop software required.
    Oliver Gajek
  • Consumer MFA is coming

    Great points, Phil. I think consumer multi-factor authentication (MFA) is poised to become more of a mainstream reality. As you pointed out, some banking/finance websites already do it.

    The problem is that without a single web identity, managing passwords is already complex and daunting for consumers. Imagine now the tens or hundreds of passwords you have to remember are multiplied by two. Or you have to carry a set of dongles or smart-cards with you - one for each consumer service.

    Identity management on the web is already a major issue and now if we try to throw MFA into the mix without trying to fix the identity issue first, it's just going to get crazier.

    Hopefully we can make progress on one or a few major OpenID providers so that in another 5-10 (15? 20?) years I can log into most websites worldwide with a single set of credentials; using multiple factors, of course -- maybe a regular password plus an OTP over SMS or a USB-based hardware token.

  • Cloud Security, and SSO

    We are using Tricipher's MyOneLogin service at Ingres to provide single sign-on (SSO) for all of our open source based community sites. We also rolled it out internally to establish a multi-factor authentication based portal for our employees. Once inside, they can select any of their cloud-based and open source applications without re-entering their passwords. Particularly effective are sites that allow SAML assertions, and then block access unless it comes from the MyOneLogin portal. In this way we still get all the benefits of cloud computing and hosted open source utilities with the advantages of strong authentication and SSO. If the standards around SAML/OpenID etc. get stronger we can envision global secure access to all cloud offerings. Check out Tricipher. More on my blog here:
  • RE: Users have to wise up to cloud security

    Interesting article - is the bank security that you describe part of UK law or is it up to each bank?
  • The truth about data security

    Cloud security is indeed an issue, but so is the threat of data access through wireless or Wi-Fi, simply using sniffers (which I think should be banned) currently accessible to all, allowing any crook to see the downloaded information on your screen.

    I love cloud computing because at least backup discs or tapes are not required and hence cannot be 'lost' or stolen, which happens more often than not these recent years.

    There are excellent sites which discuss daily security breaches or data loss. You would be amazed to see the numbers related to in-house servers.
    Even banks lose their data backup discs/tapes or have them stolen.

    I think that if you do go for a SaaS or a cloud computing system, you should always pick the best ones, since those will have the best security systems to date. Currently, the only two leaders I have heard of are NetSuite (ERP, CRM, e-commerce) and Salesforce (CRM).

    If companies were serious about data security they would invest more time & resources in ensuring that their data is safe from harm. Paying 'White Hackers' to reveal their security flaws could be a very good start, but data loss is not just about access security. It also mainly consists of a set of best practices to follow.

    One of the few sites that I discovered is doing pioneering work in this regard, focussing on 'IT Governance Audit Tools' amongst other things.
    itscontrol say that their upcoming IT Governance tool will be ready in September 09. It might be a good starting point.

  • RE: Users have to wise up to cloud security

    You got it perfectly right: 'Users have to wise up'. A lot of the security breaches that I have seen, and that have been on the news, were not due to software vulnerabilities but to simple user carelessness or negligence, and of course the companies get the blame.

    Having a security system in place consists of both the technology and user training. Without the latter, all you will be left with is a false sense of security.

    Search for ITSControl if you want to seriously consider where your company stands in terms of Information System security and control.