The latest Twitter controversy surrounding the blog, the hacker and the cloud vendor isn’t disturbing – just inevitable. By now anybody with an iota of interest in cloud computing will know what this story is about. Many people are probably damning Google for their “lack of security.” But hang on here. Aren’t people being quite cavalier with their data? The other day I refused to give my own partner my PIN… but as I write, it’s happily stored somewhere as a draft on GMail. That really doesn’t make sense.
Hell, I trust the cloud more than I trust myself
Who’s really to blame? I don’t think it’s black-and-white. Frankly, as a rule I trust some company I know nothing about a lot more than I trust myself. I leave my passwords lying around on the desktop. I write my PIN on a scrap of paper and keep it in my wallet next to my debit card (nobody’s fooled by the fact I’ve made it look like a phone number). I’m lazy and useless – and I suspect most people out there are too. However, I think cloud vendors have a responsibility to make sure they compensate for users’ inadequacies.
Keeping sensitive data in the cloud isn’t “probably going to happen” – for consumers, it’s been happening for years – the big vendors just need to pull their finger out. At the moment, if you get stung by a lack of cloud security you’ll just be told:
“Only a dribbling buffoon leaves all their valuable data in the cloud.”
While it’s true that simple passwords were used – and in this respect Google is relatively blameless – there really ought to be more safeguards in place so people are forced to at least set more secure passwords. This is a must if the business cloud is going to expand from web services and utilities into other areas such as secure data hosting.
Jamie Turner, UK cloud computing evangelist and IT Director of TheWebService, has this to say:
Cloud storage, just like Esperanto and the Sinclair C5, is a concept that makes sense… almost.
Having access to your data anywhere in the world from any device is an incredibly powerful thing. The scope is huge, enabling much wider usage and new possibilities, most of which haven’t even been thought of yet.
The problem is, making your calendar universally available in the cloud is a very different thing to placing business-critical company and customer information out there – especially financial information. Despite the significant business drivers that may promote this approach – scalability, agility and all the things that basically remove the inertia that blights most IT departments – security’s still the show-stopping concern.
There are too many questions, and too few answers. What control do we really have over data once it’s up there? What’s the physical security of the data centre? Where is the data centre? Are there cross-border legal issues with hosting the data overseas or in territories with ‘incompatible’ legislative environments? What if you need to destroy data – is that even possible? Then we need to consider the availability of the data: what if the cloud provider folds or they’re taken over by an overseas organisation? If there’s a catastrophic data centre failure, what’s the recovery time? Do they even back things up or just hope that a single data centre will always be safe? It’s a glib but important question – you can have as much redundancy as you like at any given site but if it disappears into the San Andreas Fault you’ll be wishing you still had that magic DAT tape. Are we blindly throwing data into the sky in the hope it will stay safe? Ultimately, this is the big problem with storing sensitive data in the cloud – at least for now: there are just no convincing answers to any of these questions.
So let’s not throw the baby out with the bathwater – this problem just needs to be addressed, fast.
July 16, 2009 at 8:56 pm
Jamie
Where did you receive the information that the “concept of Esperanto…” has no sense?
If you have a moment look at an interesting video which can be seen at http://www.youtube.com/watch?v=_YHALnLV9XU
Alternatively see http://www.lernu.net
July 17, 2009 at 12:17 pm
I disagree that users should be forced to conform to a particular password pattern. Most users use the same password for everything (there’s no way we can expect to memorise 50 totally different passwords) and when our normal password isn’t valid, if we’re forced to enter a new one for that one service then we’re going to write it down on a scrap of paper or in a text document on our computer or email account.
However, using the same password is a very bad idea on its own. If one site gets hacked and users figure out your password, they will then log onto many different services and see if you’ve used the same password with each of them. Banking, credit cards, PayPal, all because someone hacked into Monster.co.uk and you used the same password.
Here’s a handy trick. Set a standard password for yourself, then modify it for each site according to a set of rules. For instance, set the password as “Passw0rd” and then for each site, insert the first, third and fifth letters of the site name into the middle. So your Twitter password would become “Passtitw0rd”. (OMG I really didn’t do that on purpose!!!) Modify your rules so it’s not obvious to a hacker what pattern you use, and you’re done – a hacker of one site will no longer be able to guess your other passwords and you won’t have to remember 50 different passwords.