Google Cloud Security (follow up)
by Kerensky97 on Jul.17, 2009, under Internet
Google published a blog post in response to recent security concerns after Twitter’s data in the Google cloud was illegally hacked.
Password strength and account recovery options
Google basically states that they provide info on how to make better passwords, and different ways to make password recovery a bit more secure. Interestingly, for Google Apps they also support advanced login methods that use “certificates, smartcards, biometrics, one time password devices, and other stronger tokens”.
All cool stuff, but I’d like to point out that all of this only addresses login issues. In the medieval castle analogy I made yesterday I pointed out that security is layered like an onion. The inherent problem with cloud computing is that you eliminate almost all physical security options available to you; and believe me, there are a lot of amazing, very secure, network level security options available. All you’re left with is having a strong password.
A lot of people, including Twitter, are saying that there was no flaw in Google Apps, and in a way there wasn’t. It was as strong as it possibly could be, and it was the password that was hacked. But that’s my point! Your security is only as strong as your password, and with that as your only line of defense there are no additional security checks between your data and every hacker and script kiddie on the internet.
From a business standpoint I’d never advise moving all data over to the cloud; it literally goes against all the lessons in computer security we’ve learned in the last few decades. And even as cloud technologies mature I can only foresee a hybrid-cloud business model where private confidential company data is stored onsite in a traditional manner, and public or publicly safe documents are stored in the cloud (similar to our traditional “DMZ” zone in network security).




