In the New York Times Bits Blog, Claire Cain Miller and Brad Stone discuss the recent Twitter hack that exposed 300+ private documents.
Claire and Brad hit on many of the right pieces, including how easy it is to guess the passwords of public and semi-public personalities – and the fact that more people should take secret questions seriously. They also correctly highlight that users should think about what they put into the cloud. I think there are a few additional prescriptive points worth making, especially when organizations are weighing the risks and benefits of employing cloud-based applications (whether formally sanctioned or informally adopted).
Many organizations immediately focus on back-end (datacenter) security – assuming that since the data is in the cloud, that’s where the problems lie. It is certainly a consideration organizations should weigh, but most providers host their applications in hardened datacenters that may in fact be better secured than most organizations’ own. Using this recent example as a guide, there are far easier ways to get at the data than breaking into the datacenter (either physically or logically).
The key thing organizations should focus on is how the data got to the cloud. It’s a fact that enterprise users will employ cloud-based applications – either because that’s how a business process is getting automated, or because it helps them do their individual jobs better/faster/cheaper. For risk managers, the job is not to stand in the way, but to safely enable this use.

With that said, the first thing organizations need to manage is which cloud-based apps they embrace – talking to the business about what’s appropriate, and apprising the business of the risks the application(s) carry. So maybe Google Docs is allowed for the manufacturing team, but uploads to DocStoc are not. Second, for the applications the enterprise does enable, it needs to manage the types of documents that are put into the cloud-based application – so perhaps word processing documents are appropriate, but spreadsheets are not. Third, to some degree, organizations need to control the content that flows between internal users and cloud-based applications – especially with regard to sensitive, confidential, or malicious content. Obviously, all of this has to be enforced, but if organizations can do these three things, the inevitable use of cloud-based applications will result in far fewer embarrassing moments.