The recent Twitter hack, where a French hacker compromised internal Twitter documents by accessing the account of administrative assistant, among others, was essentially an attack on Google Docs. The reason is that Twitter outsourced their infrastructure by contracting with Google, and the accounts in question were on Google's infrastructure.
The ensuing reports questioned the security of Google Apps and cloud security in general. In the process, Google claimed that their security was better and less expensive than the security that companies could provide for themselves. At the same time, people (including me) persisted in their statements that exposed information is exposed information. This position takes the stand that companies want to protect their information, and not the computers themselves. This can be extremely confusing for CSOs trying to decide whether or not to implement cloud computing. This issue is at the forefront, especially given Los Angeles County's stated intention to migrate to Google Apps.
Also see: Chris Hoff on Virtualization and Cloud Computing
Let's first acknowledge that Google Apps was not specifically "hacked" in the traditional sense of the word during the Twitter hack. A hacker did not break into Google computers through some technical vulnerability in the Google infrastructure.
A hacker found a personal e-mail account for the administrative assistant previously mentioned. Similar to the Sarah Palin Yahoo! account hack, the hacker researched social networking sites to find the answer to the "secret question" required to reset the account's password. In going through the e-mails in the account, the hacker apparently found the password used by the administrative assistant on other sites, and correctly assumed that person used that password on their Twitter corporate account at Google Apps.
This gave the person access to e-mails and files. Other information available to the account also allowed the attacker to compromise the Twitter corporate accounts of other employees.
While the initial reaction would be to blame the guessability of the security questions on the freemail account, as well as the reuse of the password, that is akin to saying people drown because of water. Clearly, there are many other vulnerabilities in cloud computing implementation that enabled the compromise of the accounts on Google Apps.
For example, the fact is Google Apps allowed for anyone in the world to attempt to log into any account at Twitter. In this case, the account holder was in the San Francisco area and the hacker logged in from France. If the accounts were maintained internally, Twitter would have had the ability to deny remote access. Similarly, if there was misuse and abuse detection, even allowed accesses would have been flagged given the location as well as the scope of the data access. There are also data leak prevention (DLP) tools that could have been in place.
Google Apps doesn't provide for add-on security tools, such as those mentioned above. They do provide for SAML 2.0 authentication integration. However, that is a footnote, and organizations who are using Google Apps because they don't want to maintain the internal technical staff required to run office applications are not likely to maintain staff to manage a SAML compliant tool, which can be even more complicated. Using an automobile analogy, it is like saying you will bring your car to a repair shop for everything, even simple oil changes -- except for the ignition system, which you agree to maintain entirely on your own.
There is a great deal of truth that Google can maintain the security of systems better than individual companies. This specifically involves server security, not data security. For example, hackers target vulnerable operating systems that don't have properly applied patches. While I may be critical of some aspects of Google Apps security, I firmly believe that Google is significantly more likely to maintain the security of individual systems than companies would themselves.
Google also implements sharding, which means that an individual file could be divided among hundreds of systems in theory. This way, if someone actually does break into a server, they will not likely get a useful amount of information out of individual documents.
However, the fact is that attackers want your information and will get it however they have to. For example, the recent Heartland hacks resulted from SQL injection which targeted the database applications, not the servers. While Google Apps may better maintain fundamental security of the office applications, that again does not help with the access, and sniffing potential.
Cloud computing puts your data outside of your organization. Also when you use a cloud computing service, you are limiting yourself to the amount of advanced security tools that you can put on the system. I already gave the examples of DLP and misuse and abuse detection, which is not available to Google Apps users. Likewise, you cannot limit the access to only internal staff. There are many other security tools that cannot be put in place in cloud environments, unless the cloud environment is specifically designed for them.
There are also other issues to consider. You have little control over how much audit information is collected. For example, you likely do not have access to failed log-in attempts, so you cannot proactively look for attack reconnaissance. Likewise, while you may maintain ownership of your own data, you do not likely own all of the access log data. That potentially creates legal problems. For example, if someone does illicitly access your information, you might need to get a court order to see where they are coming from. If however you maintained your data internally, you would have instant access to all of this information.
Editorial limitations do not allow me to bring up all potential limitations of cloud computing security. However, I intend to get you thinking about what you need to consider.
Also see: Winkler on Awareness Training
Let's face it: The $US50 per user annual fee for Google Apps is very attractive from a financial perspective. I also believe that CSOs should make decisions not from a security perspective, but from a risk perspective. Risk acknowledges that you have to make decisions that balance potential losses against potential cost savings.
For those organizations that wouldn't normally implement more any additional security controls, like DLP or intrusion detection, you might as well use a cloud computing solution like Google Apps. They would be much more likely to implement basic security controls better than you would.
However, if you are an organization with a great deal of intellectual property, believe that your data is valuable, and intend to implement more than basic security measures, you probably need to maintain your own data infrastructure. You can however review cloud computing providers and see if they allow for the implementation of the security countermeasures you believe are necessary. There are a significant number of software vendors who are beginning to offer cloud security products. The better cloud computing providers should be integrating these tools.
My perception of the Twitter hack is that Twitter is a company where money is not a driving force in their infrastructure decisions. While they do plan for rapid growth, and Google Apps does allow for that growth, it is my belief that Twitter should implement more than basic security measures. After all, they eventually want to move into the corporate market and if they can't protect their own data, how can other companies trust Twitter with their data?
Los Angeles County has different circumstances. While they clearly have more than enough value that would justify maintaining the infrastructure internally, it seems like there is a major financial problem that might prevent it.
Unfortunately, given all of the regular abuse we see of government databases, by authorized users, Los Angeles would be taking an unacceptable risk. The recent convictions of State Department employees for looking at celebrity travel records demonstrates the abuse that can only be detected when there is the ability to regularly review audit logs. Los Angeles is also infamous for celebrity information, and people have been accused of accessing medical information of celebrities. For example, the Octomom's medical records were leaked, as were those of Britney Spears and countless other celebrities. Without the ability to provide for automated misuse and abuse detection, Los Angeles will miss a wide variety of criminal activities.
So while a cloud computing provider will likely better secure the servers, it is highly questionable as to whether than can secure your information better than you can. The acronym CISO stands for Chief Information Security Officer, not Chief Computer Security Officer. That should give you an idea as to what your priorities should be.
