If you thought Gov. Sarah Palin’s name in the title implied a political post, you have come to the wrong place. Rather, I am going to use the incident of Sarah Palin’s email account hijack (see the Techmeme discussion here) to highlight a very important point, one which has the potential to develop into a cloud computing meme.
I have been debating with a friend of mine who runs the IT department for an enterprise-level company in Asia for some time now. I was advocating cloud computing for his company, but he has resisted my suggestions so far. Today, as soon as he saw the news of the hijack of Gov. Sarah Palin’s email account, he sent me an instant message to make his case against cloud computing. He argued that putting enterprise data on the cloud carries the same danger and hence it is not worth adopting cloud technologies. My friend has a very valid point about data security, but his understanding of the cause is flawed.
If you ask any security guru, he/she would point out that the weakest link in any enterprise is the careless user of the network. Even in the traditional enterprise computing infrastructure, we face the same problems and threats. A hacker (rather, a cracker) with good social engineering skills can easily get into any enterprise network if he/she can find one vulnerable user who is careless about authentication procedures and other security measures.
In the case of Gov. Palin, we still do not know how they hijacked her email account. But, based on my observation of many individual consumers, it is quite possible that she had a very weak password or security question on her Yahoo account. The hijackers could have exploited this weakness to obtain the email information. If it had been a case of lacking security in the cloud computing infrastructure, the hijackers would have got every single email that has ever gone into the Yahoo email system and not just the Governor’s email. Before anyone jumps in with the argument that we still don’t know the modus operandi here, I want to emphasize that this is my educated guess, based on observing consumer behavior with respect to security, including that of people in my own family.
Any attempt to paint this incident as a weakness of cloud computing would be naive. As I pointed out earlier, it can happen in a traditional network infrastructure too. I will definitely buy the argument that enterprises need to take additional measures to protect their data in the cloud compared to the data of individual consumers. However, cloud computing is not the weak point in enterprise data security. Rather, the vulnerable enterprise cloud computing user will be the one.
Of course, Kirsh, another angle to look at is the one that says that no matter how much IT tries to control it, users will subvert directives and use their own cloud computing solutions – IT departments are better off working proactively with users rather than battening down the hatches and being caught out with stuff like this.
It is a very good point too. I agree completely.
Of course, in an enterprise cloud context, it would be possible to restrict service access to certain IPs, keep audit trails etc.
When customers pay for services, they would expect these kinds of measures.
It is also fairly common for people to use throw-away passwords for services they don’t care much for, and use strong passwords only on services important to them.
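The comment above mentions two controls an enterprise cloud customer would expect: restricting service access to known IP ranges and keeping an audit trail. The following Python sketch is an added example, not code from the original post or its commenters; it checks each request's source address against a CIDR allowlist, records every allow/deny decision in an in-memory audit trail, and summarises denials per user. The allowlisted networks, user names and sample requests are constructed stand-ins (the address ranges are the RFC 5737/3849 documentation blocks), not values from the page.

```python
"""Added example: source-IP allowlisting with an audit trail.
Names, networks and sample requests below are constructed, not from the page."""
import ipaddress
import json
from datetime import datetime, timezone

# Constructed allowlist standing in for corporate egress ranges (assumption).
ALLOWED_NETWORKS = [
    ipaddress.ip_network("203.0.113.0/24"),   # IPv4 documentation range
    ipaddress.ip_network("2001:db8:10::/48"),  # IPv6 documentation range
]

AUDIT_TRAIL = []  # in-memory stand-in for an append-only log store


def is_allowed_source(ip_text):
    """Return True only if ip_text parses and falls inside an allowed network."""
    try:
        addr = ipaddress.ip_address(ip_text)
    except ValueError:
        return False  # unparseable input is denied, never silently accepted
    # Membership across IP versions is simply False, so mixed v4/v6 is safe here.
    return any(addr in net for net in ALLOWED_NETWORKS)


def record_audit(user, source_ip, action, outcome):
    """Append one structured audit entry and return it."""
    entry = {
        "ts": datetime.now(timezone.utc).isoformat(),
        "user": user,
        "source_ip": source_ip,
        "action": action,
        "outcome": outcome,
    }
    AUDIT_TRAIL.append(entry)
    return entry


def authorize(user, source_ip, action):
    """Gate one request on the allowlist; every decision, not just denials, is logged."""
    outcome = "allow" if is_allowed_source(source_ip) else "deny"
    record_audit(user, source_ip, action, outcome)
    return outcome == "allow"


def denied_attempts_by_user(trail=None):
    """Count denials per user: the kind of view an operator would review or alert on."""
    counts = {}
    for entry in (trail if trail is not None else AUDIT_TRAIL):
        if entry["outcome"] == "deny":
            counts[entry["user"]] = counts.get(entry["user"], 0) + 1
    return counts


# Constructed sample requests: (user, source address, requested action).
SAMPLE_REQUESTS = [
    ("alice", "203.0.113.42", "mailbox.read"),      # inside IPv4 allowlist
    ("alice", "198.51.100.7", "mailbox.read"),      # outside allowlist
    ("bob", "2001:db8:10::5", "mailbox.read"),      # inside IPv6 allowlist
    ("bob", "not-an-ip", "mailbox.read"),           # malformed source
    ("mallory", "198.51.100.9", "password.reset"),  # outside allowlist
]


def run_samples():
    """Reset the trail, evaluate the sample requests, and return the decisions."""
    AUDIT_TRAIL.clear()
    return [authorize(user, ip, action) for user, ip, action in SAMPLE_REQUESTS]


if __name__ == "__main__":
    print(run_samples())
    print(json.dumps(denied_attempts_by_user(), indent=2))
```

The point of logging allows as well as denies is that an account used from a new but permitted location still leaves a record; a reviewer can correlate a sudden password reset with the address it came from instead of discovering the compromise from the outside, as happened in the incident the post describes.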