Twitter hack spurs cloud computing security debate

Revelations on Wednesday that a hacker was able to hijack sensitive Twitter company documents have spurred discussion around the potential security implications of on-demand computing.
As more organizations move toward cloud services, they must consider the possible data security consequences, Amrit Williams, CTO of security and systems management firm BigFix, told SCMagazineUS.com on Thursday.
In the case of Twitter, an intruder using the alias "Hacker Croll" was able to crack the password to a high-ranking employee's personal email account, which, in turn, gave him access to that worker's Google Apps account, according to a blog post Wednesday written by Biz Stone, Twitter's co-founder.
The account stored sensitive Twitter communications, including financial reports and plans for a reality show based on the popular microblogging service, according to TechCrunch, a tech blog. TechCrunch received more than 300 documents from Hacker Croll and decided to publish some on Wednesday.
"Any organization that uses Google -- or any third-party for providing services -- has no validation that the right level of security controls are being implemented," Williams said. "People are running headlong into cloud computing without really understanding the ramifications."
But others said the fault should rest with Twitter for practicing lax security policies.
"This is not really about the innate security or insecurity of cloud computing," said Keith Crosley, director of market development at email security firm Proofpoint. "It's about password security. This hack can happen to any enterprise that makes web-based email available."
He told SCMagazineUS.com on Thursday that organizations must enforce a strong password policy and require their employees to change the passwords on their email accounts regularly.
Jim Walden, a former chief of the Computer Crimes Section in the U.S. Attorney's Office in New York and now a lawyer specializing in white-collar crime, said the problem is that Twitter permitted an employee to keep confidential company information linked to a personal email account.
"If an employee was permitted to keep such vital information on his personal email account, there are effectively no safeguards," Walden said. "If the employee was not permitted to keep it there, someone needs to investigate whether this was a lapse or an attempted theft. Either way, Twitter has a new and expensive problem, which will carry reputational consequences."
A Twitter spokesperson did not respond to a request for comment.