Wednesday, 15 July 2009

Security in the cloud

One of the areas we've been looking at is how much of our commodity services we can outsource. Student email is an obvious one (and we're doing that from September), but what about staff mail and file storage? Everything comes with a risk, and these have to be analysed and assessed and a decision taken. One of the criticisms often thrown at us is that we can appear to be risk averse. I'm a great believer in taking risks, as long as they have been carefully assessed and the consequences of the risk materialising or not are fully understood.

The company Twitter took a risk when it started up by using Google for email and storing their corporate data with them in the cloud. I don't know how carefully they assessed the risk, what security measures they should put in place, and the possible damage that could be done to the company if that data somehow got out, but they might be wishing they'd looked a bit closer at it now.

A French hacker announced yesterday that he'd managed to get hold of hundreds of confidential documents, apparently by using password recovery techniques (i.e. guessing the answers to key questions and having the passwords mailed to an address of his choosing). The technology blog TechCrunch has got hold of this information and is in the process of publishing parts of it. There's a row going on about how ethical it is for this information to be published, but alongside that, and more relevant to us, questions are being asked about just how secure cloud computing is. There's no question of Google's servers having been hacked, just that Twitter employees did not have very secure passwords or password recovery questions.

It's an issue we will have to deal with carefully as we make decisions about whether to make more use of the cloud and what for. It all goes back to the main security weak spot in any system being people!

EDIT: If you're interested in how that hack worked (and it was relatively simple), TechCrunch have published it here. Makes sobering reading for those of us who use a lot of web apps and struggle to remember passwords.


Phillip Fayers said...

Computing would be so much easier to deal with without the people.

Back in 2004 a survey reported by the BBC claimed that "more than 70% of people would reveal their computer password in exchange for a bar of chocolate".

I would have been in the 70%. I'd happily make up a password to give to someone running a survey in exchange for a chocolate bar.

Anonymous said...

Certainly the limited storage of your IMAP service makes it practically unusable as IMAP, so you need to do something pretty quick! A few Gb of storage each is the minimal requirement.

As for outsourcing storage I think you might enjoy The Scarecrow by Michael Connelly...or perhaps it might give you nightmares...

masked & anonymous said...

"Certainly the limited storage of your IMAP service makes it practically unusable as IMAP, so you need to do something pretty quick! A few Gb of storage each is the minimal requirement."

Unusable if you don't actually manage your email & why do they need to do something quick?

Anonymous said...

Someone keeps deleting my replies! That's the trouble with blogs!

Most staff will need access to all their emails all the time from anywhere. A few Gb is needed on IMAP for this, not a few Mb.

Chris Sexton said...

"Someone keeps deleting my replies"

Yes. I do.