The Dark Side of Cloud Computing
We’ve all done it: we try to email something to a friend, and Outlook, or whatever mail client we use, accidentally selects a different contact to send to. It’s not such a big problem when you’re sending pictures of the baby or directions to the weekend barbecue, but what happens when you accidentally send sensitive information to the wrong person, like a journalist?
The problem is utterly compounded when you accidentally give access to your information sitting out in the cloud: things like sharing a Google Doc with the wrong person, or giving access to sensitive Google Analytics info to a journalist. Especially one who works for a competing media giant.
That’s exactly what happened at Community Newspaper Holdings recently. Apparently someone meant to share Google Analytics access for all their sites with a staffer named Denise Gallagher but instead shared access with David F. Gallagher, who writes the tech blog for The New York Times. If you were the person who gave access to the Times, I can sum up your thoughts on seeing this headline: “I’m in Your Google Docs, Reading Your Spreadsheets.” That thought has got to be “my career is over.”
There was a time when it would have taken a fair amount of criminal activity to get access to this much information about a company’s internal workings and Web site performance. Now an employee can accidentally drop it into the lap of a random outsider without even knowing that anything is amiss. That’s the power of cloud computing at work.
Most of the discussion about the security of online applications revolves around whether or not you can trust Google and its competitors to protect your data. In this case, CNHI needed to be protected from its own employee. Google could help with this by, for example, flashing a warning before you share a document with a person you have not exchanged e-mail with in Gmail. But in the end, security requires careful typing — and perhaps some careful decisions about whether some documents would be better left behind the corporate firewall.
Here’s the issue: as we all make more and more use of cloud computing apps like Google Docs and Google Analytics, we’re taking huge risks with not only our company data, but our professional lives. This is the one big failing that we tend to miss. The potential for error is so great that it’s really not a matter of if mistakes will happen; it’s a matter of how many, and how severe.
What Google has missed by forcing us to use Gmail addresses as the common login parameter for these apps is that, for business security reasons, we must be able to authenticate against our own internal, authoritative systems. It’s wrong to expect businesses to maintain access lists in potentially hundreds of cloud apps; instead, these apps need to open a bridge to the business so that one single point of authentication can be maintained. In this manner, it’s easy to add someone and, more importantly, easy to remove them if you need to.
This is a huge problem right now in business. I know of people who have left previous employers and are still having company email, including staff-only stuff and management-level group email, forwarded to them at their Gmail accounts. I know of situations where a year or two later, users still have access to external systems like Webex, etc. Is it all inept management? No, the problem is that the more logins you must manage, the more likely you’re going to forget something. And once in a while, that something is going to be really, really important.
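Until cloud apps authenticate against the internal system of record, the gap can at least be audited. The following is an added example, not code from the original post: it reconciles exported cloud-app grants against an authoritative directory and flags departed staff, outside addresses, and outside addresses that resemble an employee's name (the mis-shared Analytics case above). All names, addresses, app labels and the `review_grants` function are constructed for illustration.

```python
# Added example: names, addresses and app labels below are constructed.
# DIRECTORY stands in for the authoritative internal system of record.
DIRECTORY = {
    "denise.gallagher@corp.example": {"name": "Denise Gallagher", "active": True},
    "priya.nair@corp.example": {"name": "Priya Nair", "active": True},
    "sam.ortiz@corp.example": {"name": "Sam Ortiz", "active": False},  # has left
}

# (app, grantee) pairs as exported from each cloud app's sharing or user list.
GRANTS = [
    ("analytics", "priya.nair@corp.example"),
    ("analytics", "D.Gallagher@other-media.example"),
    ("webconf", "sam.ortiz@corp.example"),
    ("mail-forward", "sam.ortiz@webmail.example"),
    ("docs", "vendor@partner.example"),
]


def review_grants(directory, grants):
    """Return (app, grantee, reason) for every grant the directory cannot justify."""
    surnames = {e["name"].split()[-1].lower() for e in directory.values()}
    findings = []
    for app, grantee in grants:
        addr = grantee.lower()
        entry = directory.get(addr)
        if entry is not None and entry["active"]:
            continue  # current employee, backed by the directory
        if entry is not None:
            reason = "departed"  # account outlived the employment
        elif any(s in addr.split("@")[0] for s in surnames):
            # Outside address that resembles a directory name: a mistyped
            # share or a personal mailbox. Substring matching is crude and
            # will over-flag short surnames; treat hits as review items.
            reason = "external-lookalike"
        else:
            reason = "external"
        findings.append((app, addr, reason))
    return findings


if __name__ == "__main__":
    for app, addr, reason in review_grants(DIRECTORY, GRANTS):
        print(f"{app:13} {addr:34} {reason}")
```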