Security in The Cloud

17/07/2009 at 9:26 am

Twitter co-founder Evan Williams’ e-mail account getting hacked has got a lot of coverage this week (details of how it was done here). And it’s raised a lot of questions about just how secure The Cloud, hosted business applications and Web 2.0 services are.

I write this as the former managing director of an information security company, long-time hosted-applications user and founder of a Web 2.0 company — and I have to say, the biggest threat to online security is ignorance and laziness!

First off, let’s be clear, it was not Twitter the Application that was hacked, but Twitter the Staff — it was actually Williams’ e-mail account that was hacked, and that provided the hacker all he needed to then get into the Twitter company’s instance of Google Apps, giving access to the documents now in circulation. Twitter staff got targeted because they are high profile and the hacker knew the press would be interested in the story.

How did this happen?  Simple: Williams’ password was guessed.  Or to put it another way, he simply didn’t set a strong enough password and has now paid the price.

There are very obvious benefits to using web based services, not least of all in their convenience and availability. Because they are web based, and so reachable by any member of the public, they are at greater risk than an application or data store on a stand-alone server in a locked office that you need to walk over to use; but that isn’t very convenient. Broadly speaking, the risks of attack are offset by the convenience of the services — there is risk, but it’s worth taking for the upside.

But whether you use Cloud based applications or on-premise, it pays to follow these basic rules on password security:

  1. NEVER write your passwords down — make them easy to remember but personal to you so you don’t need to write them down
  2. Use a password system no one could ever guess.  Here’s a suggestion: take the first letters of a sentence you can easily remember, e.g. Ian Watches Formula 1 Every Other Sunday would become IWF1EOS — who is ever going to guess that as a password?  Factor in that the sentence could be about ANY aspect of your life and it becomes harder still for anyone to guess
  3. Never use the same password on more than one website — introduce just the smallest change between them, inspired by something about the site or service, e.g. add BA at the start or end for your online Barclays account, HO for Hotmail, WE for your WeCanDo.BIZ login etc.
  4. If you are asked to set a password reminder question, make it the most obscure option offered (things like your date of birth or mother’s maiden name may not be hard to find out) — make it something very few people, if any at all, know about you.  You might even want to lie about the answer, but if you do, make the answer memorable!
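The rules above can also be applied from the other side: the site that stores the password can check a new one against them when a user resets it. The Python below is an added example written for this post, not code from WeCanDo.BIZ. It builds the rule-2 mnemonic from a sentence, estimates the brute-force search space of a password, keeps a small constructed list of commonly guessed passwords, and flags a reset that is just the old password with a short tweak. The length and entropy thresholds, the similarity cut-off and the common-password sample are assumptions made for the example.

```python
"""Added example (not from the original post): a password-policy check that
encodes the post's rules from a defender's side. Thresholds, the common-password
sample and the similarity cut-off are assumptions made for this example."""
import difflib
import math
import string
from typing import List, Optional

# Constructed sample of frequently guessed passwords; a real deployment would
# load a large breached-password list instead.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome"}

MIN_LENGTH = 8            # assumed policy threshold
MIN_ENTROPY_BITS = 36     # assumed policy threshold
SIMILARITY_CUTOFF = 0.75  # assumed: above this ratio a new password is "the old one tweaked"
OTHER_CLASS_SIZE = 32     # assumed alphabet size for spaces and other symbols


def mnemonic_from_sentence(sentence: str) -> str:
    """Rule 2 from the post: first character of each word of a memorable sentence."""
    return "".join(word[0] for word in sentence.split())


def charset_size(password: str) -> int:
    """Size of the union of character classes the password draws from."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)
    if any(not (c.isalnum() or c in string.punctuation) for c in password):
        size += OTHER_CLASS_SIZE
    return size


def estimated_entropy_bits(password: str) -> float:
    """Brute-force search space in bits (length * log2(alphabet size)).

    This is an upper bound: it ignores dictionary words and predictable patterns,
    which is exactly why rule 2's mnemonics beat real words of the same length."""
    if not password:
        return 0.0
    return len(password) * math.log2(charset_size(password))


def is_trivial_variant(candidate: str, previous: str) -> bool:
    """True when the candidate is essentially the previous password with a short
    addition or substitution, the kind of change a guesser tries first."""
    ratio = difflib.SequenceMatcher(None, candidate.lower(), previous.lower()).ratio()
    return ratio >= SIMILARITY_CUTOFF


def check_password(candidate: str, previous: Optional[str] = None) -> List[str]:
    """Return the list of policy violations; an empty list means the password is accepted."""
    issues = []
    if len(candidate) < MIN_LENGTH:
        issues.append(f"shorter than {MIN_LENGTH} characters")
    if candidate.lower() in COMMON_PASSWORDS:
        issues.append("appears in the common-password list")
    bits = estimated_entropy_bits(candidate)
    if bits < MIN_ENTROPY_BITS:
        issues.append(f"estimated search space only {bits:.1f} bits")
    if previous is not None and is_trivial_variant(candidate, previous):
        issues.append("too similar to the previous password")
    return issues


if __name__ == "__main__":
    base = mnemonic_from_sentence("Ian Watches Formula 1 Every Other Sunday")
    site_specific = "WE" + base  # rule 3: site-specific prefix for the WeCanDo.BIZ login
    for pw in (base, site_specific, "password", "password1"):
        print(f"{pw!r}: {estimated_entropy_bits(pw):.1f} bits, issues={check_password(pw)}")
    # A reset that only appends a digit to the old password is rejected.
    print(check_password("password1", previous="password"))
```

Running it shows why rule 3's site-specific prefix does real work: the bare seven-character mnemonic IWF1EOS trips an eight-character minimum, while the WeCanDo.BIZ variant WEIWF1EOS passes. The entropy figure is only a ceiling on what a brute-force guesser faces; a password that is a dictionary word, or a guessable fact about the owner, is far weaker than its length suggests, which is the point of rules 2 and 4.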

Why not use these guidelines to come and reset your WecanDo.BIZ password?

Or you can also associate your WeCanDo.BIZ account with a Google, Facebook, Yahoo, Microsoft Live, OpenID or, yes, Twitter account so that you sign in to our site using that identity instead — that’s one less password to worry about, forget or have guessed.

Your comments and questions welcomed, just post below.
