10 Lessons IT Execs Should Learn from the Twitter and TechCrunch Document Dustup
Here's the background. A hacker apparently was able to access the Google account of a Twitter employee. Twitter uses Google Docs as a method to create and share information. The hacker apparently got at the docs and sent them to TechCrunch, which decided to publish much of the information. The entire event sent the Web world into a frenzy. How smart was Twitter to rely on Google applications? How can Google build up business-to-business trust when one hack opens the gates on corporate secrets? Can you define journalism as TechCrunch simply deciding to publish stolen documents? Whatever happened to journalists using documents as a starting point for a story rather than the end point story in itself?
There are also some lessons for business execs and information technology professionals in the Twitter/TechCrunch episode. Here are 10 lessons.
1. Don't confuse the cloud with secure, locked-down environments. Cloud computing is all the rage. It makes it easy to scale up applications, design around flexible demand and make content widely accessible. But the same attributes that make the cloud easy to access for everyone makes it, well, easy to access for everyone.
2. Cloud computing requires more, not less, stringent security procedures. In your own network would you defend your most vital corporate information with only a username and user-created password? I don't think so.
3. Putting security procedures in place after a hack is dumb. Security should be a tiered approach. Non-vital information requires less security than, say, your company's five-year plan, financials or salaries. If you don't think about this stuff in advance you will pay for it when it appears on the evening news.
4. Don't rely on the good will of others to build your security. Take the initiative. I like the ease and access of Google applications, but I would never include those capabilities in a corporate security framework without a lengthy discussion about rights, procedures and responsibilities. I'd also think about having a white hat hacker take a look at what I was planning.
5. The older IT generation has something to teach the youngsters. The world of business 2.0 is cool, exciting and full of holes. Those gray hairs in the server room grew up with procedures that might seem antiquated, but were designed to protect a company's most important assets.
6. Consider compliance. Compliance issues have to be considered whether you are going to keep your information on a local server you keep in a safe or a cloud computing platform. Finger-pointing will not satisfy corporate stakeholders or government enforcers.
7. Who do you trust? The emerging computing model of melding private and public clouds makes the most sense. Again, you need to have tight control over vital information. If you are going with a cloud vendor, how much control can you exert over the vendor's IT infrastructure? Can you tweak it to your specs or do you have to take what is offered?
8. Don't confuse consumer with corporate requirements. Google applications are great for sharing the little league roster and schedule or a list of your favorite BBQ joints. Those applications are not so good for sharing your corporate financial projections. Use the right tool for the job.
9. Learn from the mistakes of others. Your company is not Twitter, but that doesn't mean you are not a target of the hacking community. Your most important corporate information may be being shared right now on Web-based services. Do you know, have you asked the execs in your company if they are using Google and other shared cloud applications? I'll bet you'd be surprised by the amount of information going around the cloud.
10. Use strong passwords and change them regularly. Maybe you can't stop corporate information from leaking to the cloud, but at least give your co-workers some good advice in using strong passwords that are difficult to hack. Google has some tools to help in this and has sensible limits on the number of access attempts you can make before you are shut out. Use the capabilities that are present in the cloud community even if they are not up to your standards.