The front-page headlines read "Hacker steals Twitter’s confidential documents," but the real story isn’t about Twitter — it’s that the stolen documents were stored online, "in the cloud." This could happen to any nonprofit or company storing data this way. As we’ve seen over and over, it’s amazingly easy to guess or steal passwords. And anyone who obtains the password of an employee with access to those online files gains access to every file shared with that employee. This can happen with internal network passwords as well, but there are differences:
- IT staff can require secure passwords for their own networks and email systems. They can’t control the password requirements for web-based email accounts or cloud computing apps.
- IT staff can require employees to change their network passwords regularly. They can’t do that for cloud apps.
- IT staff can test the security of passwords on their own networks. Do they do that with their employees’ Google Docs passwords?
- IT staff can disable email and network accounts for former employees. Does anyone think to disable those employees’ access to docs in the cloud?