How Consumerization is Lowering Security Standards
Security and convenience are a direct tradeoff. The market need to make products convenient makes them insecure. Just ask Wired journalist Mat Honan, whose identity was stolen through his Amazon and Apple accounts.
Honan lost his data when a couple of 19-year-olds wanted his Twitter handle. They used no technical equipment except their phone. The two impersonated Honan in calls to the providers' help desks with only a few bits of personal info. First they changed his Amazon password, then his iCloud password, then his Google password, and finally his Twitter account. No encryption algorithm could have prevented that hack, which took all of half an hour.
The threat to the safety of cloud computing is in the numbers. Yahoo, LinkedIn, Dropbox, and eHarmony have lost millions of customer passwords in the last three months alone. Three of them host platforms. Yahoo Small Business, for example, is accessed with the user's Yahoo email password. Both Apple and Amazon host their customers' entire digital library, such as ebooks, music, personal notes, family photos--everything.
Consumerization is, in a sense, a democratization of technology where employees can pick the best products and services from the market. The IT department is left in a position to make recommendations and provide alternatives. For example, although employers are willing to incorporate employee-purchased iPhones into the enterprise, many will still issue the RIM Blackberry, which is far more secure.
And the difference between those two phones might be at the heart of the biggest challenge of consumerization of IT (CoIT): mob rule. Not too long ago, when the IT department dictated that Blackberries were the only phone, it was acting as a benevolent dictator. Security is Blackberry's greatest strength, yet it's a blip in sales to consumers.
The allure of cloud storage is its ease of use. A central repository that employees can access from anywhere on any device improves productivity because the user can work on the latest version and collaborate with colleagues and customers. If cloud providers adopted a stricter authentication policy, they would risk losing customers to a competitor that promises greater convenience--which is always a trade-off for security. In a risk management assessment, cloud providers might conclude that it's better to grow exponentially with a reduced security threshold and manage the fallout from a breach than to make a rock-solid system that no one will use.
Providers are already upselling convenience over security. Even though Android is not a secure mobile platform, nearly all providers make an app for it. In March, Dropbox partnered with Facebook, making it easier to share documents with friends.
And companies aren't anxious to upset their existing password policies. Just look at the actions of Apple and Amazon, even after the Mat Honan PR nightmare. According to Wired, Apple currently is "deciding how much strictness is required."
The cornerstone of consumerization is secure public servers--i.e. the cloud--to store and manage our digital life. Even credit cards are now stored in the cloud with Google Wallet. Yet few cloud providers have demonstrated a bulletproof method to keep customer data safe. Smaller companies such as Watchdox and FileTrek that initially offered cloud-based document management services are now marketing non-cloud enterprise-based solutions for hosting customer data. It makes sense. Among other reasons, even in very large companies, impersonating a user to change a password will be quickly detected by a help desk technician because the tech will likely know the caller.
Honan had done everything right. He backed up the local copies of his files to iCloud, but iCloud's tight integration with his devices, coupled with his password being changed for a stranger, allowed the service to reach into his hard drive and delete his personal and corporate data.
Tech giant clouds breached in 2012:
Yahoo -- In July, 435,000 passwords were stolen. What's worse, TrustedSec, the security firm that discovered the hack, said the passwords were stored in clear text so they could be used immediately.
LinkedIn -- In June, a Russian hacker lifted 6 million passwords that were inadequately encrypted. The hack revealed how little attention LinkedIn paid to security.
Dropbox -- In August, user names and passwords culled from other websites were tested on Dropbox accounts. One of those stolen passwords was used to access a Dropbox employee's account, which contained a project document with Dropbox user email addresses. [[Correction: An earlier version misstated the role of the Dropbox employee in this incident.]]
eHarmony -- In June, a hacker stole 1.5 million passwords from the dating service.
Apple and Amazon -- In August, both were duped by two men who wanted to steal a Twitter handle.