July 16, 2009
Twitter Email Hack: How Secure are Your Passwords?
Interesting news out today about Twitter employees' email accounts and Google Docs accounts being compromised by one "Hacker Croll" who gained access to hundreds of confidential documents and then sent a large number of them to TechCrunch... which proceeded to publish much of the information related to Twitter's business plans and internal strategy.
Now, your business may not be under the same kind of spotlight as Twitter's, but this sort of attack should serve as a wake-up call to take a close look at your own email security policies - especially those related to end-user passwords. My main observation: This is not a story about the security of cloud computing services - this sort of hack could happen to almost any enterprise that makes corporate email access available via the web.
I've talked to a couple of news outlets about this issue today and you can read my comments in the following TechNewsWorld and SC Magazine stories:
TechNewsWorld: Twitter Hack Opens Pandora's Box of Security Issues:
This episode does not reflect negatively on cloud security, argued Keith Crosley, director of market development for Proofpoint.
"I was having a discussion over email earlier this morning where people were asking me if this was an example that suggested cloud computing is innately less secure than on-premises approaches -- particularly to email," Crosley told the E-Commerce Times.
"I don't believe this is the case. Even if an enterprise doesn't outsource its email to a SaaS solution like Google Apps, many, if not most, organizations make some sort of Web access to corporate email available."
A breach of the corporate email system could happen in those cases just as easily as one could breach a Gmail/Google Apps account, he said.
"All the hacker would have to know or guess is the address to access the OWA system and execute a successful social engineering or brute force attack on an account or accounts."
SC Magazine: Twitter hack spurs cloud computing security debate:
"This is not really about the innate security or insecurity of cloud computing," said Keith Crosley, director of market development at email security firm Proofpoint. "It's about password security. This hack can happen to any enterprise that makes web-based email available."
He told SCMagazineUS.com on Thursday that organizations must enforce strong password policy and force their employees to make regular password changes on email accounts.
Employees often demand web-based access to email, and it greatly increases the utility of corporate email, but proper security policies should be in place to minimize the risks. Here are a few tips for increasing the security of web-based email used by your organization:
- Enterprises should enforce “strong” password policies (at a minimum, a length requirement, rejection of common or easily guessed passwords, and lockout or rate limiting of failed logins so that the brute force attacks mentioned above are not practical) as well as regular password changes. I’m not sure if the “enterprise” version of Google Apps has such a feature to enforce such policies, but it should.
- For extra security, webmail can be protected by two-factor authentication (not just a password, but also a USB token or similar), so that a guessed or phished password alone is not enough to get into an account. Many enterprises do this, though many do not.
- Keep in mind that email continues to be the de facto filing system and file transfer system in the enterprise. It’s nearly impossible to change this behavior, but as the Twitter hack shows, *massive* amounts of confidential information reside in the email system. Adopting an easy-to-use solution for secure file transfer – to send files that are large or that require extra security “out of band” from the email system – and encouraging employees to use it for any file that contains sensitive data can help solve this problem. (Proofpoint offers such a solution – http://www.proofpoint.com/sft – but of course there are others.)
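To make the first tip concrete, here is an added example (written for this post, not Proofpoint product code or anything from the original article) of what a webmail login should enforce: a password policy check at enrollment, salted PBKDF2 storage, and a per-account lockout so that the kind of brute force guessing described above stalls after a handful of attempts. The thresholds (12 characters, three character classes, five failures, 15-minute lockout), the short common-password list, the PBKDF2 iteration count and the account names are all assumptions made for the demo; the guess list is constructed, not from any real attack.

```python
import hashlib
import hmac
import os
import re
import time

# Constructed short list of common passwords for the demo; a real deployment
# would check against a large breached-password corpus.
COMMON_PASSWORDS = {"password", "password1", "123456", "qwerty", "letmein", "welcome", "twitter"}

MIN_LENGTH = 12          # assumed policy threshold
MIN_CHAR_CLASSES = 3     # assumed policy threshold


def check_password_policy(password, username=""):
    """Return a list of policy violations; an empty list means the password is acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    classes = sum(1 for pat in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]") if re.search(pat, password))
    if classes < MIN_CHAR_CLASSES:
        problems.append("uses fewer than %d character classes" % MIN_CHAR_CLASSES)
    if password.lower() in COMMON_PASSWORDS:
        problems.append("appears in the common-password list")
    if username and username.lower() in password.lower():
        problems.append("contains the username")
    return problems


class WebmailAuth:
    """Toy credential store for a webmail front end: salted PBKDF2 hashes plus
    per-account lockout so online guessing stalls after a few attempts."""

    def __init__(self, max_failures=5, lockout_seconds=900, iterations=50_000, clock=time.time):
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self.iterations = iterations   # kept low for the demo; use far more in production
        self.clock = clock             # injectable so lockout expiry can be tested
        self.accounts = {}

    def _hash(self, password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, self.iterations)

    def enroll(self, username, password):
        """Store a new account, refusing any password that fails the policy."""
        problems = check_password_policy(password, username)
        if problems:
            raise ValueError("password rejected: " + "; ".join(problems))
        salt = os.urandom(16)
        self.accounts[username] = {
            "salt": salt,
            "hash": self._hash(password, salt),
            "failures": 0,
            "locked_until": 0.0,
        }

    def login(self, username, password):
        """Return 'ok', 'bad_credentials' or 'locked'.
        Unknown usernames get the same answer (and the same hashing cost) as wrong
        passwords, so the login form does not reveal which accounts exist."""
        now = self.clock()
        acct = self.accounts.get(username)
        if acct is None:
            self._hash(password, b"\x00" * 16)
            return "bad_credentials"
        if now < acct["locked_until"]:
            return "locked"
        if hmac.compare_digest(self._hash(password, acct["salt"]), acct["hash"]):
            acct["failures"] = 0
            return "ok"
        acct["failures"] += 1
        if acct["failures"] >= self.max_failures:
            acct["locked_until"] = now + self.lockout_seconds
            acct["failures"] = 0
        return "bad_credentials"


def simulate_guessing(auth, username, guesses):
    """Replay a constructed guess list against one account and return each attempt's outcome."""
    return [auth.login(username, g) for g in guesses]


if __name__ == "__main__":
    auth = WebmailAuth(max_failures=3)
    auth.enroll("alice", "Correct-Horse-42-Battery")
    print(check_password_policy("password1", "alice"))
    print(simulate_guessing(auth, "alice", ["password", "123456", "twitter", "Correct-Horse-42-Battery"]))
```

Note what the last line of the demo shows: once three guesses have failed, even the correct password is answered with "locked" until the window expires, which is exactly the behaviour that turns an OWA or Google Apps login page from an unlimited guessing oracle into something an attacker cannot grind through. The lockout is tracked per account here; a production system would also rate-limit by source address and alert on the pattern.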