Would the SONY Hack Work on a Google Drive Based Business?

Your Information IS your business, Keep It Safe

Google Drive & Docs
Google Drive & Docs

A modern business of ANY size is largely the sum of it’s data and documents. Keeping them safe and private is crucial for the survival of your business. Are you safe if you use Google services?

Security in the Post Sony Hack World

The Sony Pictures hack has shone the spotlight on the security issues posed by Internet connected systems, particularly those using Windows desktops. Sony, it will probably be revealed, got hacked via a spearfishing attack. Spearfishing is aiming a carefully crafted attack at an individual using personal information to make the attack seem like an email or document they expect, know, or want. Once they have allowed it into the network, lax security procedures and poor passwords gave them access to everything. However they got in, poor security procedures will ultimately be revealed to be the main culprit.

Sony Hack
Sony Hack

Passwords were stored in unencrypted files named “passwords”. Thousands of email messages stored in Microsoft Outlook .PST data files were copied. massive numbers of documents were just copied off the Sony servers and out to the web. It is obvious that security was lax, but the reason all this was copied is basically that it was all sitting on Sony servers, and the passwords were weak or available to the hackers.

This was a failure of the classic server-client network on a huge scale.

Security in the Google Cloud World

Google Drive Logo
Google Drive Logo

On the other hand, a business that keeps it’s workers on Chromebooks and stores data in the cloud is going to be in a better position to defend it’s data.

The documents, spreadsheets and mail are all stored on Google’s secure and backed up servers. Access is via individual user passwords. Documents can be private, shared with individuals, shared with domains (everyone in the business) or publicly.

There is one huge security advantage to this. Instead of documents being emailed around the company, they can be shared via email. This means that all that is sent is a link. A document in an email can be forwarded, copied and stolen. The document link will only work for someone logged into Google Drive as the recipient of the document. Anyone else that gets the link will not be able to access the document. This is a huge step up from emailing documents.

An Example of the Dangers of Sending Documents

Some time ago, I worked for a very large organization that used Microsoft Office. Everyone used Outlook for email. People inside the company sent contracts, proposals, memos and other documents as Word documents attached to emails.

In one large department, Instead of saving documents on the corporate servers, they began to go back to Outlook to find the last version of the document and worked on that. Then they sent it or saved it back to Outlook. Corporate data was not being saved on the file servers. Outlook .PST files grew to huge sizes.

Then, one Sunday night, the mail server for that department ran out of disk space. It tried to alert the Sysadmin, but there was no space on the server to process the email. The whole system collapsed at 2:35 AM and no-one knew anything was wrong until they arrived for work on Monday.

The lack of disk space had also prevented backups from running properly. Tape backups had failed weeks before, but no-one had checked the logs. It took two weeks to get the mail system running, and many users had lost hundreds of documents and revisions of documents. Some lost their entire email history, address book and calendar. For weeks, email flew around the organization begging for recent versions of contracts, proposals and other documents to be sent back to the originators. The fallout went on for a year or more.

As the Sysadmin for my department, I began monitoring the size of Outlook data files, and began delivering scathing warnings if they began to grow to large.

It was a lesson I never forgot.

And the Winner Is…

If Sony had been using Google cloud storage, how may this have played out?

E-mail would have been protected by storage in Google’s cloud. Google mail is accessible by web browser. The connection to Gmail is by a secure HTTPS connection. This would have made intercepting e-mail difficult to impossible. Attachments would have been replaced by links, and not accessible to the hackers without the relevant passwords. Email would have remained secure as long as passwords remained secure.

I have mentioned secure passwords a few times. A cloud based solution needs good password security. Sony obviously were using bad passwords and poor password procedures.

For Google Docs (the business version of Drive) User policy is controlled centrally by the Administrator and allows policy like good passwords and two factor authentication to be enforced.

Lastpass
Lastpass

A corporate account with Lastpass would have saved a lot of grief. Lastpass creates and stores secure passwords. Instead of using “Monkey” or “123456” everywhere, Lastpass will generate a real, unique and secure password for every site and then store it for you. Every time you visit that site while logged into lastpass, it will paste the password and username into the browser for you.

And even better, it is really secure, really cheap, and uses two factor authentication.

Singing the Praises of Two Factor Authentication  

Two factor authentication simply means you need something other that the password. The password is easily stolen, but a second form of identification means the password is not enough

The second factor or token can be one of those key-ring devices that shows a number every thirty seconds, a fingerprint, a retinal scan, or a usb dongle that has to be plugged into your computer before you can log in.

Every teller at my bank has to swipe a card and type a password before they can use a terminal. That card is their second factor.

The simplest one for most of us is an app for our phone or tablet. I use Google Authenticator. I have registered my Google Mail account, and when I login, I have 30 seconds to type in the six digit number displayed on my phone or tablet. I also have a sheet of six emergency codes. I keep that paper very safe, and have never had to use it. I always have a phone or tablet in range when I sit down at the computer.

The Cloud IS Secure

00131-drive-iconsAs we can see from this, using a cloud service like Google Docs is no less secure than storing everything on a local server.

Is it absolute security? No. No-one is even sure such a thing exists. It is all relative.

If the FBI, NSA, ASIO or GCHQ want your data, they will get it. But Google is working hard to make this process more difficult for them, and is making great strides.

This is a low friction, low cost option to provide secure storage and sharing of your data with high reliability, and no cost for a big IT team to keep it working.

REALLY Secure Information in the Cloud  

Some things really are secrets, rather that just private. There are ways to put the absolutely most secret things in the cloud to. They just require a little work to get them there.

More on that later – Enjoy!

Share

One Reply to “Would the SONY Hack Work on a Google Drive Based Business?”

Leave a Reply

Your email address will not be published. Required fields are marked *