The front-page headlines read "Hacker steals Twitter's confidential documents," but the real story isn't about Twitter ' it's that the stolen documents were stored online, "in the cloud." This could happen to any nonprofit or company storing data this way. As we've seen over and over, it's amazingly easy to guess or steal passwords. And anyone who gets access to the password of an employee with access to those online files gets access to all files shared with that employee. This can happen with internal network passwords as well, but there are differences:

• IT staff can require secure passwords for their own networks and email systems. They can't control the password requirements for web-based email accounts or cloud computing apps.
• IT staff can require employees to change their network passwords regularly. They can't do that for cloud apps.
• IT staff can test the security of passwords on their own networks. Do they do that with their employees' Google Doc passwords?
• IT can disable email and network accounts for former employees. Does anyone think to disable those employees' access to docs in the cloud?

I'm a fan of cloud computing, but we need to think carefully about how we keep sensitive data secure when it's stored beyond our control. Alan Gunn of Aspiration summed this up in a presentation he called "Best Practices for Hosted Data." A few of his points apply here:

• Know where all of your data lives. Keep this inventory up to date.
• Do everything you can to keep your data secure and private.
• Make sure your vendor(s) privacy and security standards are at least as good as yours.
• Understand the limits of free services.
• Ask up front: if you need to change vendors some day, will your data be portable?

Resources:

Learn more about cloud computing for your nonprofit or library on TechSoup's cloud page.

Lessons from Twitter's security breach

Twitter hacked by old technique - again

Aspiration's Best Practices for Hosted Data

TechSoup's Security Corner

Photo: Ben Scicluna