One of the biggest industry news stories in recent memory happened this past week when Twitter’s back office was ‘hacked’, causing an information leak of epic proportions. When the story broke, many read in stunned amazement. What I found in most of the blogs and stories I read after TechCrunch published the confidential documents was like an eyewitness account of a horrific train wreck. There were plenty of stories about the shock and horror of it all. But there were very few stories that got past that and began to deal with the real questions.
In my mind, here is a real question: What the *%@$ is Twitter doing using Gmail and Google Apps?!?!
The point of this whole sordid affair, in my opinion, is not that Twitter got hacked. Software systems get hacked every day. And no, it’s not that the Cloud failed, as many mainstream naysayers hinted. The cloud did not fail.
I could not believe Twitter, a company with billions on the line and a bull’s-eye painted on its chest, chose to entrust its most sensitive trade secrets and corporate documentation to a software service over which Twitter management could only have had limited control. Nobody failed here except Twitter (or Twitter’s IT Management/Advisors).
The implications for the IT service channel are clear: You can’t trust your customer’s data in the hands of third-party application providers whose security and compliance you cannot ultimately guide and control.
The Twitter leak underscores the importance of maintaining 100% control over your customer’s information when making the decision to recommend a ‘cloud computing’ solution. It also sheds a different light on the same argument I made for IT Service Providers to avoid the trap of the Google Apps Reseller model. In that blog post, I wrote that if you chose to align with Google Apps, “You are giving up the control over the operation of your customer’s most important applications: Productivity and Email. Opening up your IT Service practice to Google is nothing short of asking the fox to guard the henhouse.”
At the time I was writing from the perspective of protecting the information assets of the IT Service Provider. But the same argument holds true for the information assets of their customers. As a trusted advisor to your customer’s business you would never recommend they store sensitive information on a shared application system (i.e., a SaaS product you can’t control or make a party to your customer SLA). Never. Period. End of discussion. It’s not only Compliance 101, it is pure common sense. SaaS has its place in the new paradigm of cloud computing and 6fusion is a huge proponent of the multi-tenant architecture. But it doesn’t mean companies should ever disregard the principles and best practices of Risk Management.
I’m not out to slam GOOG in particular. It just seems platforms like Google Apps, or even Microsoft’s hosted Exchange and Office suite, are only geared for home consumers. I think this model has a long way to go before it is considered optimal for IT Service Professionals and their real-life business clients. It’s not about how big Google or Microsoft are or how much money they can plough into security. It is about control over the systems and data.
Let’s pause for a bit of Channel introspection: Imagine for a moment what would happen if YOU were the consultant or Managed Service Provider that recommended to the CEO of Twitter that he trust his company’s most sacred information on the Google platform, trying to shoehorn security best practices into what is, at best, a consumer price-driven product. Then imagine you got the call when the breach happened. Forget about why or how this happened. And don’t even think about pointing the finger at Google. The why or how is a moot point.
Whose precious reputation is really on the line in situations like this? Yours or Google’s?
Here’s the simple truth: After an incident like this, it would be nearly impossible to recover from the reputational damage to your IT Service operation. And Google? Well, to Google, your IT Service practice would be but minor collateral damage incurred en route to their seemingly relentless quest to topple Microsoft.
The message behind the unfortunate events at Twitter is clear: IT Service Providers must trust in themselves, and their own ability to harness the cloud, in order to earn the trust of their customers, which makes aligning your cloud strategy with the Google Apps of the world a very questionable step.