On 17 March 2011, new details emerged about the hacking of security firm HBGary's Google cloud e-mail service by the Anonymous group in February 2011. HBGary had gained high visibility after a high-ranking employee of a related company, HBGary Federal, made public statements about infiltrating the Anonymous group in relation to the WikiLeaks incident in October 2010. An interview with HBGary CEO Greg Hoglund reveals that Anonymous gained access to HBGary's Google-hosted e-mail service through a stolen password. Hoglund became aware that the service was compromised, but was unable to prove his own identity to Google's help desk quickly enough to have the service shut down before Anonymous had downloaded his e-mail.
This security incident was a successful attack against HBGary, not against Google's cloud-based e-mail. It exposed no vulnerabilities in Google's service. But it did expose the risk of "one size fits all" service-level agreements (SLAs), which many cloud service providers impose in order to reduce the price of their services. While enterprise providers invariably offer different tiers of service with higher-touch, faster-response support at a higher price, many consumer-oriented offerings do not. When HBGary's visibility skyrocketed after the public statements from HBGary Federal, its management should have realized that attacks were likely and tested its incident-response processes.
Google's standard mechanism for authenticating a customer making service requests involves asking the customer to place a file on its own website. This works well in normal circumstances but failed when HBGary needed to immediately turn off access to its Google services after having already been forced to shut down its own website. No alternate or emergency response mechanisms had been defined in advance. Google had recently started offering two-factor authentication mechanisms, but HBGary had not taken advantage of that capability.
As a security company itself, HBGary should have realized the risk involved in using e-mail as a service in general, and in the potential pitfalls of the authentication approach for making emergency service changes when it signed the contract with Google. But cloud service providers such as Google should also offer either emergency access processes or higher-priced, higher-tier direct support for their enterprise customers, just as most enterprise product and service providers do.
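The failure described above is a verification process with a single channel (a token file served from the customer's own website) and no pre-agreed alternative. The following added example, which is not Google's mechanism or anything from the Gartner note, sketches how a provider-side identity check for emergency service requests can be built with a fallback defined in advance: the normal path fetches a token from a well-known path on the customer's site, and if the site is unreachable the request can still be authenticated with a one-time code derived from a secret shared when the contract was signed. The path `/.well-known/ownership-token.txt`, the token value, the shared secret and the `fetcher` callback are all constructed for illustration; the one-time codes follow RFC 4226 HOTP, which is the standard algorithm, so the block can be checked against the RFC test vectors.

```python
import hashlib
import hmac
import struct
from typing import Callable, Optional

# Hypothetical well-known path the provider asks the customer to publish a token at.
VERIFICATION_PATH = "/.well-known/ownership-token.txt"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HMAC-based one-time password (HMAC-SHA-1, dynamic truncation)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class OwnershipVerifier:
    """Provider-side check that a service request really comes from the domain owner.

    Primary channel: a token file served from the customer's website.
    Emergency channel: an HOTP code from a secret agreed at contract time, so the
    customer can still prove identity after taking its own website offline.
    """

    def __init__(self, domain: str, expected_token: str, emergency_secret: bytes,
                 fetcher: Callable[[str], str], lookahead: int = 3) -> None:
        self.domain = domain
        self.expected_token = expected_token
        self.emergency_secret = emergency_secret
        self.fetcher = fetcher            # injected so the example runs offline
        self.counter = 0                  # next HOTP counter the provider will accept
        self.lookahead = lookahead        # tolerate a few unused codes on the customer side

    def verify_by_website(self) -> bool:
        try:
            body = self.fetcher(f"https://{self.domain}{VERIFICATION_PATH}")
        except OSError:
            # Site down, DNS gone, connection refused: this channel is simply unavailable.
            return False
        return hmac.compare_digest(body.strip(), self.expected_token)

    def verify_by_emergency_code(self, code: str) -> bool:
        # Accept the next few counters, then advance past the one used so the
        # same code cannot be replayed by whoever observed it.
        for c in range(self.counter, self.counter + self.lookahead):
            if hmac.compare_digest(hotp(self.emergency_secret, c), code):
                self.counter = c + 1
                return True
        return False

    def verify(self, emergency_code: Optional[str] = None) -> str:
        """Return which channel authenticated the request, or 'denied'."""
        if self.verify_by_website():
            return "website"
        if emergency_code is not None and self.verify_by_emergency_code(emergency_code):
            return "emergency"
        return "denied"


def make_fetcher(site_up: bool, token: str) -> Callable[[str], str]:
    """Constructed stand-in for an HTTPS fetch: serves the token, or fails if the site is down."""
    def fetch(url: str) -> str:
        if not site_up:
            raise ConnectionError(f"{url}: site unreachable")
        return token + "\n"
    return fetch


def demo() -> dict:
    """Walk the two situations from the incident: site up, and site already taken down."""
    secret = b"12345678901234567890"        # constructed; RFC 4226 test secret, not a real key
    token = "example-ownership-token"       # constructed placeholder value
    site_up = OwnershipVerifier("example.com", token, secret, make_fetcher(True, token))
    site_down = OwnershipVerifier("example.com", token, secret, make_fetcher(False, token))
    return {
        "normal": site_up.verify(),
        "site_down_no_code": site_down.verify(),
        "site_down_with_code": site_down.verify(emergency_code=hotp(secret, 0)),
        "replayed_code": site_down.verify(emergency_code=hotp(secret, 0)),
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {outcome}")
```

The design point is not the particular second factor but that it exists before the incident and does not depend on infrastructure the customer may have to shut down during the response. The counter advancing after each accepted code is what keeps a code captured from the support call from being reused.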
Enterprises already using cloud-based services:
Enterprises evaluating cloud-based services:
Resource Id: 1600315