Microsoft should use Twitter data theft as hosted apps marketing FUD
By Joe Wilcox | Published July 16, 2009, 1:35 PM
Microsoft couldn't pay for counter marketing as good as this. Twitter has officially admitted to a security breach, via personal e-mail account, and the pilfering of confidential documents stored in Google Apps. Can you say, "On-premise computing?"
Based on the cycle of renewals, an unusually large number of Microsoft volume-licensing subscribers must re-up by July 31 or not at all. Given the econolypse's impact on IT spending and, because of layoffs, the number of seats to renew, those license renewals may come harder than ever. Then there are all those newfangled hosted applications, some from Microsoft, and Google's push into the enterprise with Google Apps Sync for Microsoft Outlook.
Microsoft talks about the "Apple Tax," but I've heard plenty of IT managers complain about the "Microsoft Tax" in reference to Software Assurance fees or CALs (client-access licenses). They see that off-premise hosting can cost loads less per employee, provide immediate software and feature upgrades and reduce management costs. It's to these businesses considering hosted services -- and not from Microsoft or one of its partners -- that the Twitter/Google Apps data breach could be used as effective counter marketing. Microsoft sales people can spin the story to emphasize the importance of on-premise software and to call out new security features coming in Windows 7.
Twitter cofounder Biz Stone blogged "Twitter: Even More Open Than We Wanted" yesterday. Sorry, I'm a day late putting perspective on this one. In fairness to Google and Twitter, there wasn't an overt security breach but pilfering of passwords that allowed unauthorized access. But details like that don't much matter in counter marketing, particularly when the audience is receptive, even if unsure about whether to stay with the Microsoft software they've got or embrace the next new thing.
Many enterprises -- some bound by regulatory obligations -- are wary of letting information outside the confines of the firewall. Hosted services are scary to them, because they don't want to lose control over data -- the corporate crown jewels. Yet off-premise hosting appeals to some businesses, for the aforementioned reasons.
Letting information outside corporate confines is really a fear factor thing, anyway. Major businesses let terabytes of data leave the firewall every day, on laptops, BlackBerries and other mobile devices. These are high-theft items that also are often used for personal and professional purposes. There is commingled personal-professional behavior and data, which creates huge risk of data loss or password pilfering.
Twitter's security breach really may be a woeful tale of what can happen when commingling goes awry. Biz Stone blogs:
"About a month ago, an administrative employee here at Twitter was targeted and her personal email account was hacked. From the personal account, we believe the hacker was able to gain information which allowed access to this employee's Google Apps account which contained Docs, Calendars, and other Google Apps Twitter relies on for sharing notes, spreadsheets, ideas, financial details and more within the company. Since then, we have performed a security audit and reminded everyone of the importance of personal security guidelines."
The red warning in that paragraph is "personal account." He continues:
"This attack had nothing to do with any vulnerability in Google Apps which we continue to use. This is more about Twitter being in enough of a spotlight that folks who work here can become targets. In fact, around the same time, Evan's wife's personal email was hacked and from there, the hacker was able to gain access to some of Evan's personal accounts such as Amazon and PayPal but not email. This isn't about any flaw in web apps, it speaks to the importance of following good personal security guidelines such as choosing strong passwords."
Evan refers to Twitter's CEO, Mr. Williams. Biz Stone doesn't reveal how the personal e-mail accounts were hacked. He doesn't have to. It's clear from the brief explanation that the hacker got access to passwords, some of which were likely the same across multiple accounts.
For Microsoft, the sales spin is obvious:
- Hosted applications are yet unproven compared to on-premise software. You get the security that you pay for.
- Microsoft software is the safer, known choice. You're in control of employee access and passwords, not some administrative assistant or unpaid summer intern.
- Windows 7 and Microsoft server software provide tools that allow IT organizations to control who has access to what.
- Windows Vista and 7 encryption tools can protect information leaving the corporate confines from theft or loss.
Bottom-line sales pitch: Renew your contracts now.
Microsoft couldn't ask for better timing, right at the close of a big volume-licensing renewal cycle. There's fear in the air, or there will be plenty if Microsoft's sales force stirs up some marketing FUD -- fear, uncertainty and doubt -- around the security of hosted apps served up by Web companies without a rich heritage of software development or a business model (e.g., not Microsoft or its partners).
Is it fair counter marketing? Well, no. Microsoft has got its own software security problems, and there was no hacking of Google Apps or Twitter -- just the pilfering of passwords. Marketing isn't about fairness but selling more stuff. Twitter's data loss is premo marketing ammo. Fire away, Microsoft.

This is not directly related to the article as the article is about MARKETING POTENTIAL, not technical realities...
The reality is that hosting 'stuff' on-premise vs. off-site is irrelevant. What's relevant is the increasing NEED to access same 'stuff' from anywhere.
So really your security question is do you trust yourself to provide access from anywhere more securely than say Google or not.
And your privacy/security question is do you trust an outside organisation more than your internal IT boys (aka. the human corporate rootkit) to not use/sell/whatever your precious 'stuff' or not.
One way or another, companies want and need access to their stuff from anywhere and this need isn't going to go away - it's going to keep dramatically increasing.
Score: 1
|Our users can access their stuff from anywhere, securely, and their "stuff" is not hosted by any third party company...crazy!!
Score: 1
|Very true. Of course, Microsoft will say this is horrible, that is until they can sell you some super expensive, proprietary product, to put all their, i mean, your information in the cloud....wait, that's right, they have Azturd coming.
Score: 1
|Your users have access to their stuff securely compared to what exactly...? or do you mean secure in an absolute sense, cause that would put the "crazy!!" at the end in context...
Sorry for the jibe... on-premise hosting is perfectly viable and often preferable, particularly if your IT systems are developed to the point of being truly a competitive advantage that of course needs to be kept internally and makes maintaining them valuable, but i believe the same can't be said for the avg. small business for instance, who have the same burning access-from-anywhere need, no IT differentiation so to speak and most definitely not a budget for lots of infrastructure ppl let alone security geeks.
Score: 0
|How many of these absurd Microsoft paid shill stories is Beta (I sold out to Microsoft) News going to run? These marketing points are beyond absurd...
"Hosted applications are yet unproven compared to on-premise software. You get the security that you pay for."
ROFL. Guess this guy never heard of a VPN? The last three companies i worked for had VPN access, which guess what? Required a username and password which could be guessed. Once logged in, you have complete access to the network. Or email access through that horrible Exchange web client. yeah, you can guess the username and password there too.
"Microsoft software is the safer, known choice. You're in control of employee access and passwords, not some administrative assistant or unpaid summer intern. "
Wow. What does this have to do with the Twitter email account user/password being guessed? Nothing. And calling Microsoft "safe" is hilarious.
"Windows 7 and Microsoft server software provide tools that allow IT organization to control who has access to what."
So does any hosting company. Google Docs provides this.
"Windows Vista and 7 encryption tools can protect information leaving the corporate confines from theft or loss."
Here is the kicker...further lock yourself into our proprietary super expensive tools and we will help make sure you can never migrate off our super expensive insecure software. Ever hear of a copy machine? Or a screen capture? USB drive? FTP? ROFL
Score: -2
|"ROFL. Guess this guy never heard of a VPN? The last three companies i worked for had VPN access, which guess what? Required a username and password which could be guessed. Once logged in, you have complete access to the network. Or email access through that horrible Exchange web client. yeah, you can guess the username and password there too."
If your network team has any idea what it's doing, then after a couple of wrong guesses the account gets locked out and someone gets alerted...and the password should require complexity...I guess security is only as good as your network/security team...but nice try there buddy.
"Wow. What does this have to do with the Twitter email account user/password being guessed? Nothing. And calling Microsoft "safe" is hilarious. "
Uh...it's basically the answer to your previous nonsense paragraph...YOU'RE in control of access, not some company that you HOPE has proper security implementations.
"So does any hosting company. Google Docs provides this."
you're obviously missing the point...
"Here is the kicker...further lock yourself into our proprietary super expensive tools and we will help make sure you can never migrate off our super expensive insecure software. Ever hear of a copy machine? Or a screen capture? USB drive? FTP? ROFL"
I actually don't know why I bothered responding to your post...I've made it a point to not even read your posts, but this one was particularly funny...thanks. :)
Score: 1
|@fatty
Excepting OWA, every single one of your examples *requires* physical access to company hardware, and those using VPN don't need OWA.
Requiring physical access to hardware is *far* more secure than some 3rd party website where your "control" is limited to login credentials only.
Score: 0
|Nobody in my company is allowed to store / use Google for any official use except search. And we dissuade employees from logging into google for using search...
First off, we don't trust Google itself for privacy issues...all our docs remains in house or our off site backup.
Score: 0
|Yup...not to mention the easy ability to "leak" out potentially confidential company information without ANY internal record of it happening if you allow storing things on google.
Score: 0
|Brilliant article. Microsoft could say that these hosted applications are just toys - buy from Microsoft so that you can protect your own data.
But Microsoft would have to tread lightly: they haven't exactly got a great record when it comes to system security. And Microsoft is also pushing their own hosted applications (Azure, Office Web Applications) - which is at odds with a FUD campaign against hosted applications.
Score: 2
|No sane IT department is going to host anything off-site. The very idea is ludicrous. I cannot even *begin* to imagine the liability to be incurred when something will invariably go wrong in that scenario.
Yeah, let's expose our employees' personal emails and files to the "cloud"...what could possibly go wrong?
Comical. This is relevant and insightful reporting? To whom?
Score: -2
|What are you talking about? Most organizations already host things off-site, and are moving more and more in that direction every year as web services improve and evolve.
Do you know how many organizations already use Gmail for Domains or Google Docs to organize their work? Do you know how many organizations already use hosted collaboration services like those from 37Signals? Do you know how many companies use Salesforce.com?
The cloud is an inevitability, but security in the cloud hasn't yet been figured out. It's very valid and relevant.
Score: 2
|"security in the cloud hasn't yet been figured"
All those companies? Not top 500/enterprise. Guaranteed.
If it "hasn't been figured" it is not an option. Simple as that.
This is it. That's the problem. All these companies you speak of are going to have *huge* problems....it's a virtual guarantee. There is no way to secure your private data unless it's on-site or in a controlled off-site environment (back-up data center). Period. Anything else is *begging* for lawsuits and incredible liability.
Score: 0
|Many of the top companies use such services. Some from this list:
http://www.basecamphq.com/buzz
Adidas, Best Buy, USA Today, World Bank, etc.
And that's just one service.
Using Salesforce.com: Siemens, Starbucks, Qualcomm, Dell, Kaiser, etc.
Score: 0
|LOL. I work at a Fortune 50 company and we outsource many "personal" things. Then again, we also use Microsoft software for lots of stuff so yeah, not a "sane" IT department. Comical, PC_Tool says something stupid again.
waiting for the "sarcasm" reply
Score: -1
|@nate:
Both of those companies have plenty of useful "online" tools you can use *without* storing or transmitting any personally identifiable data. Linking to their "testimonials" page tells us nothing regarding *how* they use the service.
Score: 0