Protocol | Enterprise
By Tom Krazit
Control issues: How Twitter is forcing companies to rethink security and access

For a few hours last week, Twitter lost control of its platform. While the outcome could have been much worse, it's a wake-up call for anyone managing information security and employee access to data.

[Image: An iPhone with the Twitter logo on the screen. Photo: Sara Kurfeß on Unsplash]
Twitter's harrowing security incident last week is a good reminder that many companies need to reassess the internal controls governing access to their tools and data, because it's never been harder to stop the bad guys at the perimeter.

For administrators at a big, very visible company like Twitter, it's not a question of if your network defenses will be penetrated; it's when. It took Twitter several hours to regain control of its systems Wednesday after a small group of hackers was able to obtain the login credentials of a Twitter staffer and commandeer its account tools.

Twitter's experience was an extreme one, and while we don't know exactly how much information was compromised, the outcome could have been much, much worse. But it's clear that steps taken to improve controls in the aftermath of two other high-profile incidents — a 2010 settlement with the Federal Trade Commission over account access issues and the 2018 indictment of two employees who were spying for the Saudi Arabian government — were not enough, and there are lessons in it for everyone.

In a blog post Monday, security expert Bruce Schneier called the Twitter incident a "class break," describing this category as "security vulnerabilities that break not just one system, but an entire class of systems." "Class breaks are endemic to computerized systems," he wrote, "and they're not something that we as users can defend against with better personal security."

As more and more companies move critical applications to cloud services and use third-party enterprise software tools, modern identity management software has become a very important part of the tech department's toolkit. This need has only accelerated in a pandemic, during which so many employees are working from their home networks and outside of the traditional defenses around corporate networks.

Software from companies like Okta allows workers to securely access the internal corporate applications they need to do their jobs with "single sign-on" technology, sort of like a password manager for work. Then, once workers pass that test, other tools are needed that grant certain people access only to specific data sets or controls, so that one breach doesn't open up the entire company to an attacker.

At Twitter, lots of employees have access to user accounts. Any attempt to provide customer service requires that, to some extent, but it's also clear that the company needs to consider additional controls, such as requiring two employees to sign off on proposed changes to prominent user accounts.

Companies also need to move past the idea that a user who has entered the proper login credentials is a valid user — the so-called "zero trust" approach. The central idea here is paranoia: No person or device should be automatically trusted outside or inside a network, and Google pioneered this line of thinking over the last decade with an internal service called BeyondCorp.
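One way to encode the three controls described above (a role may only perform the actions it needs, a valid login alone is not trusted, and changes to prominent accounts need a second employee's sign-off) as a single policy check. This is an added illustration, not Twitter's or any identity vendor's code; the account IDs, roles and session fields are constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import Tuple

# Constructed sample policy data (assumed, not any real company's configuration).
PROTECTED_ACCOUNTS = {"acct-1001"}          # prominent accounts needing two-person sign-off
ACTION_ROLES = {                            # least privilege: which roles may do which action
    "reset_email": {"support", "security"},
    "view_profile": {"support", "security", "readonly"},
}
APPROVER_ROLES = {"support-lead", "security"}

@dataclass
class Session:
    employee: str
    role: str
    mfa_fresh: bool        # MFA completed recently for this session
    managed_device: bool   # request originates from a company-managed device

@dataclass
class ChangeRequest:
    requester: str
    target_account: str
    action: str
    approvers: set = field(default_factory=set)

def approve(req: ChangeRequest, approver: Session) -> None:
    """Second-person approval: a different employee, approver role, strong session."""
    if approver.employee == req.requester:
        raise PermissionError("requester cannot approve their own change")
    if approver.role not in APPROVER_ROLES:
        raise PermissionError(f"role {approver.role!r} may not approve")
    if not (approver.mfa_fresh and approver.managed_device):
        raise PermissionError("approver needs fresh MFA on a managed device")
    req.approvers.add(approver.employee)

def authorize(req: ChangeRequest, session: Session) -> Tuple[bool, str]:
    """Decide whether the requester's current session may perform req now."""
    if session.employee != req.requester:
        return False, "session does not belong to requester"
    # Zero trust: correct credentials alone are not enough to act.
    if not (session.mfa_fresh and session.managed_device):
        return False, "fresh MFA and managed device required"
    # Least privilege: the role must be allowed this action at all.
    if session.role not in ACTION_ROLES.get(req.action, set()):
        return False, f"role {session.role!r} cannot {req.action}"
    # Two-person rule: prominent accounts need one other employee's approval.
    if req.target_account in PROTECTED_ACCOUNTS and not (req.approvers - {req.requester}):
        return False, "protected account: second employee must approve"
    return True, "allowed"
```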

It's not clear what type of approach is in place at Twitter, but the company has been operating without a chief information security officer in 2020, according to The Wall Street Journal. That vacancy will likely be filled in short order, and like lots of companies re-evaluating their internal processes in the wake of this incident, one of that person's first jobs will be to rethink how Twitter manages identity and access to its systems.
