Control issues: How Twitter is forcing companies to rethink security and access

For a few hours last week, Twitter lost control of its platform. While the outcome could have been much worse, it's a wake-up call for anyone managing information security and employee access to data.

Twitter's harrowing security incident last week is a good reminder that many companies need to reassess the internal controls governing access to their tools and data, because it's never been harder to stop the bad guys at the perimeter.

For administrators at a big, very visible company like Twitter, it's not if your network defenses will be penetrated; it's when. It took Twitter several hours to regain control of its systems Wednesday after a small group of hackers were able to obtain the login credentials of a Twitter staffer and commandeer its account tools.

Twitter's experience was an extreme one, and while we don't know exactly how much information was compromised, the outcome could have been much, much worse. But it's clear that steps taken to improve controls in the aftermath of two other high-profile incidents — a 2010 settlement with the Federal Trade Commission over account access issues and the 2018 indictment of two employees who were spying for the Saudi Arabian government — were not enough, and there are lessons for everyone in the aftermath.

In a blog post Monday, security expert Bruce Schneier called the Twitter incident a "class break," describing this category as "security vulnerabilities that break not just one system, but an entire class of systems." "Class breaks are endemic to computerized systems," he wrote, "and they're not something that we as users can defend against with better personal security."

As more and more companies move critical applications to cloud services and use third-party enterprise software tools, modern identity management software has become a very important part of the tech department's toolkit. This need has only accelerated in a pandemic, during which so many employees are working from their home networks and outside of the traditional defenses around corporate networks.

Software from companies like Okta allows workers to securely access the internal corporate applications they need to do their jobs with "single sign-on" technology, sort of like a password manager for work. Then, once workers pass that test, other tools are needed that grant certain people access only to specific data sets or controls, so that one breach doesn't open up the entire company to an attacker.

At Twitter, lots of employees have access to user accounts. Any attempt to provide customer service requires that, to some extent, but it's also clear that the company needs to consider additional controls, such as requiring two employees to sign off on proposed changes to prominent user accounts.

Companies also need to move past the idea that a user who has entered the proper login credentials is a valid user, which is the premise of the so-called "zero trust" approach. The central idea here is paranoia: No person or device should be automatically trusted, whether outside or inside a network. Google pioneered this line of thinking over the last decade with an internal service called BeyondCorp.

It's not clear what type of approach is in place at Twitter, but the company has been operating without a chief information security officer in 2020, according to The Wall Street Journal. That vacancy will likely be filled in short order, and like lots of companies re-evaluating their internal processes in the wake of this incident, one of that person's first jobs will be to rethink how Twitter manages identity and access to its systems.
