People

Control issues: How Twitter is forcing companies to rethink security and access

For a few hours last week, Twitter lost control of its platform. While the outcome could have been much worse, it's a wake-up call for anyone managing information security and employee access to data.

An iPhone with the Twitter logo on the screen.

Photo: Sara Kurfeß on Unsplash
Twitter's harrowing security incident last week is a good reminder that many companies need to reassess the internal controls governing access to their tools and data, because it's never been harder to stop the bad guys at the perimeter.

For administrators at a big, very visible company like Twitter, it's not if your network defenses will be penetrated; it's when. It took Twitter several hours to regain control of its systems Wednesday after a small group of hackers were able to obtain the login credentials of a Twitter staffer and commandeer its account tools.

Twitter's experience was an extreme one, and while we don't know exactly how much information was compromised, the outcome could have been much, much worse. But it's clear that steps taken to improve controls in the aftermath of two other high-profile incidents — a 2010 settlement with the Federal Trade Commission over account access issues and the 2018 indictment of two employees who were spying for the Saudi Arabian government — were not enough, and there are lessons for everyone in the aftermath.

In a blog post Monday, security expert Bruce Schneier called the Twitter incident a "class break," describing this category as "security vulnerabilities that break not just one system, but an entire class of systems." "Class breaks are endemic to computerized systems," he wrote, "and they're not something that we as users can defend against with better personal security."

As more and more companies move critical applications to cloud services and use third-party enterprise software tools, modern identity management software has become a very important part of the tech department's toolkit. This need has only accelerated in a pandemic, during which so many employees are working from their home networks and outside of the traditional defenses around corporate networks.

Software from companies like Okta allows workers to securely access the internal corporate applications they need to do their jobs with "single sign-on" technology, sort of like a password manager for work. Then, once workers pass that test, other tools are needed that grant certain people access only to specific data sets or controls, so that one breach doesn't open up the entire company to an attacker.

At Twitter, lots of employees have access to user accounts. Any attempt to provide customer service requires that, to some extent, but it's also clear that the company needs to consider additional controls, such as requiring two employees to sign off on proposed changes to prominent user accounts.
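One way to express the "two employees sign off" control described above, as an added example that is not Twitter's code: a small policy check in which ordinary account changes need one support operator, while changes to a prominent account also need two distinct approvers who hold an approver role and are not the requester. The role names, the "prominent" flag and the sample staff are assumptions for illustration.

```python
"""Dual-control gate for privileged changes to user accounts (added example)."""
from __future__ import annotations
from dataclasses import dataclass, field
from typing import List, Tuple

# Assumed policy values; a real deployment would load these from config.
REQUIRED_APPROVERS = 2
OPERATOR_ROLE = "support"
APPROVER_ROLE = "support-lead"


@dataclass(frozen=True)
class Employee:
    uid: str
    roles: frozenset


@dataclass
class ChangeRequest:
    target_account: str
    target_is_prominent: bool   # assumed flag marking high-profile accounts
    action: str
    requester: Employee
    approvals: List[Employee] = field(default_factory=list)


def evaluate(req: ChangeRequest) -> Tuple[bool, str]:
    """Return (allowed, reason) for a proposed account change."""
    if OPERATOR_ROLE not in req.requester.roles:
        return False, "requester lacks the operator role"
    if not req.target_is_prominent:
        return True, "ordinary account: single-operator change allowed"
    # Self-approval never counts, and one approver listed twice counts once.
    distinct = {a.uid: a for a in req.approvals if a.uid != req.requester.uid}
    qualified = [a for a in distinct.values() if APPROVER_ROLE in a.roles]
    if len(qualified) < REQUIRED_APPROVERS:
        return False, (f"prominent account: {len(qualified)}/{REQUIRED_APPROVERS} "
                       "qualified approvals present")
    return True, "prominent account: dual control satisfied"


if __name__ == "__main__":
    # Constructed sample staff and requests.
    alice = Employee("alice", frozenset({OPERATOR_ROLE}))
    bob = Employee("bob", frozenset({OPERATOR_ROLE, APPROVER_ROLE}))
    carol = Employee("carol", frozenset({APPROVER_ROLE}))
    for req in (ChangeRequest("user-123", False, "reset_email", alice),
                ChangeRequest("vip-1", True, "reset_email", alice, [bob]),
                ChangeRequest("vip-1", True, "reset_email", alice, [alice, bob]),
                ChangeRequest("vip-1", True, "reset_email", alice, [bob, carol])):
        print(req.target_account, evaluate(req))
```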

Companies also need to move past the idea that a user who has entered the proper login credentials is a valid user — the so-called "zero trust" approach. The central idea here is paranoia: No person or device should be automatically trusted outside or inside a network, and Google pioneered this line of thinking over the last decade with an internal service called BeyondCorp.

It's not clear what type of approach is in place at Twitter, but the company has been operating without a chief information security officer in 2020, according to The Wall Street Journal. That vacancy will likely be filled in short order, and like lots of companies re-evaluating their internal processes in the wake of this incident, one of that person's first jobs will be to rethink how Twitter manages identity and access to its systems.

Enterprise

Why Thomas Kurian thinks cloud computing is on the brink of a new era

Kurian tapped his enterprise experience from 22 years at Oracle to reshape Google Cloud as an open, hybrid and multicloud player. What comes next?

Google Cloud CEO Thomas Kurian spoke with Protocol.

Photo courtesy of Google/Weinberg-Clark Photography

When Thomas Kurian landed the CEO role at Google Cloud, he was welcomed as a respected technologist and executive bringing 22 years of needed enterprise chops from Oracle for a substantial undertaking: turning an underdog into a heavyweight contender for meeting major corporations’ cloud needs.

At the Google Cloud Next conference in early 2019, Alphabet and Google CEO Sundar Pichai introduced Kurian, then about three months into his tenure, as a “tremendous leader with a powerful vision” who already had met with hundreds of customers and partners and whose “personal productivity is testing the limits of G Suite and Calendar.”

Donna Goodison

Donna Goodison (@dgoodison) is Protocol's senior reporter focusing on enterprise infrastructure technology, from the 'Big 3' cloud computing providers to data centers. She previously covered the public cloud at CRN after 15 years as a business reporter for the Boston Herald. Based in Massachusetts, she also has worked as a Boston Globe freelancer, business reporter at the Boston Business Journal and real estate reporter at Banker & Tradesman after toiling at weekly newspapers.

Now that most organizations are returning to the office, there are varying extremes: some leaders demand that employees return to the office, with some employees revolting and some rejoicing to be together again. On the other hand, some companies have closed physical offices and made remote work permanent, creating a sigh of relief for some employees and frustration for others.

Most of us are somewhere in between, trying our best to take a measured approach at building the right hybrid strategy tailored to company culture. Some seemingly have begun to crack the code, while the majority are grappling with the when, how, why, and who of this new hybrid work reality.

Nathan Coutinho

Nathan Coutinho leads Logitech's global conferencing business strategy and analyst relations. A Swiss company focused on innovation and quality, Logitech designs products and experiences that have an everyday place in people's lives. Coutinho leads strategy and execution of Logitech's video conferencing solutions, from personal solutions to highly scalable conference rooms. Coutinho has more than 25 years of experience in the IT industry with various roles in executive leadership, consulting, engineering, marketing and technical sales.

Enterprise

AWS employees say evidence of misconduct hides in plain sight

Such is the reality of today’s corporate environment.

There was hope this report would be the catalyst to institute more systemic change within both ProServe and the whole of AWS.

Image: Henrique Casinhas/SOPA Images/LightRocket via Getty Images

It’s a tale as old as, well, the last few years. And this month, it’s AWS that got to live it.

The company recently outlined to employees the findings of an external probe conducted by Oppenheimer Investigations Group into a troubled division of the sprawling cloud giant. Known shorthand as ProServe, it’s the unit that helps customers make the most of AWS products.

Joe Williams

Joe Williams is a writer-at-large at Protocol. He previously covered enterprise software for Protocol, Bloomberg and Business Insider. Joe can be reached at JoeWilliams@Protocol.com. To share information confidentially, he can also be contacted on a non-work device via Signal (+1-309-265-6120) or JPW53189@protonmail.com.

Climate

Sealed finds a market in home decarbonization

Sealed offers homeowners the chance to save money and help protect the planet.

Sealed is convincing homeowners to look at their HVAC systems and insulation in order to save energy and money.

Photo: Gabe Souza/Portland Press Herald via Getty Images

Shiny silver panels hug the walls of Andy Frank’s attic; they vaguely remind me of a child’s robot Halloween costume. A sticky-looking foam lines both the gaps in the attic’s floorboards and the roof, plugging up holes where squirrels could have once taken shelter.

The space is positively sweat-inducing, even for the mere minute I have my head poking above the trapdoor.

Lisa Martine Jenkins

Lisa Martine Jenkins is a senior reporter at Protocol covering climate. Lisa previously wrote for Morning Consult, Chemical Watch and the Associated Press. Lisa is currently based in Brooklyn, and is originally from the Bay Area. Find her on Twitter (@l_m_j_) or reach out via email (ljenkins@protocol.com).

Workplace

Experts say tech companies need to prepare for the next SCOTUS decision

HR experts said companies need to be proactive about protections for contraception, privacy and LGBTQ+ rights.

Experts say tech leaders need to start thinking about future Supreme Court rulings.

Photo: Anna Moneymaker/Getty Images

Tech companies are still trying to prepare for a post-Roe world. But it might already be time to think about what the Supreme Court is planning next.

When the Supreme Court overturned Roe v. Wade Friday, Justice Clarence Thomas wrote in a concurring opinion that the court should also reconsider rulings protecting contraception and same-sex relationships, citing Griswold, Lawrence and Obergefell. If those decisions were ever overruled, it would have massive implications for everyone, but especially for employees living in states where same-sex marriage is at risk of becoming illegal without a federal shield.

Lizzy Lawrence

Lizzy Lawrence (@LizzyLaw_) is a reporter at Protocol, covering tools and productivity in the workplace. She's a recent graduate of the University of Michigan, where she studied sociology and international studies. She served as editor in chief of The Michigan Daily, her school's independent newspaper. She's based in D.C., and can be reached at llawrence@protocol.com.
