Brute-force attacks and hacking of corporate passwords is a pain but a challenge solved with cloud computing. Masses of compute power, example based on Azure og any elastic cloud infrastructure simply cracks passwords and encrypted content within minutes and at a fair price.
Looking at this we could say that cloud computing is the source of those breaches, but normally server parks for hackers would have made this solution optional anyhow. On a more pragmatic level, the CIOs of corporate and enterprise firms, clearly can state to top-management what the cost/risk of not implementing a security policy and more tight password policies may impact business performance. Online discussion boards indicate that cracking a simple password between 3-9 characters would cost around USD 80, while a long typed password with complex letters would cost USD 1.2 mio. Adding complexity with a 8 character password has an estimated cost of USD 100.000 while same complexity with 9 characters would cost in the area og USD 10 mio!
The only breach in cloud computing viable to find, is often the mistake for major companies when launching their SaaS services, without the required complexity of passwords (Microsoft BPOS requires at least 7 characters – one capitalized and one non-alfanumeric = simple).
Take-away for ISVs
Implement a more strong and solid security policy in the applications. Although clients may complain around the complex nature of this enhanced policy, the wording to that is stated somewhat above. Even turn towards two-factor security or certificate based policies.
Take-away for COIs
Look at your vendor and corporate security policy. Require a strong or managed type policy where you as a company can determine the security levels. Running services form providers like Google does add a high risk, as identity and security is accessed through APIs and even Postini Service Levels indicate that Google may or may not index content in non-secured manner. Dealing with personale- og confidential information, remember that in hand.
rasmus foged blog 