As regular readers know I don't usually quote the New York Times, however an April 19th article by John Markoff seems worth reading - the two opening paragraphs:
Cyberattack on Google Said to Hit Password SystemEver since Google disclosed in January that Internet intruders had stolen information from its computers, the exact nature and extent of the theft has been a closely guarded company secret. But a person with direct knowledge of the investigation now says that the losses included one of Google's crown jewels, a password system that controls access by millions of users worldwide to almost all of the company's Web services, including e-mail and business applications.
The program, code named Gaia for the Greek goddess of the earth, was attacked in a lightning raid taking less than two days last December, the person said. Described publicly only once at a technical conference four years ago, the software is intended to enable users and employees to sign in with their password just once to operate a range of services.
The article reprises an unnamed insider's view on how this happened, how google responded, and what it all means; but the real bottom line is simple: it happened - and because it happened people deluding themselves that Microsoft's early troubles with single sign-on resulted entirely from preventable error instead of a fundamental design flaw should now consider themselves corrected.
The basic problem is that the more eggs you bounce into a single basket, the more likely it is that some will break. Or, in our context here: google overloaded the basket because the more users a cloud tool has, the greater the provider incentive to seek savings through unified infrastructure and administration - but growth in the user base makes failure more likely and systems unification makes each failure affect more users.
For most people a google email breach, whether by the Chinese communists or someone else, really doesn't amount to much because you have to be really stupid to do things like use the same passwords for gmail and your bank account or emailing your girlfriend video of you watching porn while thinking of her.
On the other hand, using a cloud service to outsource something, like email, that you should be handling internally is a whole different game because in that situation you have a responsibility to protect the privacy and business interests of your users -and the cloud, as google has just demonstrated again, doesn't do that.
So if you're one of those who did this and no-one's come to fire you yet, here's some free advice: say a quick thank you to whatever Gods you favor that your bosses are too clued out to notice how badly you've exposed them - and change that cloud strategy right now.