
Root Cause Analysis: Management at fault
This is just the tip of the iceberg and likely still just the beginning. Having been involved in tracking down some of the first attacks back in the 90s (the Chinese railway hacker was likely simply exploiting an unsecured workstation), this is nothing new. From what I've seen, it's not because IT folks don't know what to do to solve these security problems, but because of an inability to really convince management in these cloud companies to spend the money, both in tools and manpower, to actually secure these sites properly. It's not cheap, and it's about having people who really know their stuff and don't directly contribute to the bottom line.

Having left Big IT, I can't tell you how many small businesses I've seen that don't even understand the rudiments of security on their sites, like even getting passwords right, or using directory services, or even putting in basic firewalls!

It also plays, once again, into the hands of large corporations, like Google, Amazon and MSFT, who have so much more to lose by not getting it "right", and actually have the resources to do so. That's why I end up using them for cloud storage, but still store sensitive information locally, and wait for the day when we will see this 'cloud' thing done with an infrastructure that is finally secured. I think it's possible to be vastly more secure (think of how long ago we *could* have really secured email if the solution weren't so onerous for the average consumer). My feeling is that getting it *good enough* and really securing the backbone properly will create an 80/20 rule. But there is so much more to do, and sadly, it will only happen after the equivalent of a 9/11 attack on the Internet. As we know, the theft of millions of passwords over the years has not gotten our Congress to do anything of value to force more support. Or did I miss something?
Posted by 8string
Updated - 26th Sep