--- On Sat, 7/25/09, security curmudgeon <[email protected]> wrote:
> I'd be happy to bet against you on this.
> Incident occurred. Lesson: Single factor SSO authentication
> can bite you in the ass (access to mail, calendar, docs, apps, more).
I did at least qualify my comment. I allow it is possible that due to typical
organizational FUBAR they can avoid learning lessons, too.
> I bet we don't see them change this to require (or even
> allow) unique passwords for each part. I bet we don't see them change to
> two-factor authentication, even if it remains SSO.
I wouldn't bet either way, but two-factor remains something they should be
motivated to provide for paying customers so they (or a competitor) could
implement it once and thereby increase security for N sites, as opposed to the
same N sites all managing to implement two-factor spontaneously.
> If they spend a portion of those billions of dollars on
> security, sure. But like most companies, security doesn't seem to be any
> more 'built in from the ground up' than the next company.
They don't need to spend billions, just a tiny fraction. Having the potential
to afford the budget makes it more likely than all those N sites all managing
to come up with the individual budgets (which, of course, would add up to way
more than Google would spend doing it once). For Google it is a Cost Of Goods
Sold line item; for LA etc. it is an additional expense. Unlike LA, Google
could make money by spending those few bucks.
More than an argument in favor of Google (or any other single company), the
point in support is in support of off-siting instead of hosting locally. The
best argument against is the "monoculture" argument which - while it stands
pretty well regardless - can be mitigated by diligence and best practices.
-chris
_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.