The anatomy of the Twitter breach as detailed in TechCrunch speaks clearly to the lengths that a determined attacker will go to gain access to proprietary information. The specifics of the attack are complex and involve a number of ingenious inter-related actions on the part of the attacker who did ultimately gain access to a single user credential at Twitter. Although the methods used are complex and much of the post game discussion has focused on high level security risks associated with Google Apps, the fundamental architectural characteristic that makes this type of attack possible at all is the publicly available web form for collecting user names and passwords.

The attacker was able to manipulate all of the publicly available functionality that is set up to support web form authentication and gain access to sensitive information as a result. Exposing password resets, question based authentication, email notification – (i.e. all of the machinery required to support the public web form) to anyone with a browser is an invitation to serious mischief.

The Twitter breach is a teachable moment for companies adopting cloud applications. In simple terms – since the fundamental risk is having web authentication forms on the public Internet, it follows that the best place for authentication of enterprise users to occur is behind the firewall. Technology designed to make it simple for companies to leverage an existing secure authentication (that happens on a secure network ) to provide access to cloud based applications is the most secure, least intrusive, and most cost effective way of addressing security risks like the ones that were exposed at Twitter.

In my five years and counting at Ping Identity we’ve built from zero to a customer roster of over 370 companies around the world, including 42 of the fortune 100. To a large extent, the credit for Ping’s growth goes to the simple premise that there is inevitable trend that continues to move credential collection to the most secure location available. The recent news about Twitter and their struggle with authentication to Google Apps fits this pattern perfectly.

The implications of this trend for emerging cloud based Identity Provider solutions are an interesting related topic. Ultimately, credential collection can be done securely on the public Internet - but it requires well thought out layering of single sign on, monitoring, and strong forms of authentication. More on the best practices developing around Cloud based Identity Providers in a future post...

I attended the Google Enterprise CIO Summit at the Google offices in Cambridge yesterday. Dave Girouard, Rajen Sheth and Alex Diacre presented. Couple of interesting takeaways/quotes:

• Google is the worlds 4th largest manufacturer of servers – behind Dell, HP, IBM. They build them to run in their own data centers. It’s the kind of overlooked data point that helps people understand the vast resources Google can/will put behind their Enterprise IT business.

• Google Enterprise is currently profitable as a standalone business.

• Dave Girouard did an excellent job of explaining why continuous innovation is the key to Google’s future in the Enterprise. Right now they are innovating to make email and calendar migrations meet Enterprise requirements – but in the near near future they will be delivering differentiated apps and features and platform capabilities that will drive adoption of Google as a core Enterprise vendor. Today they differentiate primarily on ROI  – and they have a strong story there – but in the not too distant future Google will differentiate on feature/functionality (think of the role Wave can potentially play in changing enterprise communications). This should scare Microsoft.

• The customer stories and case studies show that Google Enterprise is still in an early adopter phase. Lots of patterns and best practices are yet to be sorted out.

• Money quote from a large customer that recently migrated from exchange to Gmail – “dumping Exchange/Outlook was a big step towards getting everything into the browser”.  “Everything into the browser” is a good way of thinking about where cloud computing is taking Enterprise IT and if Enterprise IT is moving to an “everything into the browser” world – that’s a world where Google is, without doubt, one of the winners.

The momentum around the migration of enterprise IT architecture to On Demand models is undeniable...and likely to accelerate in the forecasted IT spending climate.We started planting mustard seeds in the SaaS community two years ago - it is nice to look at a snapshot now and see what we've accomplished - 130 SaaS/BPO vendors adopting Ping for internet SSO.