In its efforts to extend its empire outside the online search and advertising realm, Google is wooing businesses of all sizes with a spate of software productivity tools and services. These software as a service (SaaS) and in-the-cloud offerings make it easy for both workers and managers to put lots of company data in the cloud, but they also pose risks that worry IT security experts.

Most security practitioners have spent years building up defenses around corporate data, only to find that employees are now bypassing the IT ecosystem and its protections by using Google Apps. “IT security has struggled to apply policies and practices in the infrastructure,” says Robert Ayoub, an IT security analyst for Frost & Sullivan, a global research firm headquartered in San Antonio. “By circumventing that, we’re defeating something we’ve worked toward for so long.”

Google has tried to reassure businesses by instituting a company culture and coding practices built around security. It has backed this up with some key security acquisitions, snapping up players like Postini and Greenborder, and by bolstering its staff with a growing cadre of security professionals

“We have taken an in-depth approach to security, with lots of different layers that build on each other,” says Eran Feigenbaum, senior security manager for Google and a recent hire who has years of experience in the security world, including a stint as a security consultant for Pricewaterhouse Coopers.

The difficulty is that Menlo Park, Calif.-based Google has been less than transparent about its security practices for fear of opening itself up to attacks. “One of the things we’re looking at is how we can offer the right amount of transparency while still balancing security,” Feigenbaum says.

While many businesspeople understand Google’s reluctance to disclose details about its security practices, the vagueness of the company’s reassurances about security leaves many managers too unsure of offerings such as Google Apps to officially sanction their use in the enterprise. Many security professionals are taking a wait-and-see approach, hoping to find out more before green-lighting the use of Google software in their organizations.