Making StridesBy Ericka Chickowski | Posted 2008-06-26 Email Print
Modernizing Authentication — What It Takes to Transform Secure Access
Although Google has made some key security acquisitions and added talented security pros to its team, many IT and security managers still won’t trust their enterprise applications to the company’s cloud offerings.
Google has made visible strides with the security of Google Apps since it rolled out the first iteration. “Using these tools does represent a risk, but Google has gotten better with security,” says Vern Cole, chief security officer at Varolii, a Seattle human resources software development firm. “When Google Desktop initially rolled out, you weren’t able to block certain areas that you didn’t want to index. Now they have added a feature so you can do that.”
The company has also been responsive to security vulnerabilities that have recently cropped up in Gmail and other software it has developed. For example, when security researchers found a nasty back-door vulnerability in Gmail last fall, the Google team acted to close the gap in a matter of days.
In another instance, Core Security Technologies, a Boston-based company specializing in penetration testing products, found a bug in Google’s Android SDK. “Our relationship with Google has been brief so far, but they were quite responsive, even though the vulnerability we found was not that relevant to many people,” says Ivan Arce, CTO at Core Security. “They addressed the problem quickly.”
These efforts seem to provide enough assurance for the thousands of users who have signed up with Google so far. This is especially true for small and midsize businesses, which may not have IT resources equivalent to those Google provides as a service.
“We have millions of active users of Google Apps,” Feigenbaum says. “Thousands of university users are deploying Apps, and more than 2,000 businesses are signing up every day.”
Nevertheless, many security and IT managers say there is a fundamental control problem that makes the migration of data to the cloud a risk they are not willing to assume.
“It gets back to a lack of control,” says Randall Gamby, a security analyst for Burton Group, a research and advisory firm based in Midvale, Utah. “Businesses are hoping Google will pick the right tools to secure the infrastructure, but they have no assurances and no say in what it will pick. Plus, many of these organizations have to ensure regulatory compliance, and a lack of control makes them wonder whether Google can support their compliance needs.”
According to Craig Balding, author of the CloudSecurity.org blog and a security practitioner at a Fortune 500 bank, enterprises need to figure out how to balance productivity with security when it comes to trusting in cloud solutions, including those offered by Google. He says part of that balancing act may involve learning how to classify data and educating users on which data and functions are—or are not—appropriate to put on Google Apps.
“I think the issue will be what kind of data is being put in the cloud,” Balding says. “If you are a bank and have transaction information up there, that’s a problem. But if the data is for a marketing Web site, that might be a different story.”
Balding suggests that enterprises might put their toes in the water with less risky segments of their data to establish trust in Google before using its software for more substantial products.
On the other hand, some organizations may not be comfortable using any of the offerings until they get a better view of Google’s security practices.
Cole of Varolii believes education is critical in these cases because users may be adamant about the usefulness of Google’s offerings and may try to sneak them under the radar if they don’t understand the risks. He believes users are more likely to comply if the business reasons for such a ban are explained to them.
“User education is very important,” Cole says. “If you just come out with an edict of ‘Thou shall not,’ you will have problems because people like their tools and feel they need them to do their jobs. Employees have to be made aware of the risk assessment. You’ll get more compliance when they see you are trying to work with them.”