Google Apps Set Off Security Alarms
In its efforts to extend its empire outside the online search and advertising realm, Google is wooing businesses of all sizes with a spate of software productivity tools and services. These software as a service (SaaS) and in-the-cloud offerings make it easy for both workers and managers to put lots of company data in the cloud, but they also pose risks that worry IT security experts.
Most security practitioners have spent years building up defenses around corporate data, only to find that employees are now bypassing the IT ecosystem and its protections by using Google Apps. “IT security has struggled to apply policies and practices in the infrastructure,” says Robert Ayoub, an IT security analyst for Frost & Sullivan, a global research firm headquartered in San Antonio. “By circumventing that, we’re defeating something we’ve worked toward for so long.”
Google has tried to reassure businesses by instituting a company culture and coding practices built around security. It has backed this up with some key security acquisitions, snapping up players like Postini and Greenborder, and by bolstering its staff with a growing cadre of security professionals
“We have taken an in-depth approach to security, with lots of different layers that build on each other,” says Eran Feigenbaum, senior security manager for Google and a recent hire who has years of experience in the security world, including a stint as a security consultant for Pricewaterhouse Coopers.
The difficulty is that Menlo Park, Calif.-based Google has been less than transparent about its security practices for fear of opening itself up to attacks. “One of the things we’re looking at is how we can offer the right amount of transparency while still balancing security,” Feigenbaum says.
While many businesspeople understand Google’s reluctance to disclose details about its security practices, the vagueness of the company’s reassurances about security leaves many managers too unsure of offerings such as Google Apps to officially sanction their use in the enterprise. Many security professionals are taking a wait-and-see approach, hoping to find out more before green-lighting the use of Google software in their organizations.
Google has made visible strides with the security of Google Apps since it rolled out the first iteration. “Using these tools does represent a risk, but Google has gotten better with security,” says Vern Cole, chief security officer at Varolii, a Seattle human resources software development firm. “When Google Desktop initially rolled out, you weren’t able to block certain areas that you didn’t want to index. Now they have added a feature so you can do that.”
The company has also been responsive to security vulnerabilities that have recently cropped up in Gmail and other software it has developed. For example, when security researchers found a nasty back-door vulnerability in Gmail last fall, the Google team acted to close the gap in a matter of days.
In another instance, Core Security Technologies, a Boston-based company specializing in penetration testing products, found a bug in Google’s Android SDK. “Our relationship with Google has been brief so far, but they were quite responsive, even though the vulnerability we found was not that relevant to many people,” says Ivan Arce, CTO at Core Security. “They addressed the problem quickly.”
These efforts seem to provide enough assurance for the thousands of users who have signed up with Google so far. This is especially true for small and midsize businesses, which may not have IT resources equivalent to those Google provides as a service.
“We have millions of active users of Google Apps,” Feigenbaum says. “Thousands of university users are deploying Apps, and more than 2,000 businesses are signing up every day.”
Nevertheless, many security and IT managers say there is a fundamental control problem that makes the migration of data to the cloud a risk they are not willing to assume.
“It gets back to a lack of control,” says Randall Gamby, a security analyst for Burton Group, a research and advisory firm based in Midvale, Utah. “Businesses are hoping Google will pick the right tools to secure the infrastructure, but they have no assurances and no say in what it will pick. Plus, many of these organizations have to ensure regulatory compliance, and a lack of control makes them wonder whether Google can support their compliance needs.”
According to Craig Balding, author of the CloudSecurity.org blog and a security practitioner at a Fortune 500 bank, enterprises need to figure out how to balance productivity with security when it comes to trusting in cloud solutions, including those offered by Google. He says part of that balancing act may involve learning how to classify data and educating users on which data and functions are—or are not—appropriate to put on Google Apps.
“I think the issue will be what kind of data is being put in the cloud,” Balding says. “If you are a bank and have transaction information up there, that’s a problem. But if the data is for a marketing Web site, that might be a different story.”
Balding suggests that enterprises might put their toes in the water with less risky segments of their data to establish trust in Google before using its software for more substantial products.
On the other hand, some organizations may not be comfortable using any of the offerings until they get a better view of Google’s security practices.
Cole of Varolii believes education is critical in these cases because users may be adamant about the usefulness of Google’s offerings and may try to sneak them under the radar if they don’t understand the risks. He believes users are more likely to comply if the business reasons for such a ban are explained to them.
“User education is very important,” Cole says. “If you just come out with an edict of ‘Thou shall not,’ you will have problems because people like their tools and feel they need them to do their jobs. Employees have to be made aware of the risk assessment. You’ll get more compliance when they see you are trying to work with them.”
Google Fights Back
Google’s team believes there’s no need for businesses to boycott its software offerings due to security concerns. First, the company claims it has done a sufficient job hardening its software and its service infrastructure with enterprise-class security. Even though Google has chosen not to disclose security details—including where its data centers reside, how many people it employs in its security department and specifically how it protects its server farms against attack—its security bigwigs say appropriate steps have been taken.
“Security is a philosophy here at Google,” Feigenbaum says. “The way we develop applications is through a security process whereby one person develops it, then the code goes through a security tool to look for vulnerabilities, and another person QAs that and looks for common vulnerabilities.
“Your grandma says you don’t put all your eggs in one basket, but here, we do put all our eggs in one basket—but we guard that basket really well.”
Feigenbaum hopes that in the future, Google will be able to work with other SaaS vendors, such as Salesforce.com and Amazon, to develop security standards or accreditations to assure users that Google is taking the right steps. In the interim, he says, Google is doing its best to give business customers peace of mind through alternative means. For example, the company brought in a third-party auditor to look over its practices in detail and come up with a report Google can provide to potential customers in lieu of giving them access to conduct their own audits.
“We can’t let everyone audit us,” Feigenbaum says. “Most Googlers don’t even know where our data centers are, let alone visiting one. We don’t open up our doors and share that, but we did bring in an independent third party to look at what we do, and we are offering those reports to our customers or prospective customers.”
Even though Google doesn’t publish any details about its data centers, Feigenbaum says its application uptime should speak for itself. “Our uptime rivals the uptime most organizations have for their in-house e-mail,” he says. “Every single bit of data Google gets from an Apps customer is replicated multiple times within a single data center and multiple times within another data center. So it already has a built-in backup and recovery. Even if an entire data center went down, a user wouldn’t know.”
In some ways, Feigenbaum says, putting company data in the cloud is more secure than the existing model. “Since we’re a multitenant environment, Company A’s data is literally spread out and shared across the entire Google infrastructure,” he explains. “So, even if you managed to make it into our secret data centers and penetrate all our physical security, you’d still be searching for a needle in a haystack.”
In addition, Feigenbaum says Google is able to turn one of its biggest risks into a security team asset. “Regardless of Apps, Google had a big target on its back from the search businesses,” he says. “It’s a very sexy thing to attack and break, which is really great, believe it or not. I can say there’s a whole bunch of criminals out there doing really bad stuff, or I can say there’s a whole bunch of security researchers that allow me to make my team smarter. We can learn from any attack against Google.com or our other businesses and use that knowledge to protect our infrastructure.”
Feigenbaum adds that Google has been able to prove the security of its offerings by relying on them for its own day-to-day business operations. “If an offering can’t work and run in a complex environment like Google, we can’t expect our customers to use it,” he says. “All our classified, confidential information is stored in the same way on the same machine we’re using to store our customers’ information. That’s why everything goes through extensive testing and internal deployment before we release it. Security is baked in from Day 1.”
Wait and See
Despite Google’s assurances, the transparency issue remains a big sticking point with security professionals. Many, such as Arce of Core Security, believe that being open about security practices is not only reassuring, but also adds a greater level of peer review and security robustness that can’t be developed in a secretive environment—even among the talented pool of workers Google employs.
“Transparency is what helps you improve,” Arce says. “It allows other people to help identify problems so you can fix them. We favor transparency as a practice as much as possible, and we think it should be embraced by Google.”
Balding of CloudSecurity.org agrees, noting that Google needs to open a dialogue with the security community. “There is not enough security dialogue going on, and as a security guy, I find that scary,” he says. “Where is the accountability? I’m sure they’ll solve this problem because they have a lot of smart people at Google, but I don’t think big business will move on this until they are certain the risks are being addressed.”
Core Security’s Arce believes it’s too early to pass judgment on Google’s security practices and its transparency issues. He is hopeful, though, that Google will come around to the security industry’s perspective. “Google has a unique opportunity to change the security mindset of the big security vendors, and I think they can push that change,” he says. “It would be great if they actually did it.”