Google Security: Fundamental Control Issue
By Ericka Chickowski | Posted 2008-05-23
Although Google has made some key security acquisitions and added talented security pros to its team, many IT and security managers still won’t trust their enterprise applications to the company’s cloud offerings.
Nevertheless, many security and IT managers say there is a fundamental control problem that makes the migration of data to the cloud a risk they are not willing to assume.
“It gets back to a lack of control,” says Randall Gamby, a security analyst for Burton Group, a research and advisory firm based in Midvale, Utah. “Businesses are hoping Google will pick the right tools to secure the infrastructure, but they have no assurances and no say in what it will pick. Plus, many of these organizations have to ensure regulatory compliance, and a lack of control makes them wonder whether Google can support their compliance needs.”
According to Craig Balding, author of the CloudSecurity.org blog and a security practitioner at a Fortune 500 bank, enterprises need to figure out how to balance productivity with security when it comes to trusting in cloud solutions, including those offered by Google. He says part of that balancing act may involve learning how to classify data and educating users on which data and functions are—or are not—appropriate to put on Google Apps.
“I think the issue will be what kind of data is being put in the cloud,” Balding says. “If you are a bank and have transaction information up there, that’s a problem. But if the data is for a marketing Web site, that might be a different story.”
Balding suggests that enterprises might put their toes in the water with less risky segments of their data to establish trust in Google before using its software for more substantial products. On the other hand, some organizations may not be comfortable using any of the offerings until they get a better view of Google’s security practices.
Cole of Varolii believes education is critical in these cases because users may be adamant about the usefulness of Google’s offerings and may try to sneak them under the radar if they don’t understand the risks. He believes users are more likely to comply if the business reasons for such a ban are explained to them.
“User education is very important,” Cole says. “If you just come out with an edict of ‘Thou shall not,’ you will have problems because people like their tools and feel they need them to do their jobs. Employees have to be made aware of the risk assessment. You’ll get more compliance when they see you are trying to work with them.”