Are Google's Security Practices Up to Snuff?

In its efforts to extend its empire outside the online search and advertising realm, Google is wooing businesses of all sizes with a spate of software productivity tools and services. These software as a service (SaaS) and in-the-cloud offerings make it easy for workers and managers to put lots of company data in the cloud, but they also pose risks that worry IT security experts.

Most security practitioners have spent years building up defenses around corporate data, only to find that employees are now bypassing the IT ecosystem and its protections by using Google Apps. “IT security has struggled to apply policies and practices in the infrastructure,” says Robert Ayoub, an IT security analyst for Frost & Sullivan, a global research firm headquartered in San Antonio, Texas. “By circumventing that, we’re defeating something we’ve worked toward for so long.”

Google has tried to reassure businesses by instituting a company culture and coding practices built around security. It has backed this up with some key security acquisitions, snapping up players like Postini and Greenborder, and by bolstering its staff with a growing cadre of security professionals.

“We’ve taken an in-depth approach to security, with lots of different layers that build on each other,” says Eran Feigenbaum, senior security manager for Google and a recent hire who has years of experience in the security world, including a stint as a security consultant for PricewaterhouseCoopers.

The difficulty is that Menlo Park, Calif.-based Google has been less than transparent about its security practices for fear of opening itself up to attacks. “One of the things we’re looking at is how we can offer the right amount of transparency while still balancing security,” Feigenbaum says.

While many businesspeople understand Google’s reluctance to disclose details about its security practices, the vagueness of the company’s reassurances about security leaves many managers too unsure of offerings such as Google Apps to officially sanction their use in the enterprise. Many security professionals are taking a wait-and-see approach, hoping to find out more before giving the green light to use Google software in their organizations.

Making Strides
Google has made visible strides with the security of Google Apps since it rolled out the first iteration. “Using these tools does represent a risk, but Google has gotten better with security,” says Vern Cole, chief security officer at Varolii, an on-demand interactive communication solutions company. “When Google Desktop initially rolled out, you weren’t able to block certain areas that you didn’t want to index. Now they have added a feature so you can do that.”

The company has also been responsive to security vulnerabilities that have recently cropped up in Gmail and other software it has developed. For example, when security researchers found a nasty back-door vulnerability in Gmail last fall, the Google team acted to close the gap in a matter of days.

In another instance, Core Security, a company specializing in penetration testing products, found a bug in Google Android’s SDK. “Our relationship with Google has been brief so far, but they were quite responsive, even though the vulnerability we found was not that relevant to many people,” says Ivan Arce, CTO at Core Security in Boston. “They addressed the problem quickly.”

These efforts seem to provide enough assurance for the thousands of users who have signed up with Google so far. This is especially true for small and midsize businesses, which may not have IT resources equivalent to those provided as a service.

“We have millions of active users of Google Apps,” Feigenbaum says. “Thousands of university users are deploying Apps, and more than 2,000 businesses are signing up every day.”