When deciding to outsource their business applications to any third party, including Google, companies need to ascertain how that third party would manage the confidentiality, integrity and availability of their business applications.
Firstly, companies need to decide their level of trust in Google applications' abilities to secure confidential information, and then the level of confidential information that is to be entrusted.
As part of what has come to be known as Operation Aurora, Google was reportedly successfully attacked in December 2009 when an employee clicked on a messenger attack and was connected to a poisoned website. This gave the attackers access to Google's network and some of Google's source code, including the Gaia program, which controls user access to the various Google Web services. Having access to the Gaia program's source code might conceivably be used in the future to gain unauthorized access to Google's Web-based applications, perhaps even gaining access to sensitive data of Google's customers. Take this into account when considering moving sensitive data to Google cloud applications.
Secondly, companies need to ensure their data storage and recovery is both fast and reliable, and that data cannot be modified or deleted without adequate permissions. Modern server operating systems have evolved over decades, providing different security mechanisms, including comprehensive access logs and data rollback to ensure this sort of storage and recovery are possible. For example, I would expect notification when third parties access any of the organisation's personal data (permissions or not), and that, if personal data is modified, ownership has to be changed first with user notification and logging of the action. Another concern is the ownership of data: Can the user agreement be changed without your organisation's consent? Also, as the data is hosted, can it then be accessed or blocked by other authorities (federal and tax) using laws intended for ISPs, as, at present, there exists little protective legislation for cloud computing?
Finally the fraught subject of providing data availability: By carefully selecting multiple independent service providers and using monitoring and network switchover devices, high availability becomes possible. Though how vulnerable are the provided services to takedown by distributed denial-of-service (DDoS) or Domain Name Service (DNS) attacks? These are also questions to consider before committing your organizational data to any cloud applications.
Related Q&A from Richard Brain
Managing vulnerabilities involves a wide array of security testing, including both dynamic and static source code analysis. Learn how the two differ,... Continue Reading
Which browsers are secure enough for enterprise use, and which should be avoided at all costs? In this expert response, Richard Brain examines the ... Continue Reading
Are Web application firewalls the best choice for securing Web applications? In this expert response, find out what other Web application security ... Continue Reading