Google cloud applications: Secure enough for the enterprise?

Google cloud applications aren't necessarily known for their security. In this expert response, learn what to watch out for when considering using such apps in the enterprise.

Are Google applications, such as Google Docs, Google Calendar and Google Buzz, secure?

When deciding to outsource their business applications to any third party, including Google, companies need to ascertain how that third party would manage the confidentiality, integrity and availability of their business applications.

Firstly, companies need to decide their level of trust in Google applications' abilities to secure confidential information, and then the level of confidential information that is to be entrusted.

As part of what has come to be known as Operation Aurora, Google was reportedly successfully attacked in December 2009 when an employee clicked on a messenger attack and was connected to a poisoned website. This gave the attackers access to Google's network and some of Google's source code, including the Gaia program, which controls user access to the various Google Web services. Having access to the Gaia program's source code might conceivably be used in the future to gain unauthorized access to Google's Web-based applications, perhaps even gaining access to sensitive data of Google's customers. Take this into account when considering moving sensitive data to Google cloud applications.

Secondly, companies need to ensure their data storage and recovery is both fast and reliable, and that data cannot be modified or deleted without adequate permissions. Modern server operating systems have evolved over decades, providing different security mechanisms, including comprehensive access logs and data rollback to ensure this sort of storage and recovery are possible. For example, I would expect notification when third parties access any of the organisation's personal data (permissions or not), and that, if personal data is modified, ownership has to be changed first with user notification and logging of the action. Another concern is the ownership of data: Can the user agreement be changed without your organisation's consent? Also, as the data is hosted, can it then be accessed or blocked by other authorities (federal and tax) using laws intended for ISPs, as, at present, there exists little protective legislation for cloud computing?

Finally the fraught subject of providing data availability: By carefully selecting multiple independent service providers and using monitoring and network switchover devices, high availability becomes possible. Though how vulnerable are the provided services to takedown by distributed denial-of-service (DDoS) or Domain Name Service (DNS) attacks? These are also questions to consider before committing your organizational data to any cloud applications.

Read more on Cloud security