Google willing to customise security for cloud apps

Would-be users of Google' s hosted applications deterred by security concerns can negotiate with the company to arrange bespoke security settings.

Enterprises often reject Gmail and Google Docs because they can't control crucial security aspects such as where data is stored or how email is used, but despite appearances Google is open to a little quiet negotiation.
Google's approach to building the user base for Gmail and Google Docs has been to promote the software to individual users while largely neglecting the more complex needs of business users. As such, the services allow relatively few options in the area of defining security controls, with a clear emphasis on open access rather than meeting business or regulatory needs.
"Google is looking to capture the next 2 billion users and it has to have a very consumer-oriented strategy," Gartner analyst David Mitchell Smith said at a presentation at Gartner Symposium in Cannes last week.
"Part of what they're doing here in general is trying to be the champion of the individual as opposed to the establishment. It is a critical part of what Google is doing and it's part of the pattern of them providing value to the user and not worrying about the impact on the enterprise.
Whatever you think of that as a business development strategy, it's not very helpful when you're trying to maintain and enhance existing IT security policies.
"The cavalier attitude is a big issue," fellow Gartner analyst Tom Austin said. "If you go with Microsoft, you know that there's a waterfall design process. What do you get when you go to Google? Fortnightly you check the blogs. You have a little bit of control over the way new features emerge for your users, but very little."
However, despite appearances, Google will sometimes negotiate additional security features for large enterprise customers using Google Apps Premium Edition (GAPE).
"We hear tales from clients about little things they'll do," said Austin. "In some places, they're essentially limiting all mail read traffic to specified addresses only so you have a higher level of security." Other customers have managed to negotiate data storage rules so that information is not taken offshore, he said. "That's not a standard offering, but our indicators say that they're doing it.
Austin also points to Google's recent move to provide a "government cloud" to attract US federal government business as evidence of a slight shift in mindset.
Nonetheless, there are definite limits to what you might persuade Google to alter. "There's not a lot of negotiation going on with regard to service level agreements," Austin said. "There is negotiation with regard to special features."
While Gartner argues that security and functionality concerns mean that Google is unlikely to replace on-premises services in any of these areas in the near future, it does recommend running pilots to assess their usefulness in specific areas.
"We are at a point where a lot of the web versions of software are as good and in some ways better," Smith said. "You want to have a bit more of an open mind around these things. A lot of these approaches are good enough."


Read more on Security policy and user awareness