Tuesday, 12 August 2008

Are Google Apps secure?

I've really been impressed to date with the quality of Googles' output in terms of applications. I've been using Google Docs for a while now and I am really impressed with what it can do already. I can accept the limitations it has mainly because so much is provided for free and it offers things that other mainstream office products don't, the ability to work on the same document from any machine only using a web browser and nothing else. Adding to this it's so easy to collaborate on documents.

That said, given that I'm using Googles tools more and more I got to wondering just how secure it is. Obviously the more I use it and the more I encourage others to use it, the more vulnerable we all are to any particular security hole. Given that I work in IT as a software developer I'm acutely aware of the constant challenge of producing leading edge technology while preventing all security holes. It's a seriously tough task. Plenty of large corporations have failed to take security seriously enough in the past but so far I haven't heard of any major complaints with Google. To be fair though it's only relatively recently that Google has branched out into building applications other than it's search engine and most, if not all, are provided completely free so even if there where serious holes. to what degree would people complain given that they haven't paid anything to use the tool.

So these are some of the questions I had when I decided to look into googles reputation on security. I've listed the articles I found on the subject. To be fair it was just a quick browse to see if there are lots of stories or just rumours. What I found was more rumour than fact until I found the first article listed below. Until that point I'd found a few people suggesting they'd found problems but others pointing out that if there were major issues then surely this would have made news so far. Maybe no one's really using it seriousy and therefore all breaches that have occurred haven't resulted in serious losses. I can imagine that being the case for now but as the tools get better and more robust I can imagine the usage profiles changing.

Google security vulnerabilties stack up
This article presents, in my view, a balanced overview of the security approach Google takes. I think they're big enough now that people view them with enough cynicism whilst still loving their apps. Therefore if they were focused on patching vulnerabilities and actively testing security we'd know about it.

Google Docs security serious compromised
This article is by someone who believes he has access via google docs to documents that he has never written or seen before. He believes some one has saved them in Google docs and he google docs itself has given him access. It's pretty much the worst case scenario you could think of. Unfortunately there's no proof that this is actually what happened but it does highlight the point that you should still never put anything up there that you really don't want others to see.

Warning: Goggle Docs is NOT safe
Ok, this article isn't specifically about security breaches but I think anyone using googles tools would be interested in googles attitude to privacy, copywright protection and the like since pretty much all data stored by its tools are stored on Googles own servers. So even if there are none or few security holes, what if you found your personal content available through other google interfaces.

Conclusion
Overall, given that the tools provided are generally free and very user friendly I'm actually relatively happy with what I've found. I didn't expect perfection. Google Docs is still in beta and if it carries on this way for a long time then atleast Google is being clear that it isn't perfect. Many other corporations aren't so honest. Atleast you know that they don't commit to an absolute failsafe. Since I know this going in I don't expect it and I can change my usage to suit. Don't kid yourself that other software vendors are any better.

What was good to hear is that Google has purchaed a sandboxing technology to help improve security. What I like is that it's putting it's money where it's mouth is and spending on security which is more than many other players have done in the past. So far I've seen constant improvement in the google tools and an active effort to listen to users like me. I've already submitted a couple of feature requests to google docs and I found it as easy as 3-4 clicks to find out how to do it.

It does unnerve me a little to find out that there are some security flaws and that the response Google appears to give when these are highlighted is very much like all large corporations. That's a shame. I do feel that as the applications are taken more seriously other flaws will surface and gain publicity. However I feel that is the case with all software manufacturers and there are plenty out there with worse records. I jst wrote this article to remind myself and others to apply a little common sense to what we post online.

I'll still keep using Googles tools though. Just while writing this entry I was glad I was using Google. I noticed the autosave feature had stopped working indicating that I might lose my post if I submitted it. So I just opened my blog in another tab and found e3asily the last saved draft of this post. Then I copied and pasted into this latest saved version and continued my merry way. I know that my work is constantly saved. On other systems I have lost plenty of work for simple things like this. at least with the new web 2.0 approach simple concepts like autosaving and telling the user if there's a problem have become important and I find Google does what it can to think of these features and provide them for free.

I'm probably just biased on Google at this point. Maybe it's because I haven't been burned by them yet. though I do feel that a company that's willing to provide so many high quality apps completely free and host them for free too deserves a little credit given that very few companies of its size are following the same path.

No comments: