Tuesday, November 5, 2024

Google Apps and Risk Management

Risk management is a huge portion of information security; we gauge risk and in many cases accept risk because we can’t build an ROI on the technology or issue.

However, adopting Google Desktop Applications, or Google Apps, is a risky decision. Small company or big company, it does not matter: it’s a risk, and here are the risks involved.

Information Security – Google has a lot of money to spend on information security, but Google also has a track record, like every other software maker, of having code with bugs. The recent Google Desktop bug is just one example; then there are XSS errors in Gmail, and a host of other things. If you use Google Apps, you have to trust their code over the internet, and you have to trust them to patch their code in a timely manner. You should be weighing the risk of bad code, and of the open days during which that code is not patched, against the damage that could happen if your commercial or intellectual property is stolen, viewed, or otherwise accessed over the internet.

Legal Discovery – so far the law has worked in this fashion: an ISP or company gets a discovery notice, and the ISP or company is not obligated to inform you; rather, they usually make a copy of all the data and send it to the legal group requesting the information. I do not know what is in the Google Apps EULA, but would lay odds that they will comply with any legal request for information. They would be obligated to turn over information, and they may not be obligated to inform your legal counsel first. Your legal counsel might not have enough time to put in a blocking motion or otherwise respond. Since all your data is hosted outside the company on a 3rd party server system, ownership is most likely not going to be efficiently defined until there is a series of lawsuits to determine who owns information on 3rd party service providers. Technically, it should already all belong to Google.

Control – usually when working with technology and 3rd party outsourcing, only “authorized” people are allowed to call for support. Control of the help desk, and of the services that the help desk provides for lost information, e-mail support, password reset support, and other low level support functions, is now being taken over by Google. The question to weigh here is whether Google can do better than your help desk. And how will Google verify that the person calling is really an authorized caller and not someone on a pretexting mission?

Other Legalities – Have you engaged legal counsel before signing up? This is a big one: what do the company lawyers say about the issue? Will they be involved in the decision, and will management listen to what legal counsel is saying and to what the legal liabilities are?

Federal/State Mandates – if you are covered under HIPAA, SOX, GLB, HB1386, or otherwise, how does using Google Apps help you gain compliance, or remain in compliance if you use their system? From the legal mandates and laws side, unless Google can provide a statement of compliance that will stand up in court, anyone who is under any federal or state law for information security compliance might want to think twice before using this service.

Anyone else remember Hailstorm?

For every user you will pay 50 dollars a month, and you get 10 gigs of disk space. For Open Office you pay Zero dollars per year, and have a whole hard drive to use for storage. There are better ROI investments out there that are compatible with your end users.

Need a collaborative environment? Get Linux, Drupal, and a hosted site for 5 dollars a month (Linux and Drupal are free), and you can do a ton of collaboration. Put everything behind a password system. A tech will probably spend a day putting Drupal together with all the neatest modules, and then spend about 1 hour a day making sure everything works the way it should. After that, it keeps your help desk employed. And yes, Drupal can be distributed across a cluster as well.

Think long and hard before using Google Apps. Make sure there are legal protections and that someone cannot just randomly request data without talking to legal counsel first. Make sure that the bases are covered, and if you are in a regulated industry, that you get a certificate of compliance from Google. Otherwise, there is a ton of free or low cost software out there that will allow you to do the same things, and do them in an equal or like manner.
