Others outside of Google are not so sure. Yale University recently put plans to deploy Google Apps on hold after concerns around privacy and security were raised by faculty. Google's credibility also came under fire with the revelation that the Gmail accounts of Chinese activists were compromised by phishing attacks (something not under Google's control) and the possibility that Chinese crackers had actually penetrated Google systems.
But Feigenbaum notes that Google is working to obtain Federal Information Security Management Act (FISMA) certification for its entire Google Apps deployment, and Google Apps will also now honor European Union (EU) safe harbor limits on where data can be stored internationally. Feigenbaum adds, moreover, that the proof is in the pudding: the success of Google Apps proves that the cloud can be safe…if Google is running it.
Why should anyone believe that giving up direct control over their data will make it more secure, not less? How can an enterprise possibly see giving up control as a security benefit?
Eran Feigenbaum: Part of it is a mindset shift. One hundred years ago, my grandmother would have felt safer putting her money in a mattress! Take a look and see if it's still there. My generation feels more comfortable putting it in a bank; the bank has armed guards, safes, 24/7 surveillance, etc.
We have economies of scale that most organizations, even the large ones, don't have. They can't afford to have a security team the size of what we have. They can't afford to be looking at sterilizing the newest threats. They're very much dependent on other providers along the supply chain to give them that information.
At the scale that we have, on virus[es], for example, we often see [new] viruses affect our users hours before the antivirus vendors even see them, let alone issue a signature. If I'm a traditional IT shop, now I have to go take that signature from a vendor to the antivirus installed on my machines. In [Google's] type of environment, it happens automatically, without you having to do anything. It's really changing the way we think about security.
People have a perception basically like my grandma with the money: because they know it's sitting on that one server, that it's more secure.
[But Google has] chopped it up into many pieces, spread it into so many places built on hyper redundancy and availability in ways that even our largest customers can't do. We have local copies of that data, replicated in real time.
Think of our bank accounts: just because I don't see my money every day doesn't mean it's not safe.
But money is a fixed unit, one dollar is the same as the rest. That's not so with sensitive emails and documents: Each one has intrinsic value, you can't replace a stolen company document with any other one with the same number of words.
EF: It's the same, then, with my wife's jewelry, my wife's diamond earrings -- I'll put them in a safe deposit box. I'll bet on that instead of keeping them at my house. I don't know that the bank president isn't wearing them at night when I'm not there, but again, I trust the bank, because the bank has certain controls, because the bank has been in business, because the bank has independent auditors very similar to the way we're operating.
Also, not to belabor the bank analogy, but not all banks are created equal and not all cloud computing vendors are created equal. As cloud computing is becoming more and more popular and a great buzz phrase, we see people not really in the cloud computing world label their products as cloud, as well as smaller providers that may not have the same type of security controls that we have in place.
How is that going to reassure a chief information security officer (CISO) who is used to being able to audit and control his own infrastructure, from the rack bolts all the way up to system logs?
EF: Yes, you do have to relinquish some control, but it doesn't mean you're making it less secure. You're actually making it more secure. We have 25 million users using the system. How many IT shops have that kind of scale? We want to make it very clear that while we're the custodians of the data, while we're storing that data, processing that data; you're still the owner of that data. It doesn't belong to Google; we're only going to use that data in a way to serve you, the user. If it's Edu or Apps Premier, we're not serving ads against that data, either.
It's one thing to take our word for it -- I could sit here and tell you all the wonderful things we do, but every year an independent auditor comes in and takes a look at all the confidentiality, integrity and availability controls that we have in place in Apps. They offer an independent opinion that they're in place and operating sufficiently, and that comes in terms of a SAS 70 report. And we're going further: we've announced that we're in the process of getting FISMA-certified and accredited at a moderate level. That involves some 250 criteria controls created by NIST that we're showing we meet.
Certain data has to stay in the EU unless you have safe harbor, and because of that Google has filed for safe harbor and practiced the safe harbor principles of notice and onward transfer. We run a very robust privacy center that details specific controls around each one of our products.
How do you satisfy a potential customer with the knowledge that Google Apps is secure?
EF: I think it's our job to provide enough details to customers to make informed, technical decisions. A couple of months ago, I spent a day and a half with a US intelligence agency; after that time, they said, "Wow, that is actually more secure than what we offer. We wish we could do what you do."
We are in a very unique situation, in that we control the entire stack. For one, we build our own servers, we design our own chips, we write our own operating system, we write our own applications, etc. So that gives us tremendous security advantages. And two, just the way our architecture works is fundamentally different! I use mail as an example…the Apps technical method of doing it [is] taking all my mail [for example], chopping it up into lots of small pieces, spreading that throughout the entire environment, so trying to compromise a single user becomes, statistically speaking, harder than winning the lottery.
Put that on top of other things it's really hard for organizations to do, like role-based security and least-privileged access.
I think it's our job to inform them; I went to Google just under three years ago from a financial services company where I was the chief security officer. I completely understand where they're coming from, right? It's still their data, it's going to be their head on the chopping block if something happens to it. It is their responsibility to understand how it's being protected, and it's our responsibility to give them that information to make a risk-based decision.