An email snooping scandal at Google has prompted fierce criticism and has worried some enterprise users of its Google Apps service into silence. Google says it takes great pains to reassure customers that it has proper controls over sensitive email data.
Disgraced Google site reliability engineer (SRE) David Barksdale was fired after parents complained to Google that he was harassing their teenage children. An internal investigation revealed that he had viewed personal messages in the youths' Google accounts for an extended period of time.
Of the Google Apps customers contacted for this story -- including the City of Los Angeles, the City of Orlando, FL, the District of Columbia, and camera maker Konica Minolta, collectively around 50,000 mailboxes -- only North Carolina State University (NCSU) offered a response.
"Obviously, we're not pleased," said Dr. Marc Hoit, CIO of NCSU.
Hoit was instrumental in starting the switch to Google Apps and Gmail for the university. Currently, NCSU students are on Gmail and administrators on legacy systems. Hoit said the university will eventually switch everyone to Gmail, despite the disturbing incident.
Hoit said that Google had, in fact, covered this issue during negotiations; the company is not supposed to access personal data without permission. He said that a bad apple such as Barksdale could happen in any firm, and security was never going to be free from that worry.
"We obviously have privacy statements and contracts that say they're not allowed to do that," he said.
Email is not considered secure communication by NCSU anyway, Hoit said, because the state has open records laws that make emails by public employees available on request to anyone. A misbehaving Google employee simply has a much easier time doing what a reporter or citizen can request anyway.
"We don't send social security numbers, personal identifiers, nothing, by email," Hoit said.
Hoit expressed sharp disappointment that Google had allowed the breach, but added that Google had promised to update procedures to stifle further privacy breaches by employees. He said that overall, with business customers, Google was reasonably open about its operations, and that helped him understand the risks.
"They're about as open as any outsourcing or third-party that is doing [IT services]," he said.
But many enterprises do use email for secure communication; some are required by law to do so. Do Google's security claims hold up for them?
Analyzing Google's cloud security
"If these accusations are true, Gmail would fail a SAS 70 audit," said Ron Herardian, chief system architect at Global Systems Services (GSS). "If that were to happen, it would suggest that Gmail is not yet an enterprise solution."
Herardian specializes in transitioning email platforms from in-house to Software as a Service (SaaS) platforms and has extensive experience with regulatory compliance needs.
SAS 70 II audits require that the description and practice of security controls in place be both accurate and effective. An engineer with long-term, unauthorized, undetected access to user emails could be seen as a failure for a SAS 70 II audit.
Google makes no claims about its personal email services, but its "Security White Paper: Google Apps Messaging and Collaboration Products" says that Google administrators have "granular" control of data access and that logs of administrator access are reviewed on an "as needed" basis. That has apparently been changed as a result of the Barksdale incident.
"We are significantly increasing the amount of time we spend auditing our logs to ensure those controls are effective," said Bill Coughran, senior vice president of engineering at Google, in a statement.
A Google spokesman said via email that Google applied its main security policy across the board, and it did not differentiate Google Apps business data. Google does claim that the Google Apps infrastructure is SAS 70 II compliant, but not necessarily the whole of Gmail.
Is Google overselling itself?
"What's so sad about this is that it's so predictable," said Kevin McDonald, vice president at Alvaka Networks, a managed services provider. McDonald said that Google had been overselling itself as enterprise-ready and pointed to the rocky rollout of Gmail for the City of Los Angeles. A vocal critic when the project was approved last year, McDonald said cheerleading for Google obscured obvious planning flaws.
Recently, contractor CSC and Google had to pay back $145,000 when the project stalled due to security concerns with the Los Angeles Police Department (LAPD). Now the project is delayed until plans can be finalized between Google, the City and the LAPD, which wants approval from the California Department of Justice (DOJ) for the plan.
The LAPD said that Google had not delivered stated security requirements for the department. Google responded by claiming the city's requirements were "evolving" and "not in the original contract."
Google announced the creation of a dedicated infrastructure for government agencies last fall in conjunction with the Los Angeles deal, but the system wasn't certified by any government entities until July 26, 2010, almost a full month after the June 30 deadline in the L.A. contract was missed.
It is still unclear if Google Apps for Government will resolve the issue. The LAPD, CSC, Google and the California DOJ are currently negotiating a solution, and Google is paying operational costs for the existing email system until at least November. In many respects, it's a far more telling situation than the Barksdale incident about Google's approach to email security.
Still better than in-house security
Others are more charitable, pointing out that any company is vulnerable to a bad apple and that Google had, in fact, caught and summarily terminated Barksdale. Calum Murray, global head of cloud strategy at Capgemini, said Google was still far better protected than a standard enterprise setup.
"Any IT service is vulnerable to a disgruntled employee that will find a route into the service, but cloud services are intrinsically less prone to hacking than on premise applications," Murray said. "For example, there are probably far more employees at Capgemini that have access to our email system than Google employees that have access to Gmail."
Sam Lowe, head of eBusiness for Capgemini UK, said this kind of story was indicative of growing pains for the cloud computing model, and providers should look at ways to automate security as they had automated service delivery.
Lowe said it would be "immensely helpful" if the cloud industry as a whole could come up with something akin to the standards within the payment card industry that specify sys admin policies and procedures around access.
"This would make people feel more comfortable about using cloud services," he said.
Otherwise, Lowe said, this was small potatoes when put in the proper perspective.
"There are holes all over Microsoft and Oracle and SAP applications, but we don't get to hear about these security flaws as they happen inside a company's four walls; other enterprises don't get to hear about it."
Other email service providers offer better security options
But other email service providers offer an upgraded suite of options with regard to security and compliance needs. Companies like Sonian, for instance, let users manage their own encryption keys, ensuring that the company couldn't access email message content even if it wanted to.
Microsoft, Google's chief competition, offers Exchange Hosted Encryption as a service specifically to satisfy the needs of business customers under regulatory burden. Microsoft says that it encrypts the data automatically and can pass any HIPAA or Gramm-Leach-Bliley Act (GLBA) audit with ease.
Bruce Cowper, head of trustworthy computing for Microsoft, said the company was well aware of enterprise requirements around data protection.
"We take our responsibility to safeguard customer data very seriously, whether the customer is using our cloud service or our desktop and server software. Our services are built to adhere to strict privacy standards," Cowper said via email. The company would not comment directly on the Barksdale incident.
Microsoft also publishes its internal security guidelines for all to see. It's ironic that Microsoft may be showing up Google, since Redmond was, and still is, widely considered to be the motherlode of bad practices from top to bottom. Its cloud services haven't suffered any major breach yet.
"In the old days, we bashed Microsoft, we bashed IBM; these days we bash Google, since they're the leader," said NCSU's Hoit.
Overall, this breach won't mean much for existing Google Apps users. After all, they're stuck; they can't switch systems overnight, and on balance, Google probably is a more manageable security risk than doing it themselves. But unless Google, much like its cloud cousin Amazon, can figure out how to balance real accountability with highly automated cloud-service delivery, they may end up taking a back seat to companies like Microsoft that have a more thorough understanding of the enterprise market.
Carl Brooks is the Technology Writer at SearchCloudComputing.com. Contact him at firstname.lastname@example.org.