Google Apps Premier Launches - does this mean security takes a hit? You bet it does (so what to do about it?)
Well, the big announcement last week and through the weekend was that Google Apps Premier launched. This is a chance for companies to leverage the power of “office tools” from anywhere and is set to foster more effective collaboration. On a personal level, I use (and like) Google docs, so I can see the draw. If you want more information, here are some great overviews:
Read/Write Web: Google Apps Premier Edition Launches - One Small Step Towards Google Office
eWeeks’ Google Apps Premier Edition Takes Aim at the Enterprise
What I found interesting, though, is a general lack of discussion around the “security” of the application. If you’ve been reading this blog for a while, you may have picked up on how I’m focusing less on the word “security” and more on the concept of “protection of information.” I would posit the same holds true here. My colleagues in the security profession hopefully realize that the difference is largely semantics, but the concept of how to communicate what we do is much clearer when explained as “helping to protect sensitive information.”
So back to Google. Well, the focus is Google (today), but they aren’t the first or only company to offer well-designed solutions that users will gravitate toward. So back to discussing how web-centralized applications are working to protect our information…
I enjoyed reading Marshall Kirkpatrick’s piece in TechCrunch, It’s G-Day: Google Launches Apps Premier. In fact, this is the first piece that I read (so perhaps not the first piece in general) that mentioned the security aspect. What I also liked is that it revealed to me (again, not sure if he was the first) that GE and P&G were signing up to be Google Apps customers. Now, oftentimes in an announcement like that, it’s not the *whole* company, but some part of it. Either way, my reaction is “Are you kidding me?”
I don’t mean that as a shot against Google, GE or P&G. But suggesting that a company of this size is going to put potentially sensitive documents on a shared drive (or in a shared, web-based location) that it does not control and cannot control just seems odd. By odd, I mean: how is this good for the protection of information? Oh, and if you think a *policy* about what can and cannot be stored there will stop someone - think again. See, I *do* believe in the power of the user, but a user just wants to get their job done. As such, if Google Apps (or *ANY* online application) makes their job easier, my experience suggests they will use it.
Now, when GE or P&G decided to go this route, I really hope that their security teams got involved in the evaluation. My instinct suggests otherwise, and that makes me shudder. If you know otherwise - drop me a line (securitycatalyst@gmail.com).
One major concern that hangs over the head of tonight’s news is the ongoing question of Google security. TechCrunch asked for months whether business users would or should trust Google Apps with sensitive business information given the regular lapses of security experienced by the company’s hosted services. See a timeline and discussion of those lapses in this post.
To break it down simply - there is no guidance for companies trying to decide if using Google Apps Premier (or any other service like it) makes sense when they are also obligated to protect information. I run a company. And we launched a community. In both cases, looking at online solutions (especially since both the company and the community have virtual/location considerations) is appealing. In both cases, we have opted to only use them in limited circumstances. We’re small enough that controlling the information outside our walls is a bit easier. So how does the average company decide if using Google Apps, Microsoft Live or Amazon’s S3 storage is a good idea — when it comes to protecting information (if they even consider that)? I have no clue - since we have no commonly accepted framework.
Let me be clear: I’m not suggesting that Google (and others) are not taking this seriously and providing security. Look beyond Google - especially at some of the new and exciting Web 2.0 start-ups. Is designing a system that is “secure” at the forefront of their minds? I don’t think it is for most… yet. The implication, then? Well, we saw with identity theft that while I could steal only your identity, it’s more lucrative for me to break into a system and steal MANY at the same time. So I believe it’s reasonable to expect that as more of these services go online and more sensitive information is stored on them, the focus of attackers will shift. So while you “trust” Google, Microsoft or Amazon - that’s not good enough for me (or anyone, really).
Interestingly enough, I’m not the only one thinking like this; Larry Dignan asks, “Will you trust Google with your data?”
When I talk about Security 2.0 (and I still need suggestions for a better name), this is precisely the second component: security professionals need to get engaged in the process of developing and protecting these solutions. But it goes deeper… we need to work as a community to develop a framework and a method to assess these solutions and decide whether they are acceptable for us or not. Think about it - no provider can effectively go through a myriad of audits *each* day just to prove they meet the requirements of a specific company. At the same time, I don’t accept the TRUSTe seal or “hacker safe” logos. I’m not knocking them - they serve a purpose; but for a corporation to decide to leverage a service to store data… we need something more.
Aside: I know the name Security 2.0 needs to change. This isn’t about numbers and versions. It was named to build on the success of Web 2.0; the approach still leverages the power of social media to effect a new way of practicing the protection of information. It is about bringing power and ease of use/design to the user. It’s about building a new approach and developing new skills. In the end, this is my humble offering for how to move from being on a security diet to having a security mindset. I’m open to suggestions for a new name; until then, we’ll call it the “Catalyst Security Approach.” Clearly, I need some branding help here :)
Now, I don’t like to pose a question without a solution. I believe that what we need in order to assess companies is what I am calling a “security wellness index.” My background is in economics - and this is an approach that blends security with economics, engineering, social sciences and the like. I have a brief 2-3 page overview and have started some discussions to have this research project funded. It’s probably a 2008 effort - but if you are interested, shoot me a note and we’ll talk. I’ll save more details for another post.
But we have solutions if we are willing to apply the time, brain power and energy to making them work. This is not a new problem to solve. We need to change our way of thinking and make sure that, as a community, we all engage and work to implement common solutions. I know, easier said than done - but if we don’t have the conversations and make it happen…
Oh - and since these new web solutions work, our users will absolutely move to them whether we want them to or not. So ignoring or banning the use of these solutions is not a solution. We have to be proactive and get engaged if we hope to make a difference. If we don’t, we’re doomed to bolt-on security (at best) for another generation - and to me, that means we failed. Besides, how many of you have “banned” Gmail at work? Did you see this great posting explaining how to defeat your attempts to ban it: 5 tips for accessing your blocked Gmail (Lifehacker)? If something works better than what you designed, they will move to it. The protection of information, therefore, needs to be integrated from the beginning.
The protection of information is a cultural shift.
So we have an opportunity here. Google is a big company that seems to have an interest in security. They seem to have attracted other large organizations (again with large, I hope, security teams). This is the perfect recipe for working to establish transparent frameworks to embed security into these Web 2.0 (and beyond) applications in a way that lets us more readily assess their ability to protect our information and satisfy our corporate policies and goals.
If we ignore this, we do so at our own peril. If we use this as the catalyst to have the needed discussions about how to make this work, we advance on many levels. I’m willing to help; I want to be part of the solution. What about you?
Posted in Information Protection
edbong said,
March 1, 2007 @ 8:53 am
While security or… “protection of information” is very relevant… there are “terms of use” and so on… some good comments on that are here http://blogs.zdnet.com/BTL/?p=4537.
I think it’s all about choice and freedom for the customer in a world of on-demand and on-site. We are now developing a FREE open source “business application platform” (think salesforce.com). Our first application is working tightly integrated with GOOGLE APPS. Check it out if you are interested. http://www.applicationexchange.com
Santa said,
March 1, 2007 @ 10:52 am
You bring a valid point - the terms of use absolutely matter. I’d love to see some metrics on how many consumers actually read the terms of use? And while they might be useful in deflecting legal issues (which of course, would have to be proven), that doesn’t really get to the heart of protecting information, does it?
I’m hoping that I didn’t misread the comment, but it seems to me that you are suggesting that as long as ‘terms of service’ exist that suggest protecting information is on the consumer, the consumer makes a choice and everything is therefore good? I don’t necessarily agree.
I’m more a fan of educating a consumer and providing them a solution that meets their needs, even the ones they currently may not be thinking clearly about.
DM said,
March 1, 2007 @ 11:06 am
So how is this any different than the risk taken by these very same companies using Salesforce.com or CRMOndemand.com?
Santa said,
March 1, 2007 @ 11:16 am
It’s not. That’s why I included “So back to Google. Well, the focus is Google (today), but they aren’t the first or only company to offer well-designed solutions that users will gravitate toward. So back to discussing how web-centralized applications are working to protect our information…”
Google is the darling of the moment - so they are a good example to trot out to bring up these issues. But the issue is less company-specific and more solution-specific. It has some branches, too:
1 - are companies designing security into the solution
2 - can that security be measured and proven
3 - are companies using the solution asking for security
4 - should companies have an expectation that their information is protected
5 - how/why is this different than the enterprise
So I’m with you. It’s the same risk - but I don’t see much discussion about it.