Mounting scrutiny for Google security

As Google moves into the business environment, it is starting to face the same security questions other business app vendors face

Much as the ubiquity of Microsoft's Windows operating system and Office productivity tools has made the software giant a focal point of security research, search giant Google is facing new scrutiny as it diversifies its products and moves further into the business environment.

In a report to be published on July 16, researchers at Ponemon Institute will detail their findings about existing concerns among IT professionals regarding the overall security of Google Desktop, the company's PC search utility, specifically within the confines of business operations.

And while the research revolves around the only significant security flaw to be unearthed in the program thus far -- a cross-site scripting vulnerability reported and subsequently patched by Google in February -- authors of the report contend that their work illustrates a growing level of concern over the massive company's rapidly expanding footprint.

Google Desktop marries PC and Web-based technologies in a similar manner as many other products the company has launched in the last several years, such as its Google Apps document system, which competes directly with Microsoft Office.

If the company is to succeed in its plans to replace Office with Google Apps and drive other applications such as Desktop further into businesses, Ponemon researchers said, the company must be ready to face a wave of inquisition over the potential security impact those products will have.

In the Ponemon survey of more than 600 IT security specialists who indicated that they were familiar with the Google Desktop vulnerability, an overwhelming 71 percent said that they believe that the product likely harbors other security flaws.

The results gathered by Ponemon -- an Elk Rapids, Mich.-based firm that has gained acclaim in recent years for its studies regarding the cost and causes of data breaches -- illustrate the growing apprehension among businesses about the security implications of Google's applications, said Dr. Larry Ponemon, the research company's founder and chairman.

Google has moved to bolster its security skills via recent acquisitions of software makers GreenBorder Technologies and Postini, and has sought to become a thought leader via its sponsorship of malware research projects such as Stopbadware.org.

However, the company must prepare itself to face the daily assault from hackers and researchers previously reserved for Microsoft and other industry bellwethers if it succeeds in becoming a more central provider of business IT products, according to the expert.

"Google has a huge bull's eye on its back because of its position in the market and everything it wants to become, specifically to businesses," said Ponemon. "These recent acquisitions may point to steps to try and make it safer to use their applications, but it's likely that they will become a victim of their success as more hackers and researchers focus their efforts on finding flaws in its products."

In addition to existing concerns among the general public regarding the amount of data retained by search engine providers about people's individual Web queries, products such as Desktop and Google Apps are raising significant questions among business users about the ability for the company to keep hackers from finding a way to break in and use the tools to steal sensitive corporate data, he said.

Another finding of the report was that 81 percent of respondents familiar with the Desktop cross-site scripting security problem said that they do not feel that users who have sensitive data on their computers should utilize functions of the program that allow them to run remote queries on their machines.

Such data provides evidence of the growing fear of Google's plans to foster "deep integration" between desktop and Web-based tools, the researcher said.

"Based on the people we talk to in the world of security, many believe that Google's products could present a serious risk; that if someone can get in, they can find a lot of sensitive data very quickly," Ponemon said. "Google is becoming such a major presence on so many computers that if people are looking for attack vectors that can get them the most information, Google has become an attractive target."

While conceding that Google has encountered very few serious security issues in its products, especially when compared to other major IT companies such as Microsoft, the researcher said that concerns about the search giant's technologies are nonetheless going to increase if more business users begin working with its tools.

Ponemon denied that his company was attempting to "lead witnesses" with the Google survey by reminding them of the Desktop vulnerability before posing its questions.

"To Google's credit, they haven't had many major security problems, but people clearly believe that they may still be vulnerable and that the bad guys will eventually find a way to break in," Ponemon said. "People are scared because they are wondering if this is just the tip of the iceberg in terms of bugs and if the bad guys really are ramping up their activities around attacking Google products in general."

Google representatives complained that the Ponemon report was too narrow and suggestive in trying to provoke people's concerns about their company's overall security standing.

Executives with the company said that the search giant is working as hard as it can to ensure that there are no problems in either its existing or future technologies.

The firm has long considered its ability to foster trust among users regarding the privacy of their search habits as key to its overall success, said Douglas Merrill, Google's CIO and vice president of engineering.

"Search is the oxygen of today's information economy, but we don't believe that search works without users trusting in us to protect their information, so we're focused constantly on improving security and privacy and have been since day one," Merrill said. "That was long before Desktop or our other forays into the enterprise, and it continues with Google Apps; we run our own business on these applications, and I wouldn't be able to recommend them to other CIOs if I didn't know that they were truly secure."

Merrill said that Google engages in rigorous examination of the underlying code in its products to eliminate potential vulnerabilities both during their production and after the tools have gone live.

He said that by fostering open communication with security researchers, white hat hackers, and other technology providers and encouraging responsible disclosure of any problems, the company has been able to head off attacks that could be aimed at its products.

Google currently employs more than 1,000 engineers whose responsibilities include testing for holes in its software and has built proprietary code-scanning tools, he said while acknowledging that the threat of attacks is a reality that no firm can write off in today's environment.

"The reality of the world is that Web applications have a larger attack surface and that client-based technologies have been around a lot longer and still struggle with security issues, but we have a big advantage in that if a problem is found, we can fix it right away on our servers versus trying to send patches out to all of our users," Merrill said. "That doesn't mean we will find all the issues. Security is a constantly changing field, but we're happy with the progress we've made."

Merrill contends that Google's products actually represent a significant advantage over other technologies in terms of security and that they have proven useful in helping companies solve and locate data management problems.

Google's Search Appliances and Desktop products are useful in helping companies find data that may be stored or used improperly within corporate systems, for instance, and its Apps tools require users to authenticate themselves before they are given access to shared documents, adding a new layer of protection to collaborative business efforts, he said.

Through its Google Security Blog and participation in Stopbadware.org -- a malware research effort launched in cooperation with experts at Harvard University Law School, among others -- the CIO said that the company is keeping customers informed of its ongoing work and staying abreast of the latest attack methods.

"As companies get more widely known, they provide a larger attack surface, but we hope we will continue to maintain our close relationships with security researchers, and we will continue to invest in research and development to protect data as our tools get more popular," Merrill said. "We don't feel that the published risks have been too severe, but we will continue to focus on finding and fixing any problems."

Industry analysts agreed that Google has done well thus far in protecting its users from major product vulnerabilities and attacks but observed that the company must learn from the mistakes of companies such as Microsoft if it is to retain its positive image.

Google is in the same position of any dominant technology provider in terms of potential attack and will need to remain open to criticism and stay aggressive in quashing potential problems if it is to maintain that standing, said Paul Stamp, analyst for Forrester Research.

"Google has to learn from Microsoft's mistake of avoiding talk about security issues based on the idea that it will embolden the people trying to take advantage of any vulnerabilities," Stamp said. "If they think that there aren't people out there who know their products as well as they do or who can't exploit any existing problems, that would be a mistake."

The analyst lauded Merrill's pledge to remain open about potential security issues and to court the help of researchers versus making them feel like adversaries.

"Google needs to be transparent and be forward-thinking and use the community to find bugs before even they can find them for themselves," said Stamp. "It's a matter of saying, 'These are the types of attacks we expect to see,' and challenging the research community to go find the bugs first."

Join the discussion
Be the first to comment on this article. Our Commenting Policies