Google is moving its corporate applications to the Internet. A year ago I would have said that’s the dumbest thing I ever heard. Today I’m not so sure.
Sticking stuff in the cloud is the popular answer to everything these days, and I just see the cloud as the new mainframe. It’s not a solution so much as a different take on the same problem, and while I see a couple of potential disadvantages, believe it or not I see some real advantages to the approach as well.
But first, the disadvantages. The textbook first question is how you’re doing the encryption. Google actually does encryption extremely well–better than some government agencies, and I wish I was kidding when I said that–but the questions your security department will ask is what encryption methods are being used to secure the data while it’s headed to the cloud and when it’s stored there, and who manages the keys. The right answer is the client. These are solvable problems.
The harder question is how you control the information. When an employee leaves the company, or starts thinking about leaving the company, what mechanisms are in place to keep the employee from taking a ton of information with them? On a corporate-controlled machine, you can install DLP software to keep the data from being e-mailed, and even limit what applications can access what data. For example, if 7zip is blacklisted from being able to access Excel documents, you can’t encrypt a bunch of spreadsheets and e-mail them to your Gmail account. But in the cloud, I’m curious how DLP would operate. Only allowing access from company assets, as Google does, is part of the answer, but I’m curious whether anything exists that keeps you from just e-mailing a bunch of corporate documents to your personal account.
This problem may be solved too, but the answer isn’t in the article, or in the whitepaper it links to. Google thought of least privilege, so they probably thought of data loss too.
Now let’s talk about advantages.
First, corporate networks aren’t secure. Firewalls don’t provide adequate protection. Yes, I said it. All one has to do to get around a firewall is to find a job opening, craft a qualified resume, obfuscate a remote access trojan, embed it in the resume along with an exploit, then apply for a job and wait. Not for a phone call–for the RAT to call home and give you a command prompt on a computer in HR. As the security guy who has to defend against this, I hope the guy is dumb enough to answer the phone, but I know he won’t be. Once you’re sitting on a computer in HR, there are any number of ways to get the corporate secrets back out. Even if you have DLP. Someone who can embed a RAT in a resume probably has the ability to bypass DLP as well.
So I don’t see a corporate network as an advantage at all. The IT department has slightly more control over it than it has over the Internet. The data is probably harder for an attacker to get to from the cloud.
Second, securing applications is a royal pain. I don’t want to give away too much detail, but when I perform vulnerability assessments, application vulnerabilities far, far outnumber operating system vulnerabilities, regardless of whether you count Internet Explorer as an application or part of the OS. You see more app vulns come out every month than you see OS vulns, and when you go to apply the patches, the OS patches go down at a higher rate of success than app patches, and the app patches take a lot more work to deploy, unless you buy tools that cost around $20 per workstation (and I recommend that you do). I will say that by that measure, IE is definitely an application.
If you can subscribe to a cloud-based solution for around $20 per workstation, you outsource that management problem to someone else. I see a lot of potential for cost savings with the approach, like not having to pay for the application and the tools and labor to manage it.