Ask the Expert

How to secure online collaboration applications like Google Wave

I've read about Google Wave and how many believe it represents the next generation of online collaboration applications. What sort of security policies should we put around collaboration tools (especially Web-based collaboration) that our organization doesn't fully control?

Love them or hate them, online collaboration applications and communication tools are here to stay, and Google Wave is most definitely next-generation. Announced in May this year, it aims to erase the divide between different types of communication channels. Wave brings together email, instant messaging, wikis, forums and other social networking tools and allows participants to edit and reply to content such as text, photos, videos and maps, all in real time. Content, or "waves," can be rewound to see who said or did what and when. This and other features, such as automated translation, make it a potential killer app, and Google wants it to replace email as the dominant form of Internet communication.

The good news is that Google has looked to build in privacy and security protection from the ground up, unlike Facebook and Twitter, which seem to bolt it on as needed. Google claims that Wave is more secure than email and plans to release most of the source code. Security features include TLS authentication and encryption of all Wave traffic, and the ability to whitelist users. All communications, however, are stored on the Wave servers instead of being sent between users. This means an organization must carefully consider whether it can satisfy data protection and compliance regulations before it allows Google Wave (or any cloud computing service) to be used by its staff.

Whenever sensitive data is placed outside the enterprise, there are additional security risks and concerns because of the loss of control over physical, logical and personnel security. Don't forget that you are ultimately responsible for the security and integrity of your data, even when it is held by a service provider; you can't outsource compliance responsibility. In terms of legislation, at the moment there's nothing specifically covering cloud computing, leaving the key question of jurisdiction unanswered. Therefore, use a provider that commits to storing and processing your data in agreed jurisdictions while meeting all applicable privacy laws.

Because cloud data is stored in a shared environment, understand what measures are taken to protect the information. This includes knowing how data is restored after a disaster and how long it will take. Many Software as a Service (SaaS) and Platform as a Service (PaaS) providers now claim that their disaster recovery and security processes are better than those of most enterprises. This may be true in many instances, particularly as reputation for security is a key determinant of success, but no system is infallible. Windows Azure, Microsoft's cloud computing platform, suffered a weekend outage in March, while Google's Gmail service collapsed in Europe earlier this year. Like members of Facebook and Twitter, their users have also been victims of phishing attacks. Having so much data under one roof makes such services particularly attractive to cybercriminals.

There is also the possibility that the provider may go bust or be taken over. You certainly need to know if your data will remain accessible in such a situation and how you would retrieve it and transfer it to an alternative solution. And what about e-discovery? How much help will you really get if you need to retrieve every piece of data which could be relevant evidence in a lawsuit?

Cloud computing has lots of positives, but as you can probably tell, I don't feel that it's mature enough yet for enterprises to risk using for anything more than development and familiarization, and certainly not critical, sensitive internal applications. Even the large PaaS vendors, such as Google and Microsoft, have short track records with cloud-based services. They need to be treated like any version-one product, with particular attention paid to their service-level agreements. Unless your legal team is satisfied that you can still meet all your legal obligations regarding data security, I suggest you only allow usage of Web-based collaboration tools like Google Wave among users who can justify their use, and ensure that information marked "confidential" is not allowed to be posted.

This was first published in February 2010
