The good news is that Google has looked to build in privacy and security protection from the ground up, unlike Facebook and Twitter, which seem to bolt it on as needed. Google claims that Wave is more secure than email and plans to release most of the source code. Security features include TLS authentication and encryption of all Wave traffic, and the ability to whitelist users. All communications, however, are stored on the Wave servers instead of being sent between users. This means an organization must carefully consider whether it can satisfy data protection and compliance regulations before it allows Google Wave (or any cloud computing service) to be used by its staff.
Whenever sensitive data is placed outside the enterprise, there are additional security risks and concerns because of the loss of control over physical, logical and personnel security. Don't forget that you are ultimately responsible for the security and integrity of your data, even when it is held by a service provider; you can't outsource compliance responsibility. In terms of legislation, at the moment there's nothing specifically covering cloud computing, leaving the key question of jurisdiction unanswered. Therefore, use a provider that commits to storing and processing your data in agreed jurisdictions while meeting all applicable privacy laws.
Because cloud data is stored in a shared environment, understand what measures are taken to protect the information. This includes knowing how data is restored after a disaster and how long it will take. Many Software as a Service (SaaS) and Platform as a Service (PaaS) providers now claim that their disaster recovery and security processes are better than those of most enterprises. This may be true in many instances, particularly as reputation for security is a key determinant of success, but no system is infallible. Windows Azure, Microsoft's cloud computing platform, suffered a weekend outage in March, while Google's Gmail service collapsed in Europe earlier this year. Like members of Facebook and Twitter, their users have also been victims of phishing attacks. Having so much data under one roof makes such services particularly attractive to cybercriminals.
There is also the possibility that the provider may go bust or be taken over. You certainly need to know if your data will remain accessible in such a situation and how you would retrieve it and transfer it to an alternative solution. And what about e-discovery? How much help will you really get if you need to retrieve every piece of data which could be relevant evidence in a lawsuit?
Cloud computing has lots of positives, but as you can probably tell, I don't feel that it's mature enough yet for enterprises to risk using it for anything more than development and familiarization, and certainly not for critical, sensitive internal applications. Even the large PaaS vendors, such as Google and Microsoft, have short track records with cloud-based services. They need to be treated like any version-one product, with particular attention paid to their service-level agreements. Unless your legal team is satisfied that you can still meet all your legal obligations regarding data security, I suggest you only allow usage of Web-based collaboration tools like Google Wave among users who can justify their use, and ensure that information marked "confidential" is not allowed to be posted.
This was first published in February 2010