Google Apps are starting to move into the enterprise and the iPhone is already there -- ready or not, authorized or not. CISOs and other security professionals are largely unaware of what's happening and/or ignorant of the inherent risks to corporate data.
"This is a wake-up call for security administrators, many of whom we are finding in our research have been asleep at the wheel when it comes to the new paradigms of application delivery that are coming to enterprises today," Robert Ayoub, industry manager for Frost & Sullivan's network security group, said recently in a Web presentation entitled "The Impact of Google Chrome on Enterprise Security."
The new Chrome Web browser is not the problem. It isn't whether Chrome's security features are stronger or weaker than Internet Explorer (IE), Mozilla Firefox or Opera, or if it's more or less vulnerable. The problem is that Chrome was built as a platform for Google Apps, and as users flock to them, sensitive corporate data passes beyond corporate visibility and out of management control.
"There are security professionals that don't think this is happening," Ayoub said. "Even worse than that, there are CISOs top information security directors who believe they can stop this."
The challenge for security officers, Ayoub said, is not to try to keep Google Apps, iPhones or the next hot user application or device out of the workplace. The genie is out of the bottle.
Google Apps will grow in popularity, and not only with users who enjoy the convenience of online applications and increasing availability on a wide range of mobile devices. There are compelling business reasons. Business units like Google Apps offer online anyone-from-anywhere collaboration features. Companies can reduce infrastructure costs as data is stored by the hosting service (Google) and can cut application patching and security costs.
But many firms are going to pay a price for all that, Ayoub said.
You forfeit visibility into who is looking at your data. You can't track, prevent or control data breaches. "You have no visibility of what security pros are used to seeing," Ayoub said. "Firewall data, SIM data …"
But you don't forfeit your corporate governance and legal responsibilities for protecting that data. Things may get fuzzy when we start talking about breach disclosure laws or PCI DSS, but do you want to be the one to explain why merger and acquisition plans, corporate research or customer information have gotten out in the world.
So if you can't beat 'em, what do you do? It's no different than any other business decision. Educate users and management and weigh the benefits versus the risks. Management shouldn't find out when something really bad happens.
"Where is our traditional risk management in security with these new applications and devices?" Ayoub asked. If we lose control of data, who is letting the C-level know?"