
Can Google Earth and other mash-up applications threaten enterprise security?

In an expert Q&A, Michael Cobb explores the security issues that occur when an emerging mash-up application like Google Earth is used in the enterprise.

The Department of Defense does not allow Google Earth on any of its common usernets. Do you suspect this to be a policy decision, or are there security issues that Google Earth presents?
Firstly, I have to say I'm not aware that the Department of Defense does ban the use of Google Earth on its internal networks. Google Earth Fusion is actually a part of the Google Earth Enterprise suite designed specifically for use by the Department of Defense (DoD) and other federal and state agencies. Maybe you are referring to the ban announced earlier this year by the DoD, preventing Google Earth teams from making detailed street-level video maps of U.S. military bases. Not allowing Google to take panoramic views inside DoD facilities is quite understandable. Nevertheless, let's look at what security issues there may be when using Google Earth in a mash-up, as this is fast becoming a popular form of enterprise application.

There are basically three areas of risk:

  • Images providing sensitive information
  • Vulnerabilities in the application programming interfaces (APIs) used to interface with the service
  • Terms of service when using a third party.

The first area of risk has caused a lot of debate and misunderstanding. Various governments, including the Dutch and Australian governments, and military personnel have expressed concern over how easy it is to get detailed imagery of military bases, government buildings, airports and ports, which could aid terrorists in planning and conducting an attack. Google does blur images of some buildings, like the U.S. Capitol Building, but this type of information is not unique to Google Earth: commercial high-resolution satellite and aerial imagery of every country in the world is already in the public domain or widely available from numerous sources.

The second area of risk involves mash-ups, which are developed by integrating data from internal and external sources. Information mashed together with Google Maps can support a wide range of applications, such as routing and customer analysis. However, organizations implementing mash-ups using external sources need to consider the reliability of that data. How good is the quality of the information? Are there copyright or other restrictions on its use? What level of data availability is guaranteed? Do the APIs create security holes in the internal applications? APIs that have been deprecated instead of deleted have caused problems in the past for developers integrating applications with MySpace, for example. There is a risk that third-party data could come from hackers or other unknown sources, and DoD data and servers could be compromised. These factors could pose an unacceptable risk for business-critical applications at the DoD.

Finally, section 11.1 of Google Earth's terms of service states that Google retains the right to reproduce, adapt, modify, translate, publish, publicly display and distribute any content which is displayed on or through its services. Google's irrevocable right to use its data would certainly be an issue for the DoD.

This was last published in January 2009
