
How to secure online collaboration applications like Google Wave

Love them or hate them, online collaboration applications and tools are here to stay. Michael Cobb explains how to secure next-generation communication like Google Wave.

I've read about Google Wave and how many believe it represents the next generation of online collaboration applications. What sort of security policies should we put around collaboration tools (especially Web-based collaboration) that our organization doesn't fully control?
Love them or hate them, online collaboration applications and communication tools are here to stay, and Google Wave is most definitely next-generation. Announced in May this year, it aims to erase the divide between different types of communication channels. Wave brings together email, instant messaging, wikis, forums and other social networking tools and allows participants to edit and reply to content such as text, photos, videos and maps, all in real time. Content, or "waves," can be rewound to see who said or did what and when. This and other features, such as automated translation, make it a potential killer app, and Google wants it to replace email as the dominant form of Internet communication.

The good news is that Google has looked to build in privacy and security protection from the ground up, unlike Facebook and Twitter, which seem to bolt it on as needed. Google claims that Wave is more secure than email and plans to release most of the source code. Security features include TLS authentication and encryption of all Wave traffic, and the ability to whitelist users. All communications, however, are stored on the Wave servers instead of being sent between users. This means an organization must carefully consider whether it can satisfy data protection and compliance regulations before it allows Google Wave (or any cloud computing service) to be used by its staff.

Whenever sensitive data is placed outside the enterprise, there are additional security risks and concerns because of the loss of control over physical, logical and personnel security. Don't forget that you are ultimately responsible for the security and integrity of your data, even when it is held by a service provider; you can't outsource compliance responsibility. In terms of legislation, at the moment there's nothing specifically covering cloud computing, leaving the key question of jurisdiction unanswered. Therefore, use a provider that commits to storing and processing your data in agreed jurisdictions while meeting all applicable privacy laws.

Because cloud data is stored in a shared environment, understand what measures are taken to protect the information. This includes knowing how data is restored after a disaster and how long that will take. Many Software as a Service (SaaS) and Platform as a Service (PaaS) providers claim that their disaster recovery and security processes are better than those of most enterprises. This may be true in many instances, particularly as a reputation for security is a key determinant of success, but no system is infallible. Windows Azure, Microsoft's cloud computing platform, suffered a weekend outage in March, while Google's Gmail service collapsed in Europe earlier this year. Like members of Facebook and Twitter, their users have also been victims of phishing attacks. Having so much data under one roof makes such services particularly attractive to cybercriminals.

There is also the possibility that the provider may go bust or be taken over. You certainly need to know whether your data will remain accessible in such a situation, and how you would retrieve it and transfer it to an alternative solution. And what about e-discovery? How much help will you really get if you need to retrieve every piece of data that could be relevant evidence in a lawsuit?

Cloud computing has lots of positives, but as you can probably tell, I don't feel that it's mature enough yet for enterprises to risk using for anything more than development and familiarization, and certainly not critical, sensitive internal applications. Even the large PaaS vendors, such as Google and Microsoft, have short track records with cloud-based services. They need to be treated like any version-one product, with particular attention paid to their service-level agreements. Unless your legal team is satisfied that you can still meet all your legal obligations regarding data security, I suggest you only allow usage of Web-based collaboration tools like Google Wave among users who can justify their use, and ensure that information marked "confidential" is not allowed to be posted.

This was last published in February 2010
