Google: The Limits Of Security

In Part One of this report, Google’s Eran Feigenbaum dismissed suggestions that cloud apps have a security problem – they are the solution, not the problem, he said.

In this part, we addressed user problems. Why won’t Google let users run Google Apps on their own servers, to create their own cloud? And if passwords are a problem, why isn’t Google pushing other security methods?

Don’t even think of asking to run Google Apps yourself!

One thing users often ask for – according to eWEEK columnist Jason Brooks – is the ability to run Google Apps on their own servers. If users are scared of the cloud, it might reassure them to run their own cloud on servers which belong to them.

Feigenbaum looked shocked when we suggested this to him – and not surprisingly. The concept is completely counter to everything he’s been saying, and if the cloud really is more secure than the data centre, would be a betrayal of his vision: “A traditional CISO can get called in the middle of the night with an emergency. You don’t get that with cloud.”

The fact that Microsoft plans to offer exactly this feature with its Office Web cloud version of Office 2010, predictably cuts no ice with him.

Passwords are not enough

Despite his assertions that the cloud is objectively better, that is not the perception among most people. The big objection to cloud apps – and what hit Twitter – boils down to the fact that data is available from anywhere, and is only protected by a password. These can be found with key-loggers, guessed or retrieved by other devious means – and the best response to this is to use two-factor authentication, so hackers can’t get hold of a password.

“The reality is most security on the Internet today depends on knowing the user’s password,” he said. “We offer stronger levels – we support single sign-on and SAML [the Security Assertion Markup Language. We have clients that use two-factor authentication, with one-time passwords through things like RSA SecurID, smartcards or cellphones.”

He recommends using stronger authentication, and Google offers a tool to help users choose better passwords: “We show admins the strength of each password, based on the attacks we are seeing on the net at that time.”

Google – apparently it relies on passwords

But does Google itself use two-factor authentication, eWEEK asked

“I don’t think I can comment on that,” he said – looking very uncomfortable indeed, and claiming Google’s security would not allow him to answer. The group pointed out that it would not be a breach to simply know whether Google uses two-factor techniques, but Feigenbaum stuck to his rigid “no comment,” leaving us pretty sure that Google relies on passwords.