Expert chides Google, others on cloud security

Even as they become responsible for handling and storing more user and enterprise data, today's cloud vendors continue to fail to provide adequate security for all that data. Or so says cloud expert Chris Soghoian, a student fellow at Harvard's Berkman Center for Internet and Society.

During a talk live blogged by Web 2.0 Journal's David Weinberger, Soghoian laid out the problem in clear detail. Users and enterprises are increasingly turning to the cloud to handle everything from mail to spreadsheets and other collaborative applications. In some cases, individual users aren't even aware that their enterprises have shifted to cloud computing, as some organizations (like Vivek Kundra's Washington, D.C.) roll out Apps-enabled PCs and others take advantage of new browser features that let users launch single apps in the cloud directly from their desktops.

Yet today's cloud vendors still don't take even the most rudimentary security precautions as they look to manage and store all that data. For example, while Secure Sockets Layer (SSL) encryption is practically the standard for other businesses, such as banks and e-commerce sites, cloud vendors don't use SSL for much other than their log-in screens. That means cloud-based documents, spreadsheets and so on can be "packet-sniffed," and that authentication cookies are open to interception.
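As an added illustration (not part of the original post): a small Python audit that parses Set-Cookie headers from a login response and reports cookies lacking the Secure attribute, which a browser will also send on the plain-HTTP pages the post describes. The header values are constructed for the example.

```python
"""Audit Set-Cookie headers for cookies that will travel over plain HTTP.

Added example, not part of the original article. The header values are
constructed: the login page is served over SSL, the rest of the site over
plain HTTP, so any cookie lacking Secure is sent in the clear afterwards.
"""

# Name fragments that usually indicate an authentication/session cookie.
SESSION_HINTS = ("sess", "sid", "auth", "token", "login")

# Constructed Set-Cookie headers as a login response might return them.
SAMPLE_HEADERS = [
    "SID=abc123; Domain=.example.com; Path=/; HttpOnly",
    "auth_token=def456; Path=/; Secure; HttpOnly",
    "prefs=lang%3Den; Path=/; Expires=Wed, 01 Jan 2020 00:00:00 GMT",
    "login_sess=ghi789; Path=/",
]


def parse_set_cookie(header):
    """Return (name, attrs); attrs keys are lower-cased, flags map to "".
    Splitting on ';' is safe: Expires dates contain commas, never semicolons."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, _value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), attrs


def audit_cookies(set_cookie_headers):
    """List cookies missing Secure (leaks over HTTP) or HttpOnly (script-readable),
    flagging those whose name suggests a session or authentication cookie."""
    findings = []
    for header in set_cookie_headers:
        name, attrs = parse_set_cookie(header)
        missing = [f for f in ("Secure", "HttpOnly") if f.lower() not in attrs]
        if missing:
            findings.append({
                "name": name,
                "missing": missing,
                "session_like": any(h in name.lower() for h in SESSION_HINTS),
            })
    return findings


if __name__ == "__main__":
    for f in audit_cookies(SAMPLE_HEADERS):
        kind = "session" if f["session_like"] else "other"
        print(f["name"], kind, "missing:", ", ".join(f["missing"]))
```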

Soghoian says cloud vendors are well aware of the importance of SSL, but they don't use it because of the performance hit it entails. For example, Facebook, Yahoo mail and Microsoft today don't even offer SSL, and while Google does, it's turned off by default. And to turn it on for something like Gmail, users need to traverse five levels of screens to find the setting.

More interesting, Soghoian says that if Google were to offer full-blown encryption support for Gmail and Apps by default, it would probably put a severe dent in Google's profits. That's because encryption requires more processing power, not only on the client but also on Google's server side. And since Google builds its own servers, it would have to deploy additional hardware to get the new capability: "If 100% of Google's customers opt to use SSL, it sees no new profits, but higher costs," Soghoian says.

Soghoian says the solution is to raise awareness of the problem and perhaps get the FTC involved, passing regulations stating that if a company doesn't use SSL it can't advertise its services as being secure (something Google is already under fire for). What do you think: Should cloud vendors be required to support SSL encryption by default, or should it be more of a buyer-beware situation, where users and enterprises treat SSL support as just another feature checkbox? Send us your comments and let us know.


Copyright © 2009 IDG Communications, Inc.