Desktop search tools seen raising red flags

Instant messaging products crept onto corporate PCs and introduced a host of security, regulatory and management issues. In the same way, free desktop search tools – designed for consumers – are showing up on corporate networks and raising concerns about data protection.

Desktop search tools use local processing power to locate items inside e-mail and data stores. Three of the most popular are available for free from Google, MSN and Yahoo. Most industry watchers agree the products aid productivity: From a single interface, users can quickly search the text of their e-mail, contacts, application documents, data files, multimedia files and more.

The problem is the information these programs can find and potentially expose, such as documents on a shared file drive that are not properly secured or were supposed to have been deleted.

In fact features of these programs fly in the face of conventional IT security practices. One of the latest consumer versions of Google Desktop, for example, has a built-in feature that lets a user search for items across multiple computers. To do that, Google stores indexing information remotely, on its own servers. The software lets users exclude directories from the search domain, but many don’t know when to do so. The thought of having an index of company information under the control of a third party is cause for alarm among some IT executives.

“Customer data is scattered all over the IT landscape,” says Albert Porco, CIO at Kings County Medical Center. “My biggest concern is that with access from anywhere at anytime, end users can load these tools on their home computers and not only expose their personal data but also expose corporate data.”

That’s one reason the Brooklyn, N.Y., medical facility locks down its desktops. “Desktop support is hard enough, but when users add untested software to the mix, support becomes impossible,” Porco says.

Averting desktop disaster

Desktop search technology has been around for many years and available from vendors such as dtSearch, ISYS and ZyLab. But it wasn’t until fall 2004 when Google got into the market, that things took off.

“It was a sleepy backwater. There were four or six vendors, none of which had seen a substantial amount of business,” says Whit Andrews, a research vice president at Gartner. “Then suddenly Google released, and Yahoo had to respond, then Microsoft responded. Google released Google Desktop beta, and it was explosive.”

Users familiar with these vendors’ public Web search sites – and in many cases dissatisfied with the search features built into Microsoft Outlook, for example – installed these programs on their own to help tame their desktop contents.

But it’s the IT department that has to worry when free desktop search tools expose the contents of a forgotten file server, conflict with a homegrown application or render a PC unusable.

“We have to spend our time removing the applications from end user desktops, changing configuration settings back to default, and possibly repairing damage to the operating system caused by malfunctioning _software that isn’t tested properly and approved by us,” says Craig Bush, network administrator at orthopedic and medical device provider Exactech in Gainesville, Fla.

As users increasingly deploy free consumer-oriented search tools, the management problem escalates.

“This issue is becoming a challenge because we don’t have a policy in place, so it is now open season,” says Priscilla Milam, associate vice chancellor for IT operations at North Harris Montgomery Community College District. “It makes our network vulnerable and creates security issues across the district.”

Milam’s priority in her new role at the Woodlands, Texas, campus is to create and implement a standardized desktop policy that she says she hopes to have in place in the fall. Milam plans to select a desktop search product that can be tied into the district’s Active Directory and forthcoming identity-management infrastructure. But ironing out desktop policies has to come before the product selection process.

“We are currently doing a security awareness public relations campaign that gets the word out to our users about the risks involved with these search tools and other practices,” Milam says. The campaign has been well received – many employees have voluntarily chosen to remove some desktop tools until they have further guidance from IT, she says.

Amerigas doesn’t have a problem with users downloading the free tools because its desktops are locked down. But users want them, so the company is on the lookout for a desktop search product that can be used with SharePoint and Active Directory, says Martin Gibbins, client technology manager at the Valley Forge, Pa., company. “Searching for information is important,” he says.

Take a stance

Companies that don’t address the topic of desktop search are making a mistake, Andrews says. Left unchecked, more and more users will download whatever search product they like best. IT will wind up with a hodgepodge of free products, none of which include vendor support. “This is not conducive to success for an enterprise,” Andrews says.

Instead, companies should choose one desktop search product, arrange for an enterprise license and support it. When companies license an enterprise version of a desktop product, they can arrange for support services from the vendor.

There also are security incentives: Enterprise versions typically include tie-ins to directory products so the IT department can use existing user and group permissions to restrict search result sets, for example. IT also can opt to give users query capability but retain control over what gets indexed and how the index is updated.

“That puts you in a position with all kinds of flexibility you didn’t have before,” Andrews says. “You can manage the indexing, the security and the integration – or lack thereof – to enterprise search platforms. And you can make sure it’s meeting your regulatory needs.”

Making a selection isn’t easy, but there are plenty of options to consider. Google offers an enterprise version of its desktop search, as do MSN and Yahoo. Google also offers premium support services, which cost $20,000 for two years and unlimited users.

Yahoo’s desktop search product is based on technology from X1 Technologies, which offers its desktop search products directly to users. X1 has a client version of its desktop search software, as well as a server edition for companies that want to have enterprise management capabilities. For example, the X1 Enterprise Server provides a central indexing engine for network-based content sources and uses Windows Authentication for security integration.

In addition, vendors with tools for searching content on Web sites and intranets are paying more attention to the desktop search market. Fast Search & Transfer and Autonomy have built desktop search products, and Endeca and IBM have added desktop search capabilities to their suites via partnerships, Andrews says.

Key to making a decision about which platform to choose is to test it, observers say. There are too many unknowns in desktop environments to skip a pilot, Andrews says.

One Gartner client tried a desktop search application and found it conflicted with one of its homegrown applications. “Something went wrong somewhere,” Andrews says. “They liked it better than the one they had to pick, but they could not make it work.”

Another client found a desktop search application caused performance problems on some PCs and caused others to have to be reimaged, he says.

Some of these problems are caused by some products’ consumer roots. “If something is built for consumers, there’s more emphasis on turning it around quickly to grab market share, grab visibility and meet the vast majority of needs, not the entirety of needs. There’s less attention paid to some critical factors,” Andrews says.