20 July, 2009

Google Apps Security — L.A. County And Myth Of Cloud Risks

I've been surprised to see such unanimously negative comments on a recent MSNBC article regarding the potential use of Google Apps by LA county California. I wouldn't be at all surprised to learn of Microsoft employing large scale commenting operations to push negative PR on the net.

This pretty much summarizes the sentiment:

"A decision to place confidential data into the hands of Google instead of simply upgrading the City's own IT infrastructure and retaining behind-the-firewall control of its data and digital resources would be one of the worst decisions it could ever make," said one poster.

There are some very disastrous misunderstandings about the decision being referenced here. Let's start with email. Do you think that the city of LA has a secure email system? Email definitely travels outside the office, where you can't control communication. People check their city email all the time from home or while on the road. I will wager any amount that the email component of Google Apps is much more secure than what they are currently using. Here's why:

1. Everything is 100% encrypted. At this point, there is no way the city of LA is emailing conversations to employees through an encrypted connection all of the time. That means they are at risk of being snooped on at any point along the chain, from their local ISP to the big communication providers.

2. The architecture at Google is far stronger and more reliable. I feel it would be wrong to assume that whatever method they are currently using to store backups of email and maintain uptime for email service is superior to Google. If you think that Microsoft Exchange and lots of hard drives are your idea of security, then OK, move along. It simply costs taxpayers money if email is not working, and Google Apps email works. If anyone wants to argue against that point, show some evidence of comparative downtimes.

3. The filtering is superior. Google Apps email will prevent inefficiencies and, more importantly, viruses from spreading. If you think the city of LA has some kind of standardized, broad virus/spam filter that works better than Google currently, then, well, just move along. If you think they can implement a standardized broad system (like corporate Symantec) that will be less expensive and work just as well at filtering, then you are mistaken.

Now, that's just email. There is no argument here. Google can provide a more reliable, safer, and most of all more cost effective solution and taxpayers need to realize that. Google Docs is another issue altogether. The main question is, how is the city of LA currently sharing documents? There is a misconception that whatever they are doing now is secure because there is not currently some kind of scandal or break-in. I will again bet any amount of money they are:

a) Attaching sensitive documents to emails and sending them around, unencrypted, to co-workers.

b) Using some kind of VPN / web-based solution to log in to their office data through some kind of remote access setup.

Both a) and b) are huge security risks. People need to access some documents remotely. They are most likely doing it with Microsoft products currently, attaching documents to Outlook email and sending them along, unencrypted, and they are also using third-party software and Microsoft tools to get access to "behind-the-firewall" content. Does anyone have any clue about the history of the security of Microsoft products? It's terrible, sorry.

Finally, this really has nothing at all to do with anything about Google. The platform is entirely irrelevant, really. What matters is their internal security policies, period. If they are not equipped with a method to prevent "social hacking" for example, criminals are going to get access to "behind-the-firewall" content no matter what platform they use. If people choose stupid passwords or if IT administrators place terminals with access to sensitive documents where a criminal can physically get to them, then no amount of amazing "upgrading" you do will matter.

Fundamentally, the city of LA needs to decide what information can be accessed remotely. A smart security policy would be that, no, you can't get access to important data unless you gain access to a building with armed guards, an ID check and three methods of authentication on a system that is physically disconnected from the internet. You don't use Google for that, sorry folks, that's something else entirely. The Google Apps product is just not the total solution, and it is a mistake to assume that stuff like "FBI investigations" is somehow magically accessible by the Chinese if they can just guess someone's password. If that's the case when they are using Google Apps, it was the case BEFORE they were using Google Apps.

IT decisions, especially in cases of large scale, are not based on all-in-one solutions, and policy is more important than platform.

16 July, 2009

Twitter Google Apps Not Hacked, TechCrunch, Michael Arrington, and Online Security

Today, there is drama surrounding the trendy social networking website Twitter. To summarize, someone managed to get into their corporate Google Apps account and then proceeded to email confidential documents to (at least) TechCrunch. TechCrunch is run by Michael Arrington, who has begun publishing those documents. It's important that everyone understand that this drama has absolutely nothing to do with Google Apps security. In fact, Mr. Arrington states incorrectly "the original security hole seems to be Google, via Google Apps for your Domain."

Update: This statement was later removed, but there is another statement "It's not our fault that Google has a ridiculously easy way to get access to accounts via their password recovery question." The word "Google" in that sentence really should be replaced with "Google's Gmail service."

Tell you what, how about you try and hack OUR Google Apps? Go to http://mail.blisstechnology.net/ and look down where it says "Can't access your account?" and click on it.

You will get nowhere.

And this is the DEFAULT setting for Google Apps across the board. There is no "security question" for Google Apps users, period.

Now, Gmail is a different story. So are a million other online services that offer security questions as a "password backup." What happened was someone at Twitter, Inc. had a Gmail account (@gmail.com, not @twitter.com) which had a very poor security question that someone guessed. From inside the Gmail account, they were able to find an email that provided access to Twitter's Google Apps. Oops.

So what lessons can we learn here? Google Apps is stronger than Gmail. Security questions are not something anyone should use ever and if a security question is required, then you make up something utterly ridiculous and unguessable as your answer and write it down in a secure place. Never use personal email for business. Think seriously about security in general in 2009 and beyond - it's way past time to be nonchalant about the subject. Oh, and don't read TechCrunch.
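To make the lesson about security questions concrete, here is a small Python helper added to this post (it is not code from the original post, from Google or from Twitter). It treats a recovery answer as a secondary password: it flags answers that are short or appear in a constructed list of commonly guessable values (pet names, home towns and the like), generates a replacement answer from the operating system's CSPRNG, and reports the entropy of that answer so you can see why "fluffy" fails where a 20-character random string does not. The common-answer list, the minimum length and the alphabet are assumptions chosen for illustration.

```python
import math
import secrets
import string

# Constructed sample of answers people commonly give to recovery questions
# (pet names, surnames, home towns, car makes). Illustrative only, not breach data.
COMMON_ANSWERS = {
    "fluffy", "max", "buddy", "bella", "smith", "johnson",
    "springfield", "chicago", "toyota", "honda", "pizza", "blue",
}

# Symbols used for generated answers; letters plus digits gives 62 choices per position.
ALPHABET = string.ascii_letters + string.digits
MIN_LENGTH = 8  # assumed floor; anything shorter is cheap to brute-force online


def is_guessable(answer: str) -> bool:
    """Return True if the answer is short or appears in the common-answer list.

    Comparison is case-insensitive and ignores surrounding whitespace,
    since recovery forms usually normalise input the same way.
    """
    normalized = answer.strip().lower()
    if len(normalized) < MIN_LENGTH:
        return True
    return normalized in COMMON_ANSWERS


def random_answer(length: int = 20, alphabet: str = ALPHABET) -> str:
    """Generate an unguessable answer from the OS CSPRNG.

    The result is meant to be stored in a password manager, not remembered:
    a recovery answer only needs to be reproducible, never memorable.
    """
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Bits of entropy for `length` symbols chosen uniformly from `alphabet_size`."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    for candidate in ["Fluffy", " springfield ", "Tr0ub4dor!x"]:
        print(f"{candidate!r}: guessable={is_guessable(candidate)}")
    answer = random_answer()
    bits = entropy_bits(len(answer), len(ALPHABET))
    print(f"generated answer: {answer} ({bits:.1f} bits of entropy)")
```

The generated answer makes no attempt to look like a real answer to the question; that is the point. A guessable answer is one that can be derived from public facts about the account holder, while a random string can only be obtained from wherever you stored it.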

Now, Bliss Technology can't comprehend why Michael Arrington would sacrifice good sense for a quick rush of drama through publishing "secret" documents he obtained, but in our opinion, it's probably not a wise idea to annoy Twitter and their users. A quick search of http://search.twitter.com/ shows his "cool commodity" dropping like a lead stone into a bottomless pit, the social wildfire burning with hatred across the twittersphere, instant and raging.

As we take security seriously, we advise clients about these issues all the time. We also realize that Google Apps, cloud computing, and the online world in general have some PR challenges ahead, in spite of the extensive and shockingly awful history of true hacks and exploits (not just password-guessing) of software, usually Microsoft, that is not in the cloud. That is why I wrote this - to explain clearly the issues surrounding this drama and to add our voice to the voices of reason, those who loudly support Google and the cloud, who sing every day about the need to take security seriously, and who speak with distaste when reporters just get our industry flat wrong.

07 July, 2009

Change of password by administrator

This guide is for administrators who are changing the password of a given email account.

1. Log into your administrator account.
(If you are the administrator, this will most likely be your normal email account.)

2. In the top right portion of the screen there is a series of options: "Manage this domain, Settings, Older Version, Help, Sign out". Click "Manage this domain".

3. The screen that appears is your "dashboard" screen. Click the "users" button next to the "Create new users" button. There will be a number in front of the word "users" that shows the number of active accounts.

4. Select the user who needs their password changed by clicking their name.

5. Click "Change password" and create the new password.

6. Click "Save Changes" at the bottom of the screen.

06 July, 2009

Bing and Google; Bing vs Google

Very few would argue that Google isn't on top of the pile when it comes to preferred search engines. Yet, Microsoft will never go unheard. Enter "Bing", Microsoft's bid in the world of search engines.

Being an avid follower of Google, I find Bing troublesome in the same way I find a new pair of boots that will never quite fit right troublesome. I suppose this could be chalked up to the normal friction that comes from using a new piece of technology.

I'm playing around with Bing, comparing my findings with Google's, and so far things have stayed pretty interesting. As interesting as they can when you're comparing search engines, that is.

First thing I searched for was "write for me". Google shows twice as many results as Bing. Could this be better optimization? Or is this just a new search engine not getting the full picture just yet? Honestly, I have no idea. I'll probably never need 500 million results. I don't really need 250 million results either.

Next, I searched something with a slightly vague, but much more obvious goal in mind: "Dave Tate". It isn't like searching for Chuck Norris. Tate isn't Bubba Gump, but he has a substantial following, albeit a tightly knit group.

Google brought me nearly 1 million results. Again, I didn't look at them all, duh, but the first result was the man's store, exactly what I was looking for. Under that were articles and whatnot written by Mr. Tate.

Bing's results went in a different direction. Apparently there is a singer/songwriter named Dave Tate. Regardless, Google was more spot on in this instance with less than half of the results of Bing. This could point to social quirks on my part, sure. But I was looking for gym advice, not soothing melodies.

I have no idea what these searches mean just yet. Or if they mean anything at all. In some cases Google returned more results, in some Bing had more. I think there is enough space in the open spans that is the internet for more than a handful of super interesting search engines.

Each search engine will have its own way of handling the query; sometimes they will fail utterly, other times they may bring you exactly what you want. If you are a die-hard Bing'er, give Google a shot when you're frustrated and can't find what you're after. Same thing goes for us Google folks. There is no reason why Bing and Google can't play nice.