Security expert on Google Apps for Los Angeles: Is Google trustworthy?
See update at bottom regarding British Telecom's affiliation with Microsoft.
In an effort to cut costs, the city of Los Angeles is mulling a $7.25 million contract to shed its antediluvian e-mail system in exchange for Google Apps, the search company's suite of e-mail, word processing, spreadsheet and other generally useful utility programs.
By outsourcing a big hunk of its communication system to Google, however, the city would no longer be directly responsible for the manner in which its own information is stored and secured. And because city officials frequently use e-mail to send protected documents -- as when a police official would send digitized criminal records to a colleague -- Google would become the de facto steward of huge amounts of confidential information.
Is that something the city and its residents should worry about?
Maybe, said Bruce Schneier, a computer security expert and chief security technology officer at British Telecom. Everyone who uses a computer relies on security systems they barely understand, outsourcing the important choices to IT managers and hoping they get it right. Even the people in charge of security have to assume the hardware and software they're using function as advertised.
"Security is about who you trust," Schneier said. "Do you trust Google more than your sysadmin? Do you trust Google Docs more than Microsoft Office?"
"Trust is social," he said. "It's not technical."
There's nothing inherently less secure, then, about keeping information in "the cloud," where documents exist out on the Web rather than in a physical location, like a server in a basement.
"If your computer's connected to the Internet, it's accessible by the entire Internet," Schneier said, meaning e-mail stored on company computer systems is open to security threats. "Just like Google docs are.
"So the question you ask is: Is Google trustworthy?"
It's hard to tell, Schneier said. When it comes to the way Google's highly confidential security system works, "you're not allowed to get an impression. It's very much a 'trust me' -- you can't evaluate it -- you can't look at it."
He's skeptical about using Google Apps -- which was created as a set of office tools -- to store highly sensitive materials.
"When you go into one of these outsourced systems, you're buying into a common security level," he said. "Generally that's a good uniform standard, but it's not the uniform standard you protect nuclear missiles with, or police blotter data. It's meant for your business plan and your spreadsheets. It's meant for stuff you're doing at home."
Updated, 1:20 p.m. July 22nd: Earlier this week, British Telecom, Schneier's employer, announced a partnership with Microsoft to provide cloud-based services to business customers. The Times returned to Schneier to inquire about the skeptical eye he cast on Microsoft competitor Google's cloud security, given the new partnership. We asked him if users should be any more or less inclined to trust Microsoft's cloud services over Google's.
"I don't think so," Schneier replied.
-- David Sarno