Google: Cloud Apps Are MORE Secure, Not Less

When Twitter lost data from Google Docs, the idea of cloud apps took a knock. Google’s Eran Feigenbaum says we’re missing the point – the cloud is more secure than the data centre

Data losses from Google Apps have led many people to conclude that cloud applications are not secure enough for enterprise use. Google disagrees: even after a high profile leak took place at Twitter, Google believes its cloud applications are actually MORE secure than apps hosted in the corporate data centre.

In fact, says Eran Feigenbaum, Director of Security for Google Apps, moving data to the cloud is actually the answer to the most pressing security issues facing IT departments today – and it is only their obsession with keeping data on their premises that keeps them from seeing it.

When Twitter’s private data leaked to TechCrunch, the hacker apparently got hold of a Twitter employee’s Google Apps password. This was widely reported as a reason to avoid cloud apps. When Feigenbaum visited the UK this week, he came out fighting, arguing that security in the cloud is better.

In the first part of this report, he argues why the cloud is better.

Three security issues – and why the cloud answers them

“Why is security so tough, and why do companies spend so much money on security?” he asked a round table of journalists at Google’s London office. “There are three issues: 1. The data is everywhere. 2. The security arms race that patch management has become. 3. The scale and sophistication of threats and attacks they are having to respond to.”

These problems all come from traditional ways of handling data and applications, he says. “In the traditional model today, 60 percent of all corporate data is on unprotected PCs. One in ten laptops is lost or stolen in the first year. Sixty-six percent of us admit to losing USB keys, with 60 percent of those lost keys having corporate private data.”

“If you put data in the cloud, you don’t need to store it locally,” he says, adding that his Powerpoint presentation was written on three different PCs, was never saved on any local storage, and is delivered from the cloud. His laptop was once stolen from his car, the day before he was due to give a presentation on security: “I didn’t flinch. I got to work ten minutes early, and got another laptop. My presentation was in the cloud.” He still had his presentation, and no one else got access to it.

“By letting users do the right thing, you eliminate the need to take that data with you,” he said, “because you can access it any time, anywhere, with the security of the cloud.”

Patch management is also better in the cloud, he said. “It’s become an arms race, and chief security officers have accepted it because we know no different. Software vendors issue patches on a regular basis, and security officers have to consume those patches – Are they relevant to us? Do they break any systems? – and get them deployed on the relevant systems.”

It takes up to 60 days to deploy patches after they are released, according to most people, but security officers tell Feigenbaum it’s more like two to three months: “I gave a presentation with Melissa Hathaway, security officer for Barack Obama, and she said that one out of very six government PCs is still susceptible to the Conficker worm – and that patch has been around for six months.”