Vulnerabilities / Threats
6/4/2010
06:37 PM
Connect Directly
LinkedIn
Twitter
Google+
RSS
E-Mail
50%
50%

Google Explains Security Procedures

In what it describes as a move toward greater transparency, Google has provided details about its security practices in a newly published paper.

In an effort to communicate its commitment to the security of its online services, Google on Friday published a paper that delves into its corporate security strategy.

Eran Feigenbaum, director of security for Google's enterprise group, characterizes the paper as an attempt to be more transparent. It would also be fair to characterize the paper as an attempt to counter the perception that Google's online services are somehow less secure than traditional on-premises systems, a claim often made by Google's competitors.

"Feeling comfortable storing data in the cloud involves trusting a cloud services provider and the practices and policies they have in place," said Feigenbaum in a blog post. "In today's ultra-connected, Web-capable world, understanding how data will be protected is ultimately more meaningful than knowing it is physically located in one data center or another."

Google itself put that trust at risk earlier this year when is disclosed that "a highly sophisticated and targeted attack on our corporate infrastructure originating from China that resulted in the theft of intellectual property from Google."

Part of Google's response to that incident -- said to be made possible as a result of a previously unrecognized flaw in Internet Explorer 6 -- has reportedly been phasing out the use of Microsoft's Windows operating system at the company, a move that may be motivated by marketing concerns in addition to worries about security.

But Google's work making potential customers feel comfortable in its cloud isn't done. In March, Yale delayed a planned move to Google Apps for Education over security concerns. When the City of Los Angeles was considering abandoning its Novell e-mail system for Google Apps and Gmail, similar concerns were raised. The deal ultimately went through but such fears remain.

Google's paper, Security Whitepaper: Google Apps Messaging and Collaboration Products, should help allay those fears. It describes the company's corporate security policies, organizational and operational security, asset classification and control practices, personnel, physical, and environmental security, access control, systems development and maintenance, and disaster recovery efforts.

It may not be quite as fun as, say, the comic book Google used to introduce its Chrome browser, but it's likely to help IT decision makers render more informed judgments about Google's services.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading Must Reads - September 25, 2014
Dark Reading's new Must Reads is a compendium of our best recent coverage of identity and access management. Learn about access control in the age of HTML5, how to improve authentication, why Active Directory is dead, and more.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2012-5485
Published: 2014-09-30
registerConfiglet.py in Plone before 4.2.3 and 4.3 before beta 1 allows remote attackers to execute Python code via unspecified vectors, related to the admin interface.

CVE-2012-5486
Published: 2014-09-30
ZPublisher.HTTPRequest._scrubHeader in Zope 2 before 2.13.19, as used in Plone before 4.3 beta 1, allows remote attackers to inject arbitrary HTTP headers via a linefeed (LF) character.

CVE-2012-5487
Published: 2014-09-30
The sandbox whitelisting function (allowmodule.py) in Plone before 4.2.3 and 4.3 before beta 1 allows remote authenticated users with certain privileges to bypass the Python sandbox restriction and execute arbitrary Python code via vectors related to importing.

CVE-2012-5488
Published: 2014-09-30
python_scripts.py in Plone before 4.2.3 and 4.3 before beta 1 allows remote attackers to execute Python code via a crafted URL, related to createObject.

CVE-2012-5489
Published: 2014-09-30
The App.Undo.UndoSupport.get_request_var_or_attr function in Zope before 2.12.21 and 3.13.x before 2.13.11, as used in Plone before 4.2.3 and 4.3 before beta 1, allows remote authenticated users to gain access to restricted attributes via unspecified vectors.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
In our next Dark Reading Radio broadcast, we’ll take a close look at some of the latest research and practices in application security.