The issue of security and the Internet cloud came into sharp focus during the past few days as news broke that Gmail's G-Archiver apparently was sending users' names and passwords to the service's creator, John Terry, every time they backed up their data. The danger is that Gmail links a number of Google applications. All of these, it appears, were endangered by the hack.
This is a significant event. TechCrunch discusses the implications. The post paraphrases experts who say Google Apps "can never be a real threat to Microsoft Exchange or Sharepoint" because, as the G-Archiver incident demonstrates, one password mishap could compromise all the data the applications are batting back and forth.
The blogger points out that Google apps support security specs such as OpenID and the Security Assertion Markup Language (SAML), but that it is unlikely most people and companies are anxious to take such extra steps. One of the reasons mobility and Web services have exploded is convenience, and security steps that dilute that asset will be resisted. Last week, TriCipher Vice President Jon Brody suggested in an IT Business Edge interview that such security initiatives, to date, have not been overly successful:
There has been some adoption of SAML and it has gone through some iterations, but it is very technical. OpenID is not as powerful an authentication proposition. SAML offers more security, but you have to be a programmer to implement it. Most apps on the Web don't use standards. That makes it difficult.
The bottom line is that data outside the organization must be kept secure. It may be data "at rest" -- stored online at places such as Box.net -- data being used in Web and software-as-a-service (SaaS) applications, or data being carried around on mobile devices. Indeed, executives must understand that firewall-protected corporate databases are just one of a growing number of places their valuables may reside at any given moment.
But the biggest adjustment must be made by users. They will have to put up with a higher level of inconvenience. The inflection point will be when they and the decision-makers to whom they report recognize the true and full value of mobile and decentralized organizations that use applications in the cloud. In other words, the new way of doing business must be shown to be worthwhile despite the added inconvenience.
As Brody points out, this level of inconvenience may shift depending upon the relative value of the data. But an IT department that thinks it won't have to lean on users of sensitive data -- and workers who think that they should be able to access a corporation's crown jewels via a simple user name and password while they are sitting in an airport lounge -- should think again.
Microsoft gets it. The need to operate efficiently in the cloud in general -- including security -- has led the company to rethink open standards such as SAML, the Service Provisioning Markup Language (SPML) and the Extensible Access Control Markup Language (XACML). The story goes into a good amount of detail about the confusing specs. The bottom line is that the move to revisit the standards is the result of CEO Steve Ballmer's pledge last month that the company would support openness, data portability, industry standards and interoperability for IT and open source developers.