"Can I trust Google Docs with confidential information?"
That was essentially the question posed to me yesterday by someone I know. He was/is thinking of using Google Apps and Google Docs for his business, but he was concerned about the security of Google Docs. If he uses it to write up documents containing "internal" information about customers, how safe is that information stored up in Google Docs? Is there any chance that his documents could leak out to someone else? What security is there? Could he trust Google Docs to keep that information confidential?
Essentially the key question of these times: "Can you trust the security of 'the cloud'?"
Sadly, the best answer I could come up with was:
I don't know.
Of course, engaging my ultra-paranoid security-guy personality, the answer is very clear - ABSOLUTELY NOT! I mean, Google makes it explicitly clear in section 14 (2) of the Google Apps Terms of Service that there is no guarantee of security:
14. DISCLAIMER OF WARRANTIES
YOU EXPRESSLY UNDERSTAND AND AGREE THAT:
1. YOUR USE OF GOOGLE SERVICES IS AT YOUR SOLE RISK. GOOGLE SERVICES ARE PROVIDED ON AN "AS IS" AND "AS AVAILABLE" BASIS. TO THE MAXIMUM EXTENT PERMITTED BY LAW, GOOGLE AND PARTNERS EXPRESSLY DISCLAIM ALL WARRANTIES AND CONDITIONS OF ANY KIND, WHETHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO THE IMPLIED WARRANTIES AND CONDITIONS OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT.
2. GOOGLE AND PARTNERS DO NOT WARRANT THAT (i) GOOGLE SERVICES WILL MEET YOUR REQUIREMENTS, (ii) GOOGLE SERVICES WILL BE UNINTERRUPTED, TIMELY, SECURE, OR ERROR-FREE, (iii) THE RESULTS THAT MAY BE OBTAINED FROM THE USE OF GOOGLE SERVICES WILL BE ACCURATE OR RELIABLE, (iv) THE QUALITY OF ANY PRODUCTS, SERVICES, INFORMATION, OR OTHER MATERIAL PURCHASED OR OBTAINED BY YOU THROUGH GOOGLE SERVICES WILL MEET YOUR EXPECTATIONS, AND (V) ANY ERRORS IN THE SOFTWARE WILL BE CORRECTED.
3. ANY MATERIAL DOWNLOADED OR OTHERWISE OBTAINED THROUGH THE USE OF GOOGLE SERVICES IS DONE AT YOUR OWN DISCRETION AND RISK AND THAT YOU WILL BE SOLELY RESPONSIBLE FOR ANY DAMAGE TO YOUR COMPUTER SYSTEM OR OTHER DEVICE OR LOSS OF DATA THAT RESULTS FROM THE DOWNLOAD OF ANY SUCH MATERIAL.
No guarantee of security. No guarantee of availability. Really just "best effort". From a "pure" security point of view, NO, I would not trust confidential data to Google Docs. That kind of information is best kept "inside the firewall" on the corporate LAN and on corporate servers under careful control.
... the hard part of "security" is not being the one to always say no and instead work on "getting to yes". The reality is that there is the age-old balance to be struck between "security" and "convenience/access". Sure, the person I know could keep his confidential info on his own network, safe inside the firewall, and have all his remote employees in home or branch offices access it via VPNs. But inside the firewall there isn't a collaboration option quite like that in Google Docs. Sure, he could find/buy/install a solution, but that then requires IT staff on his part as well as the commitment to keep the software up-to-date, fix issues, etc., etc.
The promise of "the cloud" is to get away from all those premise IT issues and costs.
The beauty of Google Docs is that his staff can all access various documents from wherever they are on the Internet. No need for VPNs. Just login via a web browser and... ta da... they can be writing documents, commenting on documents, etc. From anywhere. Home computers. Corporate computers. Mobile devices. iPhones. Whatever. People can collaborate faster... turn around proposals/deals... and ultimately probably win more deals and make more money.
But at what risk? Google Docs uses HTTPS (SSL/TLS) for login, but after that you are usually switched over to insecure HTTP. I've noticed that I can go and manually change the URL to "https://" and that works. I guess you could just send around https URLs and have people go into the docs that way... but that's a manual interaction that won't always be remembered. So odds are that your transport is not always secure. And the security of documents at Google's site? No real idea.
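The pattern described above (login over HTTPS, then documents fetched over plain HTTP) can be checked from a recorded list of the requests a browser made during one session. This is an added example, not part of the original post; the hostnames, the `/login` path marker and the session data are constructed placeholders.

```python
from urllib.parse import urlsplit, urlunsplit

# Constructed sample: ordered requests from one browser session.
# Hostnames and paths are placeholders, not real Google Docs URLs.
SESSION = [
    ("POST", "https://accounts.example.test/login"),
    ("GET", "http://docs.example.test/doc?id=abc123"),
    ("GET", "http://docs.example.test/static/editor.js"),
    ("GET", "https://docs.example.test/doc?id=def456"),
]


def force_https(url):
    """Return the URL with an http scheme upgraded to https."""
    parts = urlsplit(url)
    if parts.scheme != "http":
        return url
    netloc = parts.netloc
    if netloc.endswith(":80"):
        # An explicit default HTTP port makes no sense on an https URL.
        netloc = netloc[:-3]
    return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))


def audit_session(requests, login_marker="/login"):
    """List cleartext requests that follow an HTTPS login.

    login_marker is an assumed way to recognise the login request;
    adjust it to whatever the recorded session actually contains.
    """
    logged_in = False
    findings = []
    for method, url in requests:
        parts = urlsplit(url)
        if parts.scheme == "https" and login_marker in parts.path:
            logged_in = True
            continue
        if logged_in and parts.scheme == "http":
            findings.append(
                {"method": method, "cleartext": url, "upgrade": force_https(url)}
            )
    return findings


if __name__ == "__main__":
    for f in audit_session(SESSION):
        print(f"{f['method']} sent in cleartext: {f['cleartext']} -> {f['upgrade']}")
```

The `upgrade` value is the link to hand out instead, which is the manual "send around https URLs" step done consistently.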
Obviously, as indicated above, Google provides absolutely no guarantee of security, but from a practical point-of-view, you'd have to think that it is 100% in their best interest to provide such confidentiality and security. They are in a colossal battle with Microsoft for the ultimate control of your data... Google wants people to move away from Microsoft's server/LAN-centric vision and "embrace the cloud" and is making a compelling case for people to do this. (And Microsoft realizes this and is responding with their own online offerings.) From a PR/marketing point-of-view, Google can't have a breach of confidential information as that would play directly into Microsoft's hands.
So what does one do? Do you take the security purist view and keep all your information behind a corporate firewall? Or do you "embrace the cloud" and let the convenience of access and the cost savings (vs premise IT) of Google Docs overrule the security risks?
I don't know.
In the end, it's really all about your level of tolerance for risk - and how confidential you really deem those documents to be. As we move more and more "into the cloud" this is a key question we all will need to grapple with.
What would you do? (or do you do?) Do you put confidential company data (memos about customers, sales proposals, budgets, etc.) up in Google Docs or other similar services? Or do you keep this kind of data "inside the firewall"? How secure do you think Google Docs really is?