Gartner’s recent forecast analysis for Software-as-a-Service observes that Web-based office suites such as Google Apps (including Google Docs) will coexist with traditional office suites as business users will find them appropriate for real-time collaboration or as secondary online tools for taking notes. Google claims that over 3000 businesses sign-up for its Google Apps daily. Moreover, Google Docs is also very popular among employees for personal use. Nevertheless, users have discovered security issues with it, and many businesses have concerns related to data leak prevention and storing data in the cloud.
By using firewall policies that are based on the App-IDs for Google Docs, Google Docs Enterprise, and its functions for Editing and Uploading, businesses can securely enable access to specific features of the service. The Google Docs App-ID can be used to block/allow the entire service, while the more specific App-IDs can be used to control individual functions of the service. With the App-ID for Editing, online editing of documents, presentations, and spreadsheets (that are converted to Google Docs format) can either be blocked completely or be subject to data filtering profiles. While Postini (in Google Apps) provides DLP functionality for Email, Google Docs does not have such a feature. Using data filtering profiles in the firewall security policies allow for pattern searches for SSNs, Credit card numbers, or other confidential information.
While online editing is only for the three file types, earlier this year, Google Docs added the ability for users to upload and share any type of file. This is quite useful when mailing yourself a copy does not work for large files. However, opening up access to work files for users outside of the corporate network can pose a security concern. The App-ID for the Uploading function can be used to identify and control all uploading activity by users on Google Docs.
The Google Docs Enterprise App-ID is useful for organizations that use Google-Apps-for-Business with their company domain and usernames. For finer grained control, custom App-IDs can be created for specific company domains as well.
The Google Docs List Data API allows client applications to programmatically access and manipulate the stored data. Third party applications such as Memeo Connect or Syncplicity use the API to migrate and sync files to Google Docs. Some of these applications encrypt the traffic over SSL. But by using a SSL decryption policy in the firewall, such traffic can be decrypted and identified as Google Docs.
What ever the benefits businesses intend to gain from these services, security admins need to understand and evaluate the inherent security risks and application-based firewall policies provide a powerful tool to address such risks.