Take for example the Google Apps Marketplace. It’s full of useful add-ons for Google Apps, created by third-party vendors, covering categories such as CRM, Project Management, Accounting, Education and Backup. The level of integration varies by app, ranging from sharing log-on information through to the app being able to read and write the data in your Google Apps account such as your email, calendar, contacts and Google Docs.
This raises an important security issue: how far should you trust these third-party cloud apps? And it's not just whether you can trust the vendors themselves with access to your data, but how tight their own security is.
This is the option with the least opportunity for things to go wrong. You see, when you use Google’s OpenID, the third party is not actually obtaining access to your password. It’s simply passing the authentication through to Google, which verifies your identity and passes the result back to the third party. It’s pretty slick and it saves you having to remember and type in separate passwords for multiple apps.
But what about giving one of these third-party apps access to your Google Apps account data?
Access to account data
Here’s where you need to exercise much more caution, as there is a risk these third-party cloud apps could become a “back door” into your otherwise secure Google Apps account.
It’s important in this case to scrutinise who the third party is and what their own security measures are – both from an internal point of view (what are they doing to make sure their own staff are not illegitimately accessing your data?) and from an external perspective (what are they doing to make sure their own systems are not going to be hacked?).
- Search the vendor’s website for reassurance on these points. If they don't address these issues expressly and specifically, email them or ask questions in their online forum.
- What sort of questions can you ask? Try some of these:
  - What procedures do you have in place to prevent your staff from accessing Google Apps data without our authorisation?
  - How do you vet staff before you give them access to customer data?
  - Tell me about your own security practices and policies. Are they audited by independent authorities?
- Also look for logos showing certification for the app from trusted authorities such as TRUSTe.
The best vendors will be pleased to get the chance to provide their credentials. The ones who are slow to respond or “woolly” in their reply may not be giving security the appropriate level of attention.
The third-party apps on the Marketplace can bring great benefits to a business in terms of automation, effectiveness, efficiency and functionality. But proceed with sensible, level-headed, hard-nosed business caution. Don’t get carried away clicking to add cloud apps without properly assessing what access you’re giving to your data and to whom.
What cloud apps do you use in your business, and have you considered their security?