Menu
Google trumpets extra encryption for Gmail, but stays mum on other apps

Google trumpets extra encryption for Gmail, but stays mum on other apps

While touting an additional security layer to protect Gmail users against snooping, Google remains vague on its other apps

Google recently trumpeted that it now encrypts Gmail messages while shuffling them among its data centers, an extra security layer aimed at thwarting government and criminal snoops, but didn't say if it applies this protection to its other applications.

Asked for clarification, the company declined to comment. "We don't have more details to share beyond the Gmail news, but we're always working in strengthening and encrypting across more services and links," a spokeswoman said via email.

Google's reluctance to clarify the scope of its internal encryption is baffling and does a disservice to enterprise customers who rely on the Apps suite for workplace communication, cloud storage and collaboration, according to analysts.

"When confronted with the evidence of a compromise, and asked for an explanation as to how it happened and what they are doing about it, Google is dissembling. This is no basis for trust," said Jay Heiser, a Gartner analyst.

At issue are reports from last year, based on leaks from former National Security Agency (NSA) contractor Edward Snowden, that the agency snooped on users of online services in part by intercepting data Internet companies transmitted unencrypted in "plain text" among their own servers and data centers.

Back in September, Google officials told The Washington Post that the company was accelerating efforts to encrypt communications between its data centers as a result of these reports.

"It's an arms race," Eric Grosse, vice president for security engineering at Google, said at the time.

About two weeks ago, Google announced it had turned on this "internal" encryption for Gmail, but glaringly neglected to address if and when this will be done for its other services and applications.

"Every single email message you send or receive -- 100 percent of them -- is encrypted while moving internally. This ensures that your messages are safe not only when they move between you and Gmail's servers, but also as they move between Google's data centers -- something we made a top priority after last summer's revelations," the Google post reads.

The Google spokeswoman declined to provide an update on the efforts described in The Washington Post article in September, in which Google officials were quoted as saying the "end to end" internal encryption project would be completed "soon." The spokeswoman also declined to say exactly when this encryption was turned on for Gmail, acknowledging only that it was first announced in the March 20 blog post.

The situation is a model case for why enterprise cloud-service buyers need more transparency from their providers, according to Heiser. "Not only did nobody expect their data would be vulnerable to surveillance in this way, but nobody outside of Google knows what question to ask to determine if that's been fixed," he said.

"Without knowing how data is transferred between Google servers, nobody has any basis for knowing if risk still exists. We all now know that there is a hole, but without knowing more details, vague assurances from Google do not constitute reliable evidence that the hole has been plugged," he added.

Google's vague response suggests that the company hasn't completed the major undertaking Grosse referred to in September, and customers should take note of this, Heiser said.

"This is an instance in which the extreme size and complexity of Google should be a matter of suspicion for its users. Is the traffic or infrastructure supporting their search and advertising business a factor that inhibits the implementation of encryption between their sites?" Heiser said.

Peter Firstbrook, another Gartner analyst, was also unimpressed with Google's lack of response.

"As usual, Google gives no real information here," he said via email, referring to the March 20 blog post. "It is another 'trust us, we're doing the right thing.' No hyperlink into a fuller explanation. There may be a weakness in the new encryption scheme. We just don't know."

The lesson for buyers of software-as-a-service (SaaS) products is clear, according to Heiser: Demand clear, granular explanations from vendors about their security technology and policies.

"No amount of 'we have the following features' can ever help a SaaS buyer fully understand where a particular service might have undesirable vulnerabilities, if you don't have full details on the technology and topology of that service," he said. "SaaS is the digital equivalent to sausage: Mystery meat is not necessarily bad for you, but if you don't have full knowledge of the ingredients, you can never fully understand the health hazards."

Juan Carlos Perez covers enterprise communication/collaboration suites, operating systems, browsers and general technology breaking news for The IDG News Service. Follow Juan on Twitter at @JuanCPerezIDG.


Follow Us

Join the New Zealand Reseller News newsletter!

Error: Please check your email address.

Tags Internet-based applications and servicesGooglesecurityMailencryptioninternet

Featured

Slideshows

Kiwi channel comes together for another round of After Hours

Kiwi channel comes together for another round of After Hours

The channel came together for another round of After Hours, with a bumper crowd of distributors, vendors and partners descending on The Jefferson in Auckland. Photos by Maria Stefina.​

Kiwi channel comes together for another round of After Hours
Consegna comes to town with AWS cloud offerings launch in Auckland

Consegna comes to town with AWS cloud offerings launch in Auckland

Emerging start-up Consegna has officially launched its cloud offerings in the New Zealand market, through a kick-off event held at Seafarers Building in Auckland.​ Founded in June 2016, the Auckland-based business is backed by AWS and supported by a global team of cloud specialists, leveraging global managed services partnerships with Rackspace locally.

Consegna comes to town with AWS cloud offerings launch in Auckland
Veritas honours top performing trans-Tasman partners

Veritas honours top performing trans-Tasman partners

Veritas honoured its top performing partners across the channel in Australia and New Zealand, recognising innovation and excellence on both sides of the Tasman. Revealed under the Vivid lights in Sydney, Intalock claimed the coveted Partner of the Year 2017 (Pacific) award, with Data#3 acknowledged for 12 months of strong growth across the market. Meanwhile, Datacom took home the New Zealand honours, with Global Storage and Insentra winning service provider and consulting awards respectively. Dicker Data was recognised as the standout distributor of the year, while Hitachi Data Systems claimed the alliance partner award. Photos by Bob Seary.

Veritas honours top performing trans-Tasman partners
Show Comments