Security Basics mailing list archives

Re: Bruce Schneier on Google Apps. Do you trust Google?


From: krymson () gmail com
Date: Tue, 28 Jul 2009 07:38:38 -0600

First, I don't trust Google. I haven't trusted Google since shortly after they went public. At which point they answer 
to a whole lot of other people whose only goal is to make money, and not necessarily espouse the vision of "do no 
evil." There is money to be made by gathering information and selling it or at least using it to sell other services to 
targeted audiences. Sorry, but I don't trust people enough to not devolve that in the aim of greed. I like my privacy 
(even for silly things like my purchasing or searching habits).

And that says nothing about the integrity of any Google employee.


Second, I'm not sold on the "cloud" idea. I think many orgs are frustrated with their array of homegrown internal apps 
and software cobbling business processes together. The "cloud" seems like a nice thing (a case of the grass being 
greener on the other side), but orgs will get just as frustrated with it given time with it. They can't be as agile, 
quick, or customized without paying a high price. They can't answer questions on how it works or have any reliable 
assurance of security, integrity, or availability. Orgs want to treat this like a utility that is just always on, but 
it's far too complicated and unique per org to pigeonhole like that.

The only exceptions I immediately see will be "commoditized" stuff that is similar across multiple customers. But then 
you run the risk of the system being changed and you just have to live with it (like Twitter changing replies or 
Facebook changing its interface). Or being down and you have to just wait (Salesforce, or again Twitter).

And, of course, everything like that is pretty much already in place under different names (for instance, we've called 
this "the web" for a long time [yes the sarcasm is thick in this paragraph])...which means "cloud" is just marketing 
rebranding for those segments. A gross bastardization (misunderstanding?) of "distributed computing."

I don't always agree with Schneier; I can think for myself, but in this case I agree with him.

(Yes, sent from a gmail account...)



<- snip ->
"Security is about who you trust," Schneier said. "Do you trust Google
more than your sysadmin? Do you trust Google Docs more than Microsoft
Office?"

"Trust is social," he said. "It's not technical."

Read more:
http://latimesblogs.latimes.com/technology/2009/07/security-expert-on-google-apps-is-google-trustworthy.html

I trust that a Google Employee, whose sole function is to maintain the
system, will ensure that the system is secure, patched and up-to-date.
It is simply about Reputational risk. Reputational risk (damage to an
organization through loss of its reputation or standing), can arise as
a consequence of operational failures. Every company understands
reputational risk, particularly businesses who regard their brand as
one of their most critical assets. Google is one of them. They have a
reputation to maintain.

Note: I posted the following as a comment to the aforementioned
latimes blogpost, so it may be a repeat for some folks.
