23 Jul 2009
V3.co.uk: As head of security for Google Apps, can you explain how security managers approach cloud computing?
Eran Feigenbaum: We're in the middle of a few different revolutions at the moment. There's the consumerisation of IT, Web 2.0 and cloud computing. We have a new workforce entering the workplace and bringing in new technologies, with most users having more powerful things available to them at home than they do in the office. According to research, many of them say they would be more productive at work if they had access to the same applications and devices they use at home, and most say they have at least one unsanctioned application at work running on their PC. Most security groups have seen this before and their natural reaction is to lock this down, put more firewalls in place and write more policies.
V3.co.uk: What should they be trying to do?
Eran Feigenbaum: Most users are not malicious; it will be hard to protect against the really malicious ones anyway. If you make it easy for users to do the right thing then they tend to, but in most organisations we haven't made it easy, and because of that we've got into a lot of trouble. The role of security is to protect the confidentiality, integrity and availability of business data, but now there must be a way to say 'yes' rather than 'no' because users are smart and they will find ways around your controls.
V3.co.uk: What are the major challenges facing information security bosses today?
Eran Feigenbaum: There are three things we still haven't solved: data being everywhere; the security arms race that is patch management; and the scale and sophistication of attacks. Software vendors issue patches and the IT professional's job is to consume them and deploy them to relevant systems. But while organisations are working on patching known vulnerabilities, attackers are exploiting them and looking for new zero-day vulnerabilities for which no patches are available. If you move to the cloud, there are no more servers to patch.
V3.co.uk: So then it becomes your problem. How do you protect your own systems?
Eran Feigenbaum: The truth is that it does become the cloud provider's problem, but we've built security into our systems from the get-go and we've had the ability to learn important lessons. We have one homogeneous environment, we wrote the operating system and we built our own hardware. We have zero scheduled downtime because of redundancy and replication, and when there is a new threat we can patch all our systems in a rapid and uniform manner, which most enterprises can't do.
V3.co.uk: So how do you cope with the growing scale and complexity of attacks that even some dedicated security vendors struggle with?
Eran Feigenbaum: Any individual organisation can only see a small slice of any attack. We process two billion email transactions a day, and that gives us a lot of knowledge. We can see and block viruses hours before some anti-virus vendors see them. The number-one issue from a security perspective for us is changing people's mindsets. It's about going from data in my datacentre that I thought was secure, and putting it into someone else's who has the economies of scale and the necessary expertise.
V3.co.uk: But if a user's password is cracked, wouldn't that give criminals access to all their Google Apps data, no matter how securely you store it?
Eran Feigenbaum: The reality is that most security on the internet depends on knowing a user's password. We offer different levels of security. Some clients use one-time passwords, smartcards or cell phones, but that's a security decision that each client has to make - although I'd always encourage stronger passwords. We support Security Assertion Markup Language and Single Sign-On too.
V3.co.uk: How do you respond to fears about the insider threat of data breaches affecting Google and therefore its customers?
Eran Feigenbaum: Firstly, the data does not belong to us, it belongs to our customers. We'll only hold it as long as our customers request us to, and if they want to leave we'll give them the tools to take their data with them. All our employees go through security training and sign a code of conduct, and internally we practise least-privileged access and role-based security, only giving access to those who need it and only giving them the least amount of access they need to get the job done. We're saying put all your eggs in one basket and then guard that really well. We don't allow outside auditors from our customers to come in, but that's the point of our own SAS 70 accreditation.
Mindset
You're correct. The point is the mindset. Simple questions such as "do I need this access?" or "do I need all data fields, or would just 2 or 3 rows be enough?" can be the answer for several problems. Usually, if the prize is not big enough, the burglar will try another house. Rgds, Eduardo
Posted by: Eduardo H Fonseca 23 Aug 2011