Google Docs: Providing Enterprise Security to the Masses

Secure Google DocsMicrosoft recently published a blog post that suggests Google Docs offers weak security. Before we correct the gross misrepresentations in Tony Tai’s article, let’s applaud Microsoft for doing what they do best — that is, launch a FUD campaign. No one does it better than Redmond.

Having been in IT for nearly two decades, however, I know security generally isn’t their forte. So let’s begin dissecting Tony’s article:

“When I share an email or a document with a colleague and ask for their confidentiality, I trust that they won’t share the information with others.”

When sharing a document with Google Docs, users don’t have to “trust” that someone isn’t going to share it. The organization’s administrator and the document owner have all the necessary controls enable safe sharing. As you’ll see, Google’s sophisticated, yet easy-to-use visibility options and sharing settings┬áprovides document owners far greater control sharing documents in the cloud than they would have otherwise collaborating via email attachments.

Tony’s first misrepresentation:

“If a user is working in a Google Apps domain, their files adopt the domain’s security setting, by default, whether those settings are private or not, so Google Apps users may be sharing or publishing documents without knowing they are doing so!”

Google Apps administrators can configure how users within their organization can share their Google Docs (documents, presentations, spreadsheets and drawings). Most of our customers choose to allow sharing outside their organization that’s a key feature but some administrators may choose to disallow sharing outside their organization. To address Tony’s misguided point above, administrators can also set the default visibility level for new docs. Out of the box, Google Docs are set to Private.

He also says:

“Google Docs allows users to specify who they want to share a document with online, yet users cannot apply any security settings to the document. Other users can download and share it any way they wish.”

Simply not true. Document owners can choose exactly how they want to share a document. First, they choose a visibility option for the document. Documents can be set to Private, where only specific people can access it, or shared more broadly, using the options Anyone with the Link or Public on the Web.

When Documents are Private and shared with specific people, document owners can grant collaborators different permission levels. Collaborators may be given permission to edit a document, or they can be granted read-only access or comment-only access. Document owners can also prevent users from downloading the document.

Google Docs Sharing Settings

Google Docs Sharing Settings

Furthermore, document owners can choose to grant editors the ability to share the document with other people, or they can limit the sharing permissions.

Most importantly, because all of the content and sharing permissions are stored in the cloud not on individual user desktops administrators have the ability to review, audit, and even modify sharing settings and history globally without having to worry about local issues concerning “My Documents.” Sharing rights can be revoked by the user in real-time without the need for help desk or technical support. And, as with all Google Apps, the security features work on Windows, Mac, Android, iOS and other platforms not just Windows 7.

Tony then goes on to describe Microsoft’s granular sharing controls:

Information Rights Management (IRM) is similar to Digital Rights Management for documents and information. With IRM, users can restrict rights to content and prevent authorized recipients of restricted content from forwarding, copying, modifying, printing, faxing, or pasting the content. Via IRM, Windows users can even prevent restricted content from being copied with Print Screen.”

Google Doc Screen Shot

What's next? Are you going to limit smartphone use to prevent employees from taking "screenshots"?

Even with these very specific levels of control, someone determined to steal data can take a picture of their computer screen using one of today’s many ubiquitous cell phone cameras and share it with the world via an email or web post. As with all security technology, there needs to be a balance between over engineering a solution and maintaining usability. Our customers tell us Google Docs provides that balance.

Finally, Tony admits:

“Information Rights Management requires certain on-premises investments. It is not for everyone. Larger organizations often take the time to implement and benefit from IRM. Should this interest you, customers can establish IRM settings for Office 2010 and Outlook 2010 using Group Policy, while SharePoint customers have the choice of managing security via a LiveID or through a Rights Management Server.

This may be the largest point of differentiation between Microsoft’s solution and Google Apps. We don’t feel that only large businesses that want to make large investments in on-premise equipment should have enterprise-grade security. It is interesting to see that Office 365 is not mentioned in Microsoft’s blog post, as IRM requires on-premise servers and integration.

Clearly we have a dog in this fight. Since our inception over three years ago, Cloud Sherpas has helped migrate over 1 million users to Google Apps, none of which had previously invested in Microsoft IRM. Today, every single user we’ve migrated benefits from the robust enterprise-class content security features in Google Docs on each and every one of their documents. No Google Apps user must endure the complexity or expense of an IRM system to ensure document security.

On the contrary, Google is regularly investing in the area of security and privacy and delivers new features like two-factor authentication and new advanced SSL security techniques to customers at no additional cost and without the need for on-premise hardware or software.

Simply stated, we believe Microsoft’s model for sharing and collaboration is broken. Once a document is sent as an attachment, the recipient has the choice to do whatever they want with the file. Microsoft Office isn’t based on centrally managed content; documents are created and edited locally on end-user machines. Microsoft’s Information Rights Management seems like a lose-lose proposition as documents aren’t any more secure and collaboration is strongly hindered.

Microsoft’s blog post ends by asking, “Is securing documents and email important to your organization?” Of course it is. For organizations that value collaboration and group productivity, Google Docs provides a flexible security model in use by millions whether you’re a small business or a large corporation without any on-premise investments.

David Hoff 44 Posts

David Hoff is the Chief Technology Officer and a co-founder of Cloud Sherpas. He leads corporate technology strategy and thought leadership across the organization. David has a deep knowledge of public cloud technologies, and has spoken at Google IO, ThinkStratgies Cloud Channel Summit and has an MBA focused on Technology Management. Previously, David was at Optimus Solutions (acquired by SoftChoice), where he was the Managing Director of eBusiness services. David is a life long native of Atlanta, GA.