Gmail – unsecure or the most secure?

The recent revelations about Internet security have probably caused you to reconsider how safe your data is in the cloud. We all get heartburn over this (and doctors, attorneys, and financial professionals have double the heartburn) because we don’t want our information or our customers’ information published on the Internet. Are cloud services just too vulnerable for us to use? Can we do a better job of security with in-house resources? I think these are good questions to ask. A good security review is good for all firms every once in a while.

First, let’s establish that not all cloud service providers are created equal. Undoubtedly there are some that have security issues. But this post is about one that I feel does not have security issues – Google Apps for Business, and at the core of that service, Gmail.

Google Apps (now Workspace) is a cloud-connected service, which means that the front door is accessible to everyone with an Internet connection. For most people with a Gmail account, that front door is secured by a password. It is possible to enable two-factor authentication on Google. You can get the instructions here.

For your own in-house services there are measures that you can put in place that are better than simple password access. But all of these additional measures will mean that you run your own email server, either in a hosted environment or in your offices, with network and firewall access that you can control. In turn that means adding the expense and investment in server hardware, software, networking equipment and an IT staff – never an inexpensive proposition and always more expensive than a cloud solution. You could employ any and all of these additional security measures:

  • Adding an additional level of authentication, such as SecurID or token access
  • Employing a digital key system
  • Using other biometrics to gain access
  • Firewalling out certain regions or countries

But real security is more than just access. It also has to do with physically safeguarding your data from loss. Here is a list of features that you would have to put in place just to equal Google. These security elements would be very expensive to duplicate in a self-hosted service:

  • Data center security
  • Data virtualization
  • Security staff

(Rather than me writing about these elements, here is an informative video, provided by Google, about Google data security.)

Is your information isolated to a single data center? What happens if that data center is compromised? Loses power? Loses data connectivity? These events happen all the time.
Does your information travel around on laptops, tablets, phones? What happens when these devices are stolen?
What are your controls around employees that compromise data? What do you do about thumb drives?

There is a cost benefit analysis that you need to do here. I can absolutely see that some companies will opt to create their own in-house services rather than opt for cloud services, but I can’t see that making sense for most small companies.
