Google recently trumpeted that it now encrypts Gmail messages while shuffling them among its data centers, an extra security layer aimed at thwarting government and criminal snoops, but didn’t say if it applies this protection to its other applications.
Asked for clarification, the company declined to comment. “We don’t have more details to share beyond the Gmail news, but we’re always working in strengthening and encrypting across more services and links,” a spokeswoman said via email.
Google’s reluctance to clarify the scope of its internal encryption is baffling and does a disservice to enterprise customers who rely on the Apps suite for workplace communication, cloud storage and collaboration, according to analysts.
"No basis for trust"
“When confronted with the evidence of a compromise, and asked for an explanation as to how it happened and what they are doing about it, Google is dissembling. This is no basis for trust,” said Jay Heiser, a Gartner analyst.
At issue are reports from last year, based on leaks from former National Security Agency (NSA) contractor Edward Snowden, that the agency snooped on users of online services in part by intercepting data Internet companies transmitted unencrypted in “plain text” among their own servers and data centers.
Back in September, Google officials told The Washington Post that the company was accelerating efforts to encrypt communications between its data centers as a result of these reports.
“It’s an arms race,” Eric Grosse, vice president for security engineering at Google, said at the time.
About two weeks ago, Google announced it had turned on this “internal” encryption for Gmail, but glaringly neglected to address if and when this will be done for its other services and applications.
“Every single email message you send or receive—100 percent of them—is encrypted while moving internally. This ensures that your messages are safe not only when they move between you and Gmail’s servers, but also as they move between Google’s data centers—something we made a top priority after last summer’s revelations,” the Google post reads.
The Google spokeswoman declined to provide an update on the efforts described in The Washington Post article in September, in which Google officials were quoted as saying the “end to end” internal encryption project would be completed “soon.” The spokeswoman also declined to say exactly when this encryption was turned on for Gmail, acknowledging only that it was first announced in the March 20 blog post.
Lack of transparency
The situation is a model case for why enterprise cloud-service buyers need more transparency from their providers, according to Heiser. “Not only did nobody expect their data would be vulnerable to surveillance in this way, but nobody outside of Google knows what question to ask to determine if that’s been fixed,” he said.
“Without knowing how data is transferred between Google servers, nobody has any basis for knowing if risk still exists. We all now know that there is a hole, but without knowing more details, vague assurances from Google do not constitute reliable evidence that the hole has been plugged,” he added.
Google’s vague response suggests that the company hasn’t completed the major undertaking Grosse referred to in September, and customers should take note of this, Heiser said.
“This is an instance in which the extreme size and complexity of Google should be a matter of suspicion for its users. Is the traffic or infrastructure supporting their search and advertising business a factor that inhibits the implementation of encryption between their sites?” Heiser said.
Peter Firstbrook, another Gartner analyst, was also unimpressed with Google’s lack of response.
Trust Google? Why?
“As usual, Google gives no real information here,” he said via email, referring to the March 20 blog post. “It is another ‘trust us, we’re doing the right thing.’ No hyperlink into a fuller explanation. There may be a weakness in the new encryption scheme. We just don’t know.”
The lesson for buyers of software-as-a-service (SaaS) products is clear, according to Heiser: Demand clear, granular explanations from vendors about their security technology and policies.
“No amount of ‘we have the following features’ can ever help a SaaS buyer fully understand where a particular service might have undesirable vulnerabilities, if you don’t have full details on the technology and topology of that service,” he said. “SaaS is the digital equivalent to sausage: Mystery meat is not necessarily bad for you, but if you don’t have full knowledge of the ingredients, you can never fully understand the health hazards.”