Google Desktop Security Warning Issued
By Susan Kuchinskas
November 11, 2004
UPDATED: Two analysts issued independent warnings today suggesting Google's Desktop Search tool -- released in October -- poses security risks for the enterprise.
The most significant threat is when desktop search is used while connected to a virtual private network (VPN), according to Dana Hendrickson, an analyst with VPN Central.
In a similar alert issued to Meta Group clients, analyst Timothy Hickernell wrote, "Companies must be aware of potential security risks posed by enterprise installation and must adopt appropriate end-user guidelines based on testing within standard corporate end-user environments."
Hickernell told internetnews.com that the desktop will be the next battlefront in the search engine wars -- and a new front in the battle for corporate security.
Google Desktop Search lets users search documents, spreadsheets, e-mail, instant messages and Web pages that have been visited by that PC. To enable this, it creates cached versions of Web content -- which could include sensitive corporate information stored on servers and accessed via a Web interface.
A Google spokesperson said the company was looking into it.
Enterprises often allow mobile workers to connect to the corporate network using secure VPNs via their home computers, hotel business centers, a customer site or Internet kiosks found at airports and cafes.
Hickernell said that if the person who downloaded the desktop search tool has administrative rights to the local machine, the tool also could search any drives attached to the machine, for example, a departmental drive or server. When the tool indexes local files, it will also index the remote files if the PC is connected long enough.
Then, he said, "Another user can come behind you and see the cached copy of the content."
"Any time you provide a tool that makes it convenient to move information, people will move more of it," Hendrickson told internetnews.com.
Hendrickson's warning came attached to a product release from Whale, a secure VPN vendor. Whale said its remote access product will let corporate IT managers detect whether the Google Desktop Search tool is running -- and either kill it or control it.
Google Desktop Search asks users at installation what kinds of files should be indexed. They can omit their Web histories and also secure HTTPS pages. They also can change the options at any time after the install.
But Joseph Sternberg, director of technical services for Whale Communications, said that administrators can't rely on their users to do the right thing.
"Security needs to be implemented at the enterprise. IT administrators need to ensure the system is secure."
Microsoft's (Quote, Chart) MSN and Ask Jeeves (Quote, Chart) have promised to release their own desktop search tools before the end of 2004, and Hickernell believes Yahoo (Quote, Chart) will follow suit. There also are several standalone products on the market. While these apps are targeted to consumers, Hickernell said, corporate users will inevitably download them.
Whale said it had identified 10 more desktop indexing tools that pose security risks by caching confidential information. The company didn't list them, but said it's working to upgrade its gateways to add the detection and control features.
Whale's administration tools let IT managers set policies for desktop search tools, for example, making rules about what applications or systems can be accessed while the toolbar is running.
"Corporations need to get ahead of this," Meta Group's Hickernell said. "They need to test these tools and be aware of the security implications with Google Desktop Search."