Last Updated Apr 30, 2010 3:17 PM EDT
But no matter how hard Google works to secure its system, the truth is that the real threat keeps growing. That's because in a cloud computing world the biggest danger comes not from outside hackers, but from Google's own users.
Once upon a time the world of computer security was divided into two zones, inside and outside, but the shift to cloud computing changed that. "How do you design a resilient security system when the source of the attacks are most likely people inside the system?" says Roger Grimes, a twenty-year veteran of the security industry. "How do you educate users to make sure they don't accidentally let an intruder in?" Google's China hack is a case in point. The intruders got in by sending a link to a Google employee that appeared to be an instant message from a friend. When the employee clicked the link it took them to a poisoned web site, allowing the hacker into their computer.
Google explicitly denied that this was an attack on their cloud system, but that always rang hollow to me. New reporting from the NYT confirms that in fact the attackers were able to enter Gaia, the password system that controls access to the business and personal accounts of Google's cloud users. "There is a new reality," says Grimes, "where if the cloud system is penetrated, there is a risk not of one company's network, but hundreds that are suddenly compromised."
These concerns will continue to grow as Google expands its cloud offerings to individuals, businesses and municipalities like the City of Los Angeles, which recently moved to Google Apps. As Grimes has written, the more popular a certain platform becomes, the more it is targeted. Add to that the particular challenge of the cloud, in which an expanding user base means multiplying vulnerabilities.
Google is making an effort to educate its users and improve its tools for keeping the cloud safe. It recently switched all Gmail users to a more secure standard for their emails and added an ISP monitoring service that looks for strange behavior, much like a bank monitors its customers' credit card activity for suspicious charges.
The effort to educate continues on Google's security blog, which publishes detailed posts about what users should watch out for in the ever-changing ecosystem of malware. But as Grimes points out, most users pay little attention to these lessons and changes. "Security will cost you a lot of users if it fails, but it won't gain you a lot if it works. Users care about new features, not about new security."