Securing Google Apps: A CIO Q&A

Bay Cove Human Services CIO Hilary Croach used a good dose of caution, and eventually a third-party add-on, in order to secure the cost-saving switch to cloud-based Google Apps

Boston-based Bay Cove Human Services is a non-profit organization that offers assistance and service to 4,000 people and families in Massachusetts. CIO Hilary Croach has several technology challenges to contend with. For starters, the agency has its hands in a number of service areas, including helping individuals with developmental disabilities, mental illness, drug and alcohol addiction, and those who need support with aging. With about 140 locations around Eastern Massachusetts, Bay Cove's employees and IT operations are scattered.

Learn more about cloud computing and security

Because of the expansive nature of his users, Croach decided to take some applications into the cloud with Google Apps for Business. But Bay Cove is subject to a number of regulations, including HIPAA, so the move to the cloud wasn't done without extreme consideration with regard to access control and privacy. Croach recently detailed for CSO why he felt Google Apps tools were the right fit for his agency, and how he handles security in a regulated environment like social services.

CSO: How did you first become interested in using Google Apps for Bay Cove? We had an email platform we had used for fourteen years. It was a great platform when we first got it. But, in recent years, it became clear it wasn't being updated, it wasn't connecting in with mobile devices, so we couldn't continue with it for our email platform. We looked at Exchange and the idea of hosted solution was on the table. We have about 1600 users. When I looked at Exchange implementation from the ground up, I was talking about a $100,000-capital investment, and that was with the relatively-cheap licensing that Microsoft offers to non-profits. But Google, for non-profits of our size, offers Google Apps for free. That was a huge deal for me.

Hilary Croach:

Now, of course using Google Apps means it's not in my data center. And there are concerns about security if it's not in my data center. But we quickly became pretty confident that the email and calendar piece of the Google Apps suite would work as well and be as secure as our previous email system for internal communications - and we were clear that sending an email out of any system is pretty much unsafe unless you have encryption tools and so forth. So we made the move.

Did you use everything in the suite?

No. When we first moved to Google Apps, all we had turned on was Gmail and Calendar. And it's a better platform than we had before, with better connectivity to mobile devices.

When we rolled it out, Google had just given administrators the ability to parse out other pieces. Prior to when we did starting using it, if you wanted to use Google Apps, you had to roll out whole thing. But we were able to just use Gmail and Calendar. And we also rolled out Docs to small group of people. We were using sites for other stuff, like our personnel policies. We were using it as adjunct to our intranet. But more and more people starting coming to me, telling me they really liked the collaborative abilities of Google Docs and they wanted me to turn it on for others.

Did you have hesitations about that? How did you handle it?

Google Docs, out of the box, is a user-centric collaboration tool. And, one thing to remember, is that most documents, whether Word or Google Docs, don't have protected information in them. When I say protected, I mean by statutes, like the Massachusetts statues or HIPAA. Most are just documents. So this is a wonderfully collaborative tool that can be used, for instance, to write a proposal our staff may be working on to bid on a contract. That document might be private in that we don't want people to see it, but it isn't protected from the point of view of regulation and compliance. Many documents, probably over 90 percent, don't have protected information in them. What a drag to say "We aren't going to let you use it because we are scared you might share something that has protected information in it."

[Read CSOonline's Executive Guide to Data Loss Prevention (free Insider registration required)]

On the other hand, we had no visibility; no way of knowing how people were sharing documents. Google is moving more into the enterprise, but the control for the administrators at this point is pretty low, particularly in Google Docs. The ability to share documents is very different from trying to share a Word document that sits on my network. Google Docs has this really scary thing where I can right click on the document and it says "share this with public." That means anyone can access it, even search engines can search it. That can't happen with Word document. Sure, people can print out a Word document and share it or put it on flashdrive. But most breaches in our industry come from inadvertent sharing and Google Docs allows for that in a much greater way. So we decided we didn't want to roll Google Docs.

Then I got some push back. So I started looking around the at third-party apps, some of which were administrative tools, to see if there was there anything that could help me with the visibility component. I found CloudLock. Their tool gives me the ability to retrospectively know if something has been shared with the public, to an individual outside my domain, or within my own agency. We are using all three levels of sharing appropriately. They key to being able to use Google Docs is having the visibility on it.

You can see what people are doing with the documents, but how do you ensure they are sharing appropriately?

To completely prevent inappropriate sharing, I can certainly go into my admin center and indicate no Google Doc can be shared outside my domain. But if I do that, there may be a counselor on my side who wants to share with doctor outside with appropriate consent. If I lock that down, they couldnt do that. Part of it is the visibility and understanding. But just like with my internal documents, I make assumptions staff know and understand polices and will make correct decisions most of the time, I just need to point out to them when they may have accidentally shred.

I can do that because the tool gives me high-level dashboard that shows me how many docs I have in my domain, and lets me know how many have been shared publicly, how many have been shared with individuals in my domain, and what has been shared with everyone in my domain. In the case of protected health information, that could be inappropriate. The tool gives me numbers. And I can look at the content and see if it's appropriate or not. If we feel it is inappropriate, we can then change the sharing privileges. The tool also alerts document owners of potential exposures.

And you are able to fully comply with privacy regulations using Google Apps tools?

Our compliance is part of a much larger strategy. If you look at the new Massachusetts regulations, the technology lockdown is just one part of it. A lot of it is education of staff around what's appropriate, what's not, what's locked down and what's not. It is ongoing education and then giving people tools to make sure they are following procedures.

Do you have any suggestions for other organizations who might consider Google Apps?

Don't reject it out of hand because it's in the cloud. There is a huge split between cloud fans and those who believe if they can't touch it, it's not secure. The reality is somewhere in the middle. By adding a third-party tool, it gives me more visibility on Google Docs than I have on documents in my network. People think Google is not secure. But I think their security is better than a lot of hospitals have for the data centers. My argument is always this: Don't reject it out of hand.

Copyright © 2011 IDG Communications, Inc.

7 hot cybersecurity trends (and 2 going cold)