Put safety first in the rush to get hosted

It's always exciting to see an idea make it through the life cycle from blue-sky concept to actual product you can play with. Google has just helped web applications through this metamorphosis, with the launch last week of its Google Apps Premier Edition product.

Google Apps already looked attractive to small companies keen to have their email, IM or calendar programs hosted on the web. By adding support for word processing and spreadsheets — plus 10GB of storage per user — this Premier upgrade begins to look like a worthy alternative to Office.

But companies that are considering abandoning Microsoft in favour of the web need to consider the problem child of IT — security.

We're not suggesting that non-hosted applications are particularly safe, especially not on the day that the first Office 2007 bug is reported. Word and Excel have also suffered serious vulnerabilities in recent months, giving conscientious IT managers plenty to do.

But at least with Microsoft Office, you can push out the latest fixes across the organisation each Patch Tuesday, lock down user permissions and nail down the network perimeter to try and prevent anything nasty getting in or important getting out. When you hand over corporate data to a hosted provider you also hand over the ability to keep it safe. You no longer have the ability to protect it yourself. Google doesn't ofter any security beyond the user name and password, so setting up defence in depth — encryption, rights-mediated access controls, centrally enforced policies and auditing — is practically impossible.

The danger is multiplied if, as in Google's case, several important applications are being linked together. If a malicious hacker gets into one Premier App, it could be worryingly easy for them to run the table and grab data from all of them. Google writes a lot of really great code, but that doesn't mean it is immune to security mistakes. As we saw just last week, in fact, when it patched several flaws in its Desktop product that would allow an attacker to access files on a victim's machine.

In the fanfare around the launch of Google Apps Premier Edition last week, security barely got a mention. Microsoft is no better. In fact it still hasn't really announced what its Live hosted services will be.

We can't recommend any service as ready for the enterprise unless it comes with explicit enterprise-level security commitments. Google may be the greatest software company on earth, but it won't have earned that title until it can demonstrate as good or higher-level security for its applications as that found on a well-configured, non-hosted system.