An interesting challenge for those who are now pushing public e-mail services as a way to run commodity corporate mail....

It's not clear what gets discussed during McKinsey & Co.'s weekly internal communication meeting, but the dial-in number and passcode for the event can be easily found by searching with Google.
The data is out there thanks to Google Calendar, a feature added to Google's Web-based calendar service last November. Google bills it as a cool way to discover interesting events, but a few quick searches show that it can also be used to turn up sensitive corporate information that was inadvertently made public using Google Calendar.  ....

This kind of data leakage is a growing problem for corporations whose employees are adopting a new generation of Web-based productivity tools without necessarily understanding the security implications, said Marv Goldschmitt, vice president of business development with data auditing appliance vendor Tizor Systems Inc. "People may not understand what it means to put their information on a public service."
Link: Computerworld, "Corporate data slips out via Google Calendar"
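The leak described above is a sharing-settings problem, not a search-engine problem: once a calendar is readable by "anyone", every non-private event on it is fair game for indexing. The check a practitioner would want is an audit of who can read each calendar and whether any exposed event carries bridge numbers or passcodes. The script below is an added example written for this post, not code from the article, from McKinsey, or from Google. It assumes the ACL-rule and event shapes documented for the Google Calendar API v3 (`acl.list` returns rules whose `scope.type` is `default` for "anyone" access and `domain` for everyone in a domain; events carry a `visibility` of `default`, `public`, `private` or `confidential`); the calendars and events in `SAMPLE_CALENDARS` are constructed for illustration.

```python
"""Audit calendar sharing for over-exposure and sensitive event content.

Added example (not from the original post). Assumes Google Calendar API v3
resource shapes for ACL rules and events; the sample data is constructed.
"""
import re

# Content that should never sit on a world-readable calendar: conference
# bridge numbers and the passcodes that go with them.
SENSITIVE_PATTERNS = {
    "passcode": re.compile(r"\b(pass(?:code|word)|pin)\b\s*[:#]?\s*\d{4,}", re.I),
    "dial-in": re.compile(
        r"\b(dial[- ]?in|bridge|conference)\b.*?\d{3}[-.\s]?\d{3}[-.\s]?\d{4}",
        re.I | re.S,
    ),
}


def exposure_of(acl_rules):
    """Classify a calendar's ACL as 'public', 'domain' or 'private'.

    A rule with scope type 'default' grants access to anyone; 'domain'
    grants it to a whole Google Apps domain. A role of 'none' grants nothing
    and is ignored (it is how a public rule is effectively revoked).
    """
    kinds = {
        rule.get("scope", {}).get("type")
        for rule in acl_rules
        if rule.get("role", "none") != "none"
    }
    if "default" in kinds:
        return "public"
    if "domain" in kinds:
        return "domain"
    return "private"


def find_sensitive(text):
    """Return the names of the sensitive-content patterns that match."""
    return sorted(name for name, pat in SENSITIVE_PATTERNS.items() if pat.search(text or ""))


def audit(calendars):
    """Report events whose details are exposed beyond the owner and look sensitive.

    `calendars` is a list of {"id", "acl", "events"} dicts. An event's details
    follow the calendar's exposure unless the event itself is marked
    'private' or 'confidential', in which case readers see only free/busy.
    """
    findings = []
    for cal in calendars:
        exposure = exposure_of(cal["acl"])
        if exposure == "private":
            continue
        for ev in cal.get("events", []):
            if ev.get("visibility", "default") in ("private", "confidential"):
                continue
            hits = find_sensitive(" ".join([ev.get("summary", ""), ev.get("description", "")]))
            if hits:
                findings.append({
                    "calendar": cal["id"],
                    "event": ev.get("id"),
                    "exposure": exposure,
                    "hits": hits,
                })
    return findings


# Constructed sample data (hypothetical addresses and numbers, not real data).
SAMPLE_CALENDARS = [
    {
        "id": "ops-team@example.com",
        "acl": [
            {"scope": {"type": "user", "value": "alice@example.com"}, "role": "owner"},
            {"scope": {"type": "default"}, "role": "reader"},  # the mistake: shared with the world
        ],
        "events": [
            {"id": "evt1", "summary": "Weekly internal comms call",
             "description": "Dial-in: 555-012-3456, passcode: 884421"},
            {"id": "evt2", "summary": "Lunch", "description": ""},
            {"id": "evt3", "summary": "1:1", "description": "passcode 12345678",
             "visibility": "private"},  # details hidden even on a public calendar
        ],
    },
    {
        "id": "bob@example.com",
        "acl": [{"scope": {"type": "user", "value": "bob@example.com"}, "role": "owner"}],
        "events": [{"id": "evt4", "summary": "Bridge",
                    "description": "dial-in 555-010-2020 passcode: 4321"}],
    },
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_CALENDARS):
        print(finding)
```

Run against real data, the input would come from `acl.list` and `events.list` for every calendar in the domain; the point of the two-level check is that a sensitive-looking event on a private calendar is not a finding, while the same event on a calendar with a `default` reader rule is exactly what Google's public calendar search would surface.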


  1. Tony Lee

    Some people may accuse you of creating FUD for Google with this entry, but I think it's just being realistic....

  2. Bruce Elgort (http://www.TakingNotesPodcast.com)

    Ed,

    I agree with Tony on the FUD factor of this blog entry. However, I do believe that employees need to be made aware of the risks associated with using any type of system outside the corporate firewall.

    Bruce

  3. Ed Brill (http://www.edbrill.com)

    hey, it's not like I wrote the article.... but some here have been quite vocal about considering new delivery vehicles, and I think it's reasonable to say, every approach has pluses and minuses.

  4. Jeff Picco

    I was waiting for news of this to come out. Sadly, this was a risk that was being glossed over by a lot of people I work with. Now they are looking at it again.

    Google does have a security solution for the enterprise, just not sure when it will be announced.

    Thanks.

  5. Dennis

    Found a user :-(

  6. Bob Congdon (http://www.bobcongdon.com/blog)

    @2: I saw this article a few days ago and was wondering whether Ed was going to post anything about it. The issue goes beyond Google Calendar and using public e-mail services. Controlling access outside of the corporate firewall to sensitive data is always going to be an issue. More than one organization has accidentally allowed Anonymous access to Domino data via the web.

    I think the key in this case is that individual users are able to make their own decisions regarding sharing. This should be done via policy, not by personal choice. And if McKinsey didn't authorize this user to share their corporate calendar on Google, at the very least, they deserve a reprimand.

  7. Jeff Picco

    @6: Remember that with the new way that Google is presenting its email and calendar solution, it's not always intuitive as to who can see which of the many calendars you can create. So, while training was probably not done on the security aspect, I'm sure it will be looked at now for that company.

    Side note: I have 10 calendars that I share with various people on my gmail account. I would love to be able to do that at work, but sadly I cannot unless I buy a third-party application or kludge another mail file into the mix.

  8. Charles Robinson (http://cubert-codepoet.blogspot.com)

    I can choose who sees my Notes calendar. If I leave it open to the entire company can I blame Lotus when people find the details of my calendar?

  9. Rob McDonagh (http://www.CaptainOblivious.com)

    This is one of the primary reasons why I don't buy into the hype around enabling user-driven IT ("Enterprise 2.0" I believe in buzzword-land); there's an assumption that everyone who uses those services will be aware of the security risks associated with a given action. The reality is that most people just don't think that way. Increasing openness and ease of use almost always leads to a decrease in security (it is often said that convenience and security are endpoints on a continuum), and any company large enough to be considered an enterprise clearly has to have appropriate security policies and the IT infrastructure to support them.

    Caveat: I still maintain that Google Apps is a powerful solution for the VSB, and the vast majority of those companies aren't - and shouldn't be - as worried about IT security and compliance as the bigger enterprises.

  10. Jeff Picco

    @8: In Notes, yes, you can choose who can see your calendar, but you only have one calendar. In Google, you can have multiple calendars (e.g. personal, work, project 1, project 2) and they all roll up into one. You can invite people to view or be editors of each one individually. You can also choose to make your calendar discoverable by the world. I'm assuming the people talked about in that article chose to invite others or they published it to the world. So, that level of granularity does not exist in Notes today. There is the option to mark items private in Notes, so you can do some of that per document.

  11. Bob Congdon (http://www.bobcongdon.com/blog)

    @8: Some companies (e.g. IBM) perform an audit on your Notes calendar to make sure that you don't share it with anyone except approved people (e.g. manager, direct reports, AA, etc).

  12. Keith Brooks (http://www.keithbrooks.com)

    It seems to me that a point is being made by the individuals from these firms in question.

    Namely, they do not have the capacity within their calendar systems to either a) work with outside clients'/vendors' calendars or b) trust their own IT staff or internal methods for some unknown reason.

    Uninformed users? Maybe.

    Did they know the risks? Provided they are not from Pluto (or whatever it is called now), they most positively should. Every newspaper, magazine, TV channel and radio station discusses privacy and security, even at a child's level.

    Could they all have entered the info as public unknowingly? Who knows, but in their next job they will.

  13. Mike Lazar

    @8...I don't see your point. Leaving your calendar to the company is in no way the same as leaving it open to THE ENTIRE INTERNET. If I choose to have my calendar viewable by anyone in my firm, who cares? It's a closed environment that is not accessible from anywhere but my LAN or VPN. If I put corporate info on a Google calendar and share it, the entire world sees it. That's the point here.

  14. Mike Brown

    @7 Why is creating another calendar via another mail file a "kludge"? Because it's not in the same .nsf file, perhaps?

    If so, does that matter, as long as it works? Which it does, for me, anyway. You can even have links to your other calendars on your main calendar menu. The only problem you'd have is not being able to easily search across all of your calendars in one go.

    cheers,

    - Mike

  15. Charles Robinson (http://cubert-codepoet.blogspot.com)

    @10 - My executives use Google Calendar instead of the Notes calendar precisely for the reasons you outline. Notes calendaring is nowhere near as capable and it's not a value-add to the business to buy or build something in Notes when Google Calendar fits the need and is free.

    @11 - I guess big companies have different things to worry about than those of us down in the muck. :)

    @13 - My point simply is that it's not Google's fault people didn't use the tool appropriately. Information in the wrong hands is a security lapse regardless of the scope. History has shown that information leaked internally can very quickly become leaked externally.

  16. Pete McPhedran (http://www.corefusion.com)

    Question: If you "choose" to share your Google calendar with the world and then the big Google engine indexes it, then you figure out that, oops, didn't mean to share that with the "World" and you unshare it. Does it stay indexed with Google?

    As a hosting provider, this whole conversation is very interesting to me. Although there is merit to keeping things behind the firewall, there are lots of cases where accidents, screw ups and plain old stupidity can circumvent that protection ultimately putting you in the same place as the user that decides to share his/her Google calendar. It's the same Internet after all.

    --Pete

  17. emma

    @16 My understanding is that it will disappear next time Google indexes the server hosting the data, but that doesn't mean it's gone from the internet. You'd be amazed how much seemingly trivial data is cached or archived on servers that the original content author probably doesn't even know about.

  18. Mike Lazar

    @Charles -- While that might be the case, it is far less likely to be found by the world if your mistake is behind your firewalls. That was Ed's point here. People are pushing these free web-based services as corporate email solutions. I can protect my company against most people's misuse/stupidity/ignorance with solid security. If the information is already out on the Internet, I cannot. That's all he's saying here. There will always be people who make mistakes with data. If I have it stored out where the world can see it, it had better not be sensitive data. Considering sensitive data is passed via email every second, it's probably not a good idea to trust your corporate email to a Google or Yahoo.

    Now, I reserve the right to change my opinion in 6-12 months, but for now, I would not recommend a business of any size put their corporate mail on a free web based service.

  19. Charles Robinson (http://cubert-codepoet.blogspot.com)

    @18 - Okay, fair enough. :-)

  20. Jeff Picco

    @7: Yes, using another mail file and having others share it with you for the purpose of a group calendar is a "kludge" in my opinion. The fact that the user has to go looking for data and do manual, even if only mental, aggregation of their calendar is just wrong.

    In my evil scheme of the C&S world, you would have one calendar to look at for everything: business and personal. It would roll up other calendars that you have subscribed to, from your corporate events system, to the team(s) you are working with on specific projects, to your soccer (futbol) club practice/game schedule, to holidays, to family events. Each would have its own access control list, so when others view your calendar, they only see the data you allow them to subscribe to. Then it would be easy to hide data so it doesn't get in the way, and search would be easy and intuitive. I've been dreaming of a system like this since the day I started caring about my schedule. There have been some really good group calendars that will update your Notes calendar, but that just seems like a stop gap. Google has been the first to bring a solution that is really close to what I want.

    I love Notes and have been working with the product since 1995 as a developer, admin, architect, sales, janitor and consultant. I've been able to evangelize it and also had to defend it daily. I think I made the correct choice in all of that. So, while I do tend to be rough on Ed and crew, I do it because I know they can potentially provide a better product than what is expected from Google and others.

  21. Mike VandeVelde

    Hehe, how about this one:

    { Link }

    I really don't see Google as much of a threat to Lotus. Yes we should be aware of it, and I imagine quite a few companies will experiment with it, but I can't see it hitting the enterprise and getting wide adoption - and having staying power. Maybe as a first step, but I imagine at some point most companies who get into it will move on. But I am not psychic ;-)

  22. Christopher Byrne (http://www.controlscaddy.com/)

    Some of you have touched on the need for risk assessment, others seem to miss this point (though dancing around it). See { Link }

  23. Bernard Devlin

    @12

    >>

    Did they know the risks? Providing they are not from Pluto(er whatever it is called now) they most positively should. Every newspaper, magazine, tv channel, radio station discusses privacy, security, even at a child's level.

    <<

    Well, we live in different worlds. I would guess that I overhear one 3-minute discussion about IT security on our national TV and radio stations about every 6 or 12 months. Judging by the behaviour I see, even that (minimal) information is totally lost against the background 'noise'.

    Most computer users have NO idea about security. In my experience, many with qualifications and jobs in IT also know almost nothing about computer security. I know intelligent, well-educated and otherwise highly skeptical people who readily type in their credit card details on pages without even knowing that there is a protocol called https:, or that they can check the certificate in the browser, or even what a certificate means.

    These are people who have used computers day-in and day-out for 10 years. I don't think they have any idea that the site could be fake, or that their personal details are (at least sometimes) travelling unencrypted across public networks. For them computers are such impenetrable and opaque systems, they have no comprehension of what is going on behind the surface. Sad, but true.

    Before the WWW existed, Kevin Mitnick could break into computer systems using just a modem. But it is widely acknowledged amongst security analysts that the easiest way (in the past) to get information about a company was to go through their trash. Or steal a company laptop. Google is now providing another window into those companies.

    My suspicion is that the majority of security breaches are covered up, probably on the (specious) grounds that it protects the victim and other potential victims. Such cover-ups just serve to keep users ignorant about computer security. Furthermore, there must be an untold number of security breaches where the victim never even finds out that it has happened. But some competitor just seemed to out-manoeuvre them yet again.

    Laws and business practices that prevent employers from recording the email/browsing activities of their employees also serve to lull users into a false sense of security. It might well be protecting some 'human right' of the employee, but that's a different matter.

    If an organisation is seriously concerned about not divulging information to those with opposing interests, they will shred documents that are thrown away, and wherever possible they will use encrypted communications. These are the bare minimum in terms of security.