Sunday, June 5, 2011

Is Gmail Secure?


There are over 200 million Gmail users and it is completely free.  You get 7.4 Gigabytes of disk space to store 1.5 million pages of text.  Gmail has greater than 99.999% availability and has a response time of less than 0.2 seconds. It offers every conceivable e-mail feature. All you need is any browser to receive messages, with spam already filtered out and searches made without leaving a trace. One can sign up for Gmail in two minutes, with emphasis on rating the strength of the proposed password.
US government employees who need to communicate have an incentive to use Gmail instead of the demonstrably inferior e-mail services usually provided by their agency. It is therefore of interest to examine the widespread publicity generated recently when “hackers”, with origins presumed to be in China, obtained access to the Gmail accounts of a few government employees.
The attacks used emails that appeared to be tailored to their targets to better fool their victims, a technique known as spear phishing. Recipients were asked to click on a link to a phony Gmail login page that gave the hackers access to their personal accounts.
SUMMARY
The attacks come as the U.S. government considers expanding its use of Web-based software for email, along with word processing, spreadsheets and other kinds of documents. Google is one of the many companies vying for the business with its Apps product, as is Microsoft. Web-based email would be vulnerable to hackers who steal login information through phishing attacks, which then allows them to apply malware to worm into the disk drive of a person’s computer and from there spread out to others. Web-based systems are not easier to hack than traditional email, even if a government agency relies on its own servers to manage e-mail.
The issue here has nothing to do with the presumed vulnerability of Gmail. The security weakness lies in a human failure, when someone opens an infected attachment to an e-mail. Whether the government e-mail runs in Google data centers or at a government-managed server farm makes no difference. Human errors will occur regardless of where the e-mail is hosted.
The way to diminish “hacking” attacks is the compartmentalization of records. Personal messages, engagements with social computing and classified e-mail should be contained within individual logical “sand boxes” that prevent traffic in one folder from accessing any other folder. That requires redesigning how desktops, laptops or smart-phones are organized. For instance, a device such as the Chromebook illustrates how folders are managed and stored. A compromised folder can be examined and then purged.
The "sand box" partitioning of cloud-based e-mail, such as Gmail, has a greater chance of being more secure than the existing client-server based solutions.
Of course, giving U.S. government customers a superior e-mail system will go a long way toward keeping all e-mails within already secured transmission channels.


For comments please e-mail paul@strassmann.com