The joy and pain of Google Apps and other services is the single sign-on system. While it’s great to be able to access your email, document repository, analytics and other services online by logging on only once, it can also open you up to a world of information theft if your password is compromised. Combine that with browsers that store passwords, malware and phishing scams, and you’ve got a recipe for disaster if you are not careful.

Recently, this single sign-on system came under attack by many security experts. Each of the experts points back to the December cyber-attack on Google and other companies. Shortly after announcing the attacks on January 12th, Google dropped support for IE6, which is believed to be part of the reason for the attack. Writers at eWeek have their own theories on the security of Google’s single sign-on and how safe it may or may not be.
Google Fights Back
As of Monday, Google has a solution for locking down Google Apps accounts. When you sign into Google, a cookie is stored on your computer. A cookie is a small piece of text that your browser sends back to the site that issued it with every request you make to that site. In this case, the cookie tells Google that you are signed in and not to ask you to sign in again.
Google has always allowed domain administrators to change passwords. Google is now empowering enterprise users who have implemented Google Apps on their domains to expire any user’s cookies in real-time. This means your domain’s administrators can – essentially – automatically log out users who have logged in. Why is this cool? Here’s a scenario:
- Someone steals your password (or worse yet, your mobile phone with a saved password)
- They log in as you, change your password, locking you out of your own account.
- Having your administrator reset the password won’t kick the person out; it merely prevents them from logging in again. (Presuming they ever log out).
- By expiring the cookie, the identity thief is forced to log back in again – but this time, they won’t have the password because the administrator changed it.
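The scenario above hinges on one detail: a password reset changes what you need to log in, but it says nothing about sessions that are already logged in, so the stolen cookie keeps working until the cookies themselves are expired. The following Python model is an added example (not Google's code) that plays the four steps through against a toy session store; the account, the credential `hunter2`, the logical clock values and the cookie format are all constructed for the demonstration, and the password is kept in plain text only to keep the model short.

```python
import hashlib
import hmac
import secrets

# Server-side signing key; generated fresh for this constructed demo.
SECRET_KEY = secrets.token_bytes(32)


class Account:
    """Minimal account record: a password and a session-revocation watermark."""

    def __init__(self, password: str):
        self.password = password          # plain text only for the demo; real systems store a hash
        # Cookies issued at or before this logical time are rejected.
        self.sessions_revoked_at = -1


ACCOUNTS: dict[str, Account] = {}


def _sign(payload: str) -> str:
    return hmac.new(SECRET_KEY, payload.encode(), hashlib.sha256).hexdigest()


def login(user: str, password: str, now: int):
    """Return a signed session cookie 'user:issued_at:signature', or None on bad credentials."""
    acct = ACCOUNTS.get(user)
    if acct is None or not hmac.compare_digest(acct.password.encode(), password.encode()):
        return None
    payload = f"{user}:{now}"
    return f"{payload}:{_sign(payload)}"


def validate_cookie(cookie: str):
    """Return the user the cookie belongs to, or None if it is forged or expired."""
    try:
        user, issued_str, sig = cookie.rsplit(":", 2)
        issued = int(issued_str)
    except ValueError:
        return None
    if not hmac.compare_digest(_sign(f"{user}:{issued}"), sig):
        return None                       # tampered or not issued by us
    acct = ACCOUNTS.get(user)
    if acct is None or issued <= acct.sessions_revoked_at:
        return None                       # issued before the last "expire cookies" action
    return user


def admin_reset_password(user: str, new_password: str):
    """A password reset on its own: cookies already issued keep validating."""
    ACCOUNTS[user].password = new_password


def admin_expire_sessions(user: str, now: int):
    """The 'expire cookies' control: every cookie issued up to now stops validating."""
    ACCOUNTS[user].sessions_revoked_at = now


def run_scenario():
    """Walk through the post's four steps and report what happened at each one."""
    ACCOUNTS.clear()
    ACCOUNTS["alice"] = Account("hunter2")           # constructed sample credential
    results = {}
    # t=1: the thief already has the password, logs in and receives a valid cookie.
    stolen_cookie = login("alice", "hunter2", now=1)
    results["thief_logged_in"] = stolen_cookie is not None
    # t=2: the administrator resets the password; the stolen cookie still works.
    admin_reset_password("alice", "new-strong-passphrase")
    results["valid_after_reset"] = validate_cookie(stolen_cookie) == "alice"
    # t=4: the administrator expires the cookies; the stolen cookie is now dead.
    admin_expire_sessions("alice", now=4)
    results["valid_after_expiry"] = validate_cookie(stolen_cookie) == "alice"
    # t=6: the thief is forced to log back in, but the old password no longer works.
    results["thief_relogin"] = login("alice", "hunter2", now=6) is not None
    # A cookie with the user name swapped fails the signature check.
    forged = "bob:" + stolen_cookie.split(":", 1)[1]
    results["forged_accepted"] = validate_cookie(forged) == "bob"
    return results


if __name__ == "__main__":
    for step, outcome in run_scenario().items():
        print(f"{step}: {outcome}")
```

The revocation watermark is the whole trick: the server never has to enumerate a user's cookies, it only records the instant of the last expiry and rejects anything issued before it. A stricter design would move that watermark on every password change as well, so a reset alone would log the thief out; the model above deliberately keeps the two actions separate to mirror the behaviour the post describes.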
It’s a start. It certainly lends more credence to Google Apps as a real enterprise solution. Time will tell how this plays out with the security bloggers.