UPDATED: Two analysts issued independent warnings today suggesting Google’s
Desktop Search tool — released in October — poses security risks for the enterprise.
The most significant threat is when desktop search is used while connected to a virtual
private network (VPN), according to Dana Hendrickson, an analyst with VPN Central.
In a similar alert issued to Meta Group clients, analyst Timothy Hickernell wrote,
“Companies must be aware of potential security risks posed by enterprise installation and
must adopt appropriate end-user guidelines based on testing within standard corporate
Hickernell told internetnews.com that the desktop will be the next battlefront
in the search engine wars — and a new front in the battle for corporate security.
Google Desktop Search lets users search documents, spreadsheets, e-mail, instant
messages and Web pages that have been visited by that PC. To enable this, it creates
cached versions of Web content — which could include sensitive corporate information
stored on servers and accessed via a Web interface.
A Google spokesperson said the company was looking into it.
Enterprises often allow mobile workers to connect to the corporate network using secure
VPNs via their home computers, hotel business centers, a customer site or Internet kiosks found
at airports and cafes.
Hickernell said that if the person who downloaded the desktop search tool has
administrative rights to the local machine, the tool also could search any drives attached
to the machine, for example, a departmental drive or server. When the tool indexes local
files, it will also index the remote files if the PC is connected long enough.
Then, he said, “Another user can come behind you and see the cached copy of the content.”
“Any time you provide a tool that makes it convenient to move information, people will
move more of it,” Hendrickson told internetnews.com.
Hendrickson’s warning came attached to a product release from Whale, a secure VPN vendor.
Whale said its remote access product will let corporate IT managers detect whether the
Google Desktop Search tool is running — and either kill it or control it.
Google Desktop Search asks users at installation what kinds of files should be indexed.
They can omit their Web histories and also secure HTTPS pages. They also can change the
options at any time after the install.
But Joseph Sternberg, director of technical services for Whale Communications, said
that administrators can’t rely on their users to do the right thing.
“Security needs to
be implemented at the enterprise. IT administrators need to ensure the system is secure.”
MSN and Ask Jeeves
have promised to release
their own desktop search tools before the end of 2004, and Hickernell believes Yahoo
will follow suit. There also are several standalone products on the market.
While these apps are targeted to consumers, Hickernell said, corporate users will inevitably
Whale said it had identified 10 more desktop indexing tools that pose security risks
by caching confidential information. The company didn’t list them, but said it’s working
to upgrade its gateways to add the detection and control features.
tools let IT managers set policies for desktop search tools, for example, making rules
about what applications or systems can be accessed while the toolbar is running.
“Corporations need to get ahead of this,” Meta Group’s Hickernell said. “They need to
test these tools and be aware of the security implications with Google Desktop Search.”