Security Considerations When Evaluating Applications on the Google Apps Marketplace

Written by

 By Tsahy Shapsa

Customers care about the security of their data in the cloud, and security of customer data is obviously important to Google, which is why Google has invested in completing numerous security audits and certifications such as FISMA, SSAE 16, and recently, ISO 27001.

Since 2010, we’ve had the honor of engaging with some of the largest Google Apps customers in the world. When dealing with these large organizations (as well as smaller ones that care about the security of their data), at some point during the evaluation process, “security assessment” questions arise.

One might argue that the real value of Google Apps is not contained to messaging and collaboration, but rather in the ability to transform the way businesses consume applications. This transformation is demonstrated and driven by the Google Apps Marketplace, offering hundreds of applications, broken down into multiple categories, which any Google Apps customer can add to their domain with a click of a mouse.

With great power comes great responsibility, and as enterprise IT Security professionals know, adding Google Apps Marketplace applications extends the security perimeter of the organization to include that application, and the company behind it (including the employees).

Here’s the warning message displayed when installing a marketplace application:


Technically speaking, adding non-Google services (aka “installing” marketplace applications) to a domain, is really granting privileges for that application to access the domain and end-user data. Different applications require access to different data repositories: documents, spreadsheets, and calendar are just a few examples.

Security of organizational data is a critical part of any comprehensive DLP strategy. Security audits and certifications can be equally important to internal auditors, legal and compliance teams, as well as customers (if the company is hosting customer data).
Google reminds customers that it is their responsibility to trust and verify 3rd party (non-Google) services they would like to add to their domain.

How do customers trust and verify 3rd party applications?

Here’s a quick checklist that any organization can use in evaluating whether to add a marketplace application to their domain:

Assessing the trustworthiness of a marketplace application provider

Here’s a quick explanation around each one of the security controls and its impact on the level of trustworthiness of the marketplace application provider. Highly trustworthy 3rd party application vendors will be able to provide the security assurances customers require proactively:

  • SSAE 16 Audited – having this means that a 3rd party auditing company has reviewed and attested to the security controls reported by the application vendor
  • System Security Plan (SSP) – a system security plan is a ‘must have’ to be considered even somewhat trustworthy. Just having an SSP isn’t enough as anyone can write their own, and security officers should look for independent verification of the controls, procedures and processes reported in the SSP
  • Ongoing Application Vulnerability Scanning – A standard practice for any SaaS application
  • Customer Security Assessment – In lieu of an industry standard security audit, prospective customers should demand the app provider to respond to a security assessment which will capture the controls they have in place. These include employee background checks, documented and implemented policies and procedures, change management, monitoring, and vendor self-audit verification
  • Application is strategic to the vendor – if the app is not strategic to the vendor’s core business, chances are that the necessary investment in security controls didn’t take place. And security does require an ongoing investment (as anyone who’s gone through a security audit will testify)

In summary, security of customer data should be important to all of us.

Security is important to Google - As is evident by their heavy investment and excellent track record in world class security

Security is important to customers - To protect organizational data, to adhere to legal requirements, and to ensure that the organization’s security perimeter is not compromised by adding non-trustworthy services.

Security must be a top priority for vendors to be trusted - Trustworthy third party vendors make no compromises, and continuously invest, audit, and innovate around their security practices.

Though the transition to the cloud has brought unprecedented sharing, availability, and collaboration benefits to organizations of all sizes, companies must be aware of the 3rd party vendors that now have access to corporate data, and must be able determine whether those vendors pose a security risk.

Tsahy Shapsa is the VP of Sales & Marketing and Co-Founder of CloudLock, where he helps the largest Google Apps customers in the world bring DLP to their data in the cloud. Prior to founding CloudLock, he held various business and technology management roles with companies like Sun Microsystems and Network Appliance, both domestically and internationally.

What’s hot on Infosecurity Magazine?