Google Apps Get Added Security

September 20, 2010

One of the practical manifestations of the recent flurry of interest in “cloud computing” is the adoption, by at least some organizations, of the Google Apps platform for E-mail, calendar and document sharing, and other “cloud” services.  One of the frequently expressed concerns about cloud services in general has been security: some managements are made very nervous (not without some justification) by the idea of their confidential data not being under their control.  One set of worries has to do with the data being physically in someone else’s data center; another centers on how well the access controls on the data — which, after all, is in principle accessible from anywhere on the Internet — will work.

As reported in an article at Ars Technica, Google today announced the availability of additional security measures for its Google Apps customers (which, according to a post on the official Google blog, now number more than 3 million) to address the second class of concerns.  Customers may now choose to enable an additional layer of security verification: in addition to a user ID and password, the new system will require the user to enter a six-digit code sent to the user’s mobile phone.  This covers two items of the security trinity: something you know (the password), and something you have (the mobile device).   The system, which is described in more detail in a post on the Google Enterprise Blog, also will enable certain devices to be designated as trusted, meaning that the two-factor authentication will not be required.  (One might use this, for example, for devices on a local wired network.)

Google says that the new security measures are available now for customers of its Premier, Education, and Government Editions of Google Apps, and that it plans to eventually make the system available to all users.

This seems to me to be a useful step forward in the attempt to provide better security for Internet applications.  There is no perfect system, of course, but this makes life a bit more difficult for the potential shoulder surfer or password sniffer.  But it is also predictable that some users will manage to mess it up.  If you’re planning to enable this feature, have you sent out the “Don’t keep your cellphone in your laptop bag!” memo yet?


Adobe Releases Updated Flash Player

September 20, 2010

As expected, Adobe today released an updated version of its Flash Player, which incorporates a fix for the recently discovered security vulnerability.   The new version, 10.1.85.3, is available for Mac OS X, Windows, Linux, and Solaris.  There is also a new version, 10.1.95.1, for the Android platform.  Further details are in the Adobe Security Bulletin [APSB 10-22].

If you are using a browser other than Internet Explorer on Windows, you may need to get two updates: one for your “other” browser (e.g., Firefox, Safari), and one for IE.

If you are using Google’s Chrome browser, the most recent version, 6.0.472.62, has this update included.

You can get the new version via the built-in updating mechanism, or from the download page.  I recommend installing this update as soon as you can.  The Flash Player is very widely installed across all platforms, which makes it a tempting target for the Bad Guys.


%d bloggers like this: