1
Google Apps and Your Data:
Five Potential Threats That Google Can’t
Defend Against, But You Can
A Complete Guide
Table of Contents
Introduction
3
Data Threat #1: User Error
4
Data Threat #2: Security Breach
7
Data Threat #3: Third-Party App Error
9
Data Threat #4: Rogue Employees
11
Data Threat #5: Google Error
12
Conclusion
15
3
Introduction
...Why should I read this?
This guide is for you if:
you’re running a Google Apps domain or
you’re thinking about running a Google Apps domain
and
you care about – how to put this gently –
not losing
every bit of priceless business data you’ve ever known
and loved!
Because, while there are dozens of really good reasons
to use Google Apps for your business (most of them
accompanied by giant dollar signs), there are some
legitimate risks associated with any software-as-a-
service (SaaS) application suite, including Google Apps.
It turns out
. You owe
it to yourself and your business to know how and why
Google can’t always protect your data, and what it takes
to protect that information yourself.
What’s so bad about Google? (Nothing)
We come here not to bury Google Apps, but to praise
them. In some respects, Google Apps is the safest
productivity suite in the world. In fact, our research has
shown that
Google has literally never lost customer data
.
the brim with customers who have lost data, never to see
it return. So what gives?
Google doesn’t lose data on its own, Google is told to
delete data. Most of the time, those deletion commands
are legitimate. Far too often, Google is told to delete the
wrong data, or the wrong person or program is issuing
instructions to delete your information.
4
Google Apps has no way of distinguishing between
legitimate and illegitimate deletions. Moreover, Google
is actually a fairly scrupulous organization – they preach
“don’t be evil” as a credo – so when you tell Google to
permanently delete data, they actually, truly, permanently
delete it. No take-backs, no do-overs.
The odds of Google deleting your data are practically
zero. The odds of you permanently losing Google Apps
data through no fault of Google’s are terrifyingly high.
People mistake Google’s near-infallibility as meaning they
can’t lose Google Apps data. Nothing could be further
from the truth.
Will there be techno-jargon? Or math?
This ebook discusses the likelihood of your Google
Apps domain losing data, and how much those losses
could cost your company. However, this is an ebook
designed to provide an overview so where we’re light on
the math or techno-speak, we’ll point you to the right
supplementary whitepapers or tools that do the deep-dive
on numbers.
5
Data threat
#1
: user error
What is user error?
Think of user error as the “deadly oops” – a simple,
honest mistake with disastrous consequences. According
to a recent Aberdeen report
Problem You Didn’t Know You Had”
from an application like
Google Apps.
User error falls into two general types: accidentally
deleting information, or intentionally deleting data only to
need it later.
a Gmail message when you thought you archived it.
as the deleted message will still be in your Gmail trash.
After a month, Google will delete it permanently.) The
same holds true for Drive documents. Calendar events
and Contacts entries, however, have no trash folder from
which you can rescue mistakenly deleted data. A simple
slip of the mouse or misunderstanding of how Google
Apps works could lead to a major loss of business data.
In the second case, you or a colleague could erase
a document or message you were certain was no
cannot be restored. This happens often when projects
end or employees depart; shared data gets deleted
because the owner is done with it, never suspecting that
someone else in the organization still has a need for the
information. Occasionally, that “someone else” is very
scary and very important, like the IRS or an industry
regulator. These groups don’t tend to accept the “Google
ate my homework” excuse.
Reasons for
47% End-user delete
17% Employee over-wrote data
13% Hacker delete
10% Ended SaaS and Lost data
7% Malicious delete
7% Application over-wrote another
% of Survey Respondents
n=123
Source: Aberdeen Group January 2013
6
Why Google can’t stop user error
Google can’t protect you from yourself. You told Google
Apps to delete data, and Google did what you asked. To
abuse an analogy, even the safest car on the road will
suffer damage if you absentmindedly drive it into a wall.
What user error can cost you
Most of the time, an accidental deletion involves a single
item. Our research suggests
worth about $2.11 and the average document is worth
, based on the time and money needed to
recreate the lost data. The average user deletes a critical
item roughly three to four times per year. That means in
any given year, you could lose as little as $6 to well over
every user on your domain.
How to defend against user error
A “no deletion” information policy is the best place to
start in defending against user error, as it should answer
the “should I purge this or keep it?” question every user
is supposed to ask before clicking the delete button.
Unfortunately, not every user bothers to ask that question
before gunning zealously for an empty inbox.
Regularly scheduled third-party backups of your Google
Apps data are your safest protection against user error.
The best way to keep your data out of harm’s way is to
keep a copy of it where it can’t ever be deleted.
Google is very good at avoiding their own
errors. And chances are, they won’t loose
your data.
But there are some situations where Google
can’t help.
You’re working on a group project and
want an old version of a chart you
created. Your teammate thought it was
no longer needed and deleted it.
Your boss scraps a project you
started, so you delete your work.
A few months later, it’s revived but
you’re back at Square 1.
A teammate left the company
to pursue another opportunity.
He deleted all his information
before he quit.
Your password was too obvious and
your account was hacked!
A colleague left for vacation but you
need their presentation now.
#1
#2
#5
#3
#4
Top Ten List:
when cloud-to-cloud
backup will save the day
7
Data threat
#2
What is a security breach?
A security breach occurs anytime someone you don’t
want to gains access to your Google Apps domain. If
anyone other than one of your users signs into one of
your Google Apps accounts, that’s a security breach.
There are two kinds of security breaches: a “hard” breach
and a “soft” breach.
A hard breach occurs when the software itself is
compromised. Hackers have found a way to get around
your defenses and get at your data. While Google
hasn’t suffered any major publicized hard breach, past
performance is no guarantee of future success. In fact,
do a
Google search on the phrase “zero day exploit”
then see how well you sleep at night. Or, for that matter,
show your users a list of the most popular easily guessed
passwords and see if their faces go pale with recognition.
A soft breach occurs when an attacker tricks one of
your users into granting him “legitimate” access to your
Google Apps domain. These techniques are known as
where the attack focuses on people
rather than technology. The most common form of soft
breach is caused by phishing, where users are duped into
revealing passwords by way of emails or web pages that
are designed to look like “real” login screens. It happens
so often that Gmail has its own
Why Google can’t stop security breaches
When it comes to hard breaches, Google has so far been
very successful. Unfortunately, there are no real software
defenses against soft breaches. It doesn’t matter how
sturdy the lock is if you give a burglar the key, and soft
breaches are always about convincing you to let attackers
in so that they don’t have to deal with Google’s highly
effective security measures.
source: SplashData 2012 list
passwords
1. password
2. 123456
3. 12345678
4. abc123
5. qwerty
8
What security breaches can cost you
If a hacker obtains an account password, he or she
can effectively corrupt or delete all the data in that
account.
The average Google Apps user generates just
, based on the
time required to recreate the information. The average
Google Apps account is three years old, so a hacker
compromising even a single Google Apps account can
That “report phishing” button seems a lot more useful
now, doesn’t it?
How to defend against security breaches
The best bang for your buck in preventing security
breaches is actually training your Google Apps users
on security best practices. Simple things like “don’t tell
anyone your password, ever” and “check the web address
of any page that asks you to log in” can stop the vast
majority of social engineering attacks. You’d be surprised
at how many users – even very technically sophisticated
ones – don’t know these basic rules.
Beyond bringing your staff up to speed on good
Internet safety habits, implementing Google Apps’ own
security features is a pretty good idea. Google Apps
administrators should have backup email accounts
and phone numbers in case their primary account gets
locked out or compromised. All Google Apps users
should be required to use strong passwords. Two-factor
authentication, which requires users to input both a
password and a time-sensitive code to log into Google
Apps, renders even stolen passwords useless.
You just saved a new email
attachment and accidentally over-
wrote an important document.
An employee knows he’s going to
information before he leaves.
There is a legal hold for compliance
reasons and you can’t access the
presentation you are about to give.
Google is temporarily down for server
maintenance, but you need your
document now.
A student purposefully deletes his
homework and tells the teacher that
Google ate his homework – yes, this
has actually happened.
#6
#7
#10
#8
#9
Top Ten List Continued
9
Data threat
#3
What is third-party app error?
Third-party applications are any software that isn’t made
by Google but which gets installed on your Google Apps
domain. In other words, pretty much everything in the
. The project management
application that connects directly to Google Calendar, the
CRM suite that manages information in Google Contacts,
or the accounting system that builds and populates
spreadsheets and reports in Google Drive are all classic
examples of third-party applications.
incorrectly or aren’t employed according to the developer’s
directions. (It’s almost comical how often cries of “your
app deleted all my data” are followed by “the setup guide
stated ‘if you do X you’ll overwrite existing data.’”) Google
cannot and does not guarantee that the third-party apps
in its Marketplace are foolproof. Like any software, third-
party Google Apps products occasionally have bugs, and
even the ones that don’t are often quite easy to misuse.
The danger lies in the amount of access these applications
have to your Google Apps data.
When you install third-party apps on your Google domain,
broad – set of permissions. If a project management app
can add events to your Google Calendar, it can also delete
those events – or populate them with nonsense data that
renders your schedule unusable. Similar problems can
befall applications that manipulate Gmail, Google Drive,
Google Contacts or Google Sites.
Why Google can’t stop third-party app errors
Just as Google can’t tell good commands from bad ones
when they come from individual users, Google is blind to
correct and incorrect instructions from third-party apps.
For all Google knows, you actually want your CRM app
to delete all your existing contacts and start fresh, or
massively rearrange the folder structure of your Google
Drive. Only you know the difference and odds are you
damage.
What third-party app error can cost you
You can sum up what’s at risk with third-party application
errors in one word: Everything. Third-party app error is
amongst the most dangerous threats to Google Apps data
because third-party apps can touch an entire service or
party app still moves at the speed of an app, which means
domain.
While most applications don’t touch all your Google Apps
data, some do, and all of them can affect enough of your
critical business information to do serious damage not just
to Google Apps, but to your entire business.
How to defend against third-party app error
Again, the best defense here is to have a copy of your data
where third-party applications can’t reach it. A secure,
independent backup of your Google Apps domain data
means that even if a malfunctioning third-party app does
overwrite, corrupt or delete your Google Apps domain data,
you’ve still got a fallback copy you can rely upon.
(It should be pointed out that third-party backups are, by
the same read/write permissions that make other apps
dangerous. The key to evaluating a good third-party
backup and restore application is to ensure it performs
non-destructive restores. That’s the technical term for
restoring data without overwriting existing data. A good
third-party backup app will restore a backup copy of a
Google Drive document alongside an old one, rather than
paving over the data in place. If a backup and restore app
is limited to non-destructive restores, it can’t harm your
existing data.)
11
Data threat
#4
What is a rogue employee?
Imagine user error that isn’t accidental; that’s the
threat of a rogue employee. While some disgruntled
users make headlines for violent acts against their
co-workers, the vast majority of revenge-seeking
their managers or sabotaging company computer
systems.
Typically, rogue employees damage Google Apps
domains in cases where domain administrators can’t
or don’t know to lock the departing employee out
termination. When the departee returns to clean out
his desk, he can also clean out his Gmail inbox (full
of vital client emails), Google Drive (home to several
shared, irreplaceable sales spreadsheets), Contacts
Calendar (where delivery schedules are maintained).
a domain before leaving for another job, or simply
because they feel slighted by your organization.
Regardless, imagine all the damage random user
who knows exactly what Google Apps data your
company can least afford to lose.
Why Google can’t stop rogue employees
We’ve said it before and we’ll say it again: Google
can’t distinguish between “good” employees and
“bad” anymore than it can distinguish between
intentional or accidental commands. If someone with
legitimate access to your Google Apps data wants to
do it harm, there’s nothing Google can do to stop it.
Email message
$2.11
Appointment
$12.07
Contact
$12.07
Document
$217.20
source: How to Calculate the
ROI of Google Apps Backup
(Backupify, October 2012)
12
What a rogue employee can cost you
Much like a security breach, a rogue employee can
delete all the data in a single Google Apps account.
A typical Google Apps user creates approximately
average Google Apps account is three years old,
deleting a single Google Apps account can eliminate
How to defend against rogue employees
The most effective defense against rogue employees
is also the easiest:
or suspend an employee’s Google Apps account
should be the HR department, followed by the
Google Apps administrator, then followed by the
employee. Any other order gives the employee time
to do damage to your data before his or her access is
suspended.
Data threat
#5
: Google error
What is Google error?
We began this ebook by asserting that Google has
never lost customer data.
That’s true, Google has
never permanently lost or destroyed customer data.
Google has, however, denied its customers access to
their data for long periods of time.
There are two major types of Google errors: service
outages and erroneous account suspensions.
Service outages are pretty straightforward.
Occasionally, some percentage of Google’s
customers will simply lose access to some or all of
their Google services. It isn’t a daily occurrence, but
Google Apps User
1. Change the departing
user’s password
2. Download a Snapshot of the
User Account for Safekeeping
3.
an Account “Executor”
4.
the Departing User’s
Vacation Auto-Responder
5. Delegate Access to the
Departing User’s E-mail
6. Transfer Ownership of the
Departing User’s Google Docs
7. Add the Departing User’s Contacts
to the Google Apps Directory
8. Delegate Access to the Departing
User’s Calendars
9. Transfer Ownership of the
Departing User’s Groups
10.
the Departing User’s
Non-Core Google Apps Services
11.
a Calendar Reminder For
Yourself to Delete the Departing
12. Delete the Departing User’s
Account
13. Create a Group With the Same
Mail Address As the Deleted User
13
it happens often enough that Google maintains a
in most of its major products.
Gmail users were locked out of their accounts for
nearly an hour. That seems like a small number until
so approximately 2.3 million people could not reach
their inboxes that day. These outages are generally
brief, usually lasting only minutes, but in some cases
– like the infamous
for days.
A much more common form of Google error is the
account suspension. Google reserves the right to
suspend or terminate, without notice, any Google
account at any time. It’s right there in the
your Google Apps users is violating its terms, it
clause is there to ensure that Google Apps accounts
aren’t used to support criminal activity or actions
that could harm Google’s systems – like running a
spam operation off your Gmail account, or using
Google Checkout transactions to launder money –
questions later.
It’s in Google’s best interest to preemptively lock up
accounts for suspicious activity while it investigates
threats. There are documented cases of this process.
It can take days to unlock accounts, as the burden
of proof is on you to convince Google your account
isn’t secretly harboring criminal data. Again, these
instances are generally rare, but they are common
enough that you need to prepare for them as part of
your business continuity plan.
14
Why Google can’t stop Google errors
Google isn’t trying to cause errors, but when
accounts, even a miniscule error rate can result
in dozens, hundreds, or thousands of wronged
customers and gigabytes of misplaced data every
day. Google can’t protect you from yourself, and
Google can’t always protect you from itself, either.
What Google errors can cost you
The actual cost of Google errors are, frankly, almost
impossible to calculate because eventually, everyone
gets their data back. The cost of data lost to Google
errors is based on opportunities and productivity
lost when your organization is denied access to your
having access to your Gmail inbox in the middle of
a client negotiation, or the loss of an accounting
spreadsheet in the midst of a tax audit?
How to defend against Google errors
Every user on your Google Apps domain should
set up account recovery options, which allow you
to list a mobile phone number and alternate email
address, which Google can contact to verify your
identity. If Google suspects your account has been
hijacked, this is where it will send alerts and begin
the process of returning control of your Google Apps
account. Accounts that don’t have recovery options
set up face much longer roads back from account
suspension.
There is no Google setting to defend against a
Google outage. The only remedy for a lack of access
to your Google Apps domain is a backup copy
of Google Apps data. With an adequate backup,
you can still refer to and act upon your business
information – look up emails, download documents,
check calendar schedules – even when Google Apps
itself isn’t accessible.
15
Great, now I’m afraid to use Google Apps
Don’t freak out, Google is still among the safest places on
earth for your business data. Seriously. Still, to return to
our previous car analogy, even if you buy the safest car
on the market and follow all the rules or the road, you still
want a few bits of safety gear close at hand.
Nothing in this report should stop you from driving
Google Apps off the dealer lot. You should, however,
make sure you’ve got the computer-security equivalent
in the glove box, and your insurance card in your wallet.
Also, you may want to give your users some driving
lessons before letting them loose on the information
superhighway.
So, about that math you promised
similar mathematically inclined personalities out there, we
have a couple of options. First, there’s our whitepaper on
How to Calculate the ROI of Google Apps Backup, which
offers hard numbers from our own research on how much
your data is worth, how likely you are to lose it, and how
much you should pay to keep it safe.
For the abbreviated version of this exercise, we
recommend our
based on your unique data and income. Just log in, grab
your Gmail data and you’ll learn just how much money is
tied up in your inbox.
16
So what’s the bottom line?
Don’t put all your eggs in one basket. Your Google Apps
data needs a third-party backup, period.
Even if you enable all of Google’s security settings, train
your staff well, and observe all the industry best practices
– and, yes, all those old-school on-premise best practices
still apply to data stored in the cloud – it still isn’t a good
idea to have all your irreplaceable business data in one
place. A secure second copy of Google Apps data means
that no matter what Google or hackers or your own
employees do to your Google Apps domain, a copy of
your Google Apps data is kept safely somewhere else.
About Backupify
to-cloud backup solutions let IT departments maintain
control over critical company data by providing a secure,
second copy that’s always available on-demand. Daily
automated backups let companies easily restore lost or
Apps and Salesforce.com, as well as quickly and easily
export important data for compliance or data accessibility
reasons.
For more information, please visit
or follow
on Twitter.