Google wave

I got mine, thanks Michael. Now I just need learn what I can do with it.

As far as I can tell I did not get any invites, at least not yet.

I wish the documentation was reading rather than video, but I'll deal with it.

Joe
 
His corporation has slightly different security requirements than a lot of corporations.

Unless Mr. Dager deals with classified/compartmentalized data, I wholeheartedly disagree.

Cheers,

-Andrew
 
Reading this after reading your Mobile use policies makes me scratch my head.

Honestly, SharePoint just flat out sucks. But it's in place in most places these days, so from the technical standpoint, it's pretty much a necessity.

I yearn for the day that someone comes out with a comparable solution that will work. Google wave might just do that.

Google Sites + Google Docs. Amazing stuff.

Cheers,

-Andrew
 
I'm not scratching my head over his comments. As we apparently cannot have both decent, intuitive web 2.0 functionality AND security, he defaults to security, as do most IT professionals I'd wager. The end user will continue to :mad2:

The security arguments are FUD, pure and simple. I'm not some rabbit on this subject - I've spent the past 11 months of my life working with security experts, lawyers, privacy experts, and senior business executives on this very matter. Unless your data has chain-of-custody requirements (a la classified/compartmentalized data), then the security issues are easily neutralized. HIPAA data, banking data, PCI data - all work with Google
 
The security arguments are FUD, pure and simple. I'm not some rabbit on this subject - I've spent the past 11 months of my life working with security experts, lawyers, privacy experts, and senior business executives on this very matter. Unless your data has chain-of-custody requirements (a la classified/compartmentalized data), then the security issues are easily neutralized. HIPAA data, banking data, PCI data - all work with Google

Interesting. So Google is willing to allow on-site audits of their data centers?
 
It bears mentioning -- this is for Google Apps, the messaging/documents/collaboration solution. Amazon EC2 is raw computing power, and, as such, has different tolerances for data retention. I can't speak directly to those, as I have not assessed EC2 in light of PCI and HIPAA.

Cheers,

-Andrew
 
It bears mentioning -- this is for Google Apps, the messaging/documents/collaboration solution. Amazon EC2 is raw computing power, and, as such, has different tolerances for data retention. I can't speak directly to those, as I have not assessed EC2 in light of PCI and HIPAA.

Cheers,

-Andrew
The biggest problem with PCI and cloud is the on-site auditing required. You can't have a credit card transit EC2 and be PCI compliant. You can build your app on EC2 and then have the credit card number post against another service, like Amazon's Simple Payment stuff, authorize.net, etc.
 
The security arguments are FUD, pure and simple. I'm not some rabbit on this subject - I've spent the past 11 months of my life working with security experts, lawyers, privacy experts, and senior business executives on this very matter. Unless your data has chain-of-custody requirements (a la classified/compartmentalized data), then the security issues are easily neutralized. HIPAA data, banking data, PCI data - all work with Google
Hmm -- what part of Google's App product would you use to handle credit cards and be PCI compliant?

You can't move card-holder data over Google App Engine.
 
Hmm -- what part of Google's App product would you use to handle credit cards and be PCI compliant?

You can't move card-holder data over Google App Engine.

GAE and PCI is an interesting case.

For customer service and other functions where CC#s may move over our Google Apps instance, we are using the Google Message Encryption package to secure any email that contains CC#s. Additionally, we implemented TLS within Postini with federated trading partners who we share sensitive data with.

Cheers,

-Andrew
 
The biggest problem with PCI and cloud is the on-site auditing required. You can't have a credit card transit EC2 and be PCI compliant. You can build your app on EC2 and then have the credit card number post against another service, like Amazon's Simple Payment stuff, authorize.net, etc.

I am starting to wonder if Google got an enterprise-wide PCI certification due to checkout. I don't know for sure, but I will have a team of Googlers on site next week. Since our PCI exposure is limited to customer service email and the like, our security analysis wasn't focused on the 'ecommerce' side of PCI. I also punted a note to our PCI compliance counsel to get some further insight.

Cheers,

-Andrew
 
GAE and PCI is an interesting case.

For customer service and other functions where CC#s may move over our Google Apps instance, we are using the Google Message Encryption package to secure any email that contains CC#s. Additionally, we implemented TLS within Postini with federated trading partners who we share sensitive data with.

Cheers,

-Andrew

I am starting to wonder if Google got an enterprise-wide PCI certification due to checkout. I don't know for sure, but I will have a team of Googlers on site next week. Since our PCI exposure is limited to customer service email and the like, our security analysis wasn't focused on the 'ecommerce' side of PCI. I also punted a note to our PCI compliance counsel to get some further insight.

Cheers,

-Andrew
I've noticed that a lot of folks assume that their cloud solution is PCI compliant -- because well -- it's Google or Amazon, right? right? Generally, wrong.

Things get a lot worse if you are moving credit card data on behalf of other companies. Not only do you have the PCI DSS requirements -- you also have additional requirements put in place by Visa or Mastercard, etc. Certain numbers of transactions require certain on-site audits.

I cannot imagine trying to move credit card data via e-mail while trying to keep that PCI compliant. Even worse on a cloud solution. Why would your customer service folks be moving sensitive data like that via e-mail?

I've never seen Google claim anywhere that their App products meet PCI. I have seen their engineers in IRC state that there simply is no way to pass CC data through Google App Engine and have it be compliant. Amazon has publicly stated PCI can't be met via EC2 if you pass data through EC2.
 
I have 4 invites to give out. Is anybody still waiting?
 
Unless Mr. Dager deals with classified/compartmentalized data, I wholeheartedly disagree.

Cheers,

-Andrew

Depending on one's point of view....well.... ;)
 
SAS 70 Type IIs for Google Apps Premier Edition customers.

SAS70 II means squat...if you know what a SAS70 II is (and I am assuming you do).

Sorry...but this "Google is secure" is pure horsecrap. There are a TON of regulations and requirements that simply make cloud computing difficult at this time. Not to mention control of WHERE one's data is stored as it relates to political boundaries and the laws associated with it.

Hell man I WISH it were that easy, then my work life would be SOOOOOOO much easier.
 
SAS70 II means squat...if you know what a SAS70 II is (and I am assuming you do).

Sorry...but this "Google is secure" is pure horsecrap. There are a TON of regulations and requirements that simply make cloud computing difficult at this time. Not to mention control of WHERE one's data is stored as it relates to political boundaries and the laws associated with it.

Hell man I WISH it were that easy, then my work life would be SOOOOOOO much easier.

Data location regulations are something Google can work with, if the deal is right.

SAS 70 Type II presents a reasonable third party assessment of the processes and controls within a facility. In my industry, that's enough.

I think we'll have to agree to disagree on the security front. I have had the privilege to meet and spend time with many senior Google technical staff - most discussions under NDA - but I can tell you that they have security down cold.

I'm also participating in debate panels with a large privacy and compliance law firm. Some people agree with me; others do not. Except for the .mil world, most IT professionals cannot, for absolutely certain, tell you where all of their data is. I've spent time in Financial Services, Healthcare, Energy, and other 'sensitive' industries and I've witnessed data leakage firsthand at many places.

To your point re: laws/policy, in some cases, you are right. But, I believe that our current technology state means that, unless you work in a VERY security focused firm, you are only complying with those laws through 'intent', and may still suffer leakage.

Cheers,

-ars
 
Andrew....I will go with that. We simply have to disagree on some level, but overall I do see what you are saying. Of course "intent" means diddly in a court of law or with a contract where you agree, with binding force of law, to protect client data.

I do work for a VERY security focused organization (and head of InfoSec) and can say this crap keeps me up at night. I just wish I had the answer (and if I did I would be a millionaire and NOT worrying about it! LOL)
 
Andrew....I will go with that. We simply have to disagree on some level, but overall I do see what you are saying. Of course "intent" means diddly in a court of law or with a contract where you agree, with binding force of law, to protect client data.

I do work for a VERY security focused organization (and head of InfoSec) and can say this crap keeps me up at night. I just wish I had the answer (and if I did I would be a millionaire and NOT worrying about it! LOL)

We should talk offline sometime.

Cheers,

-Andrew
 
If there are any invites left, joycelwilson at gmail dot com

Thanks!
 
I just got a Wave account, and once I figure out how to give out my invites, POA is welcome to them...PM me if you want some....

PS--Thanks Jason:)
 
We should talk offline sometime.

Cheers,

-Andrew

I would love to man...hell I wish you were in the area. We could grab some beers and share knowledge, I can tell you have a lot and your insights are indeed helpful.

I just get grumpy sometimes with all the competing, and sometimes, contradictory crap flowing from various governments and industries and their own version of "best practice" or regulation.
 
I would love to man...hell I wish you were in the area. We could grab some beers and share knowledge, I can tell you have a lot and your insights are indeed helpful.

For sure! But, given what you do, and what I do, I'm always looking to see "the other side" of what I believe -- especially since we're in separate industries, doing similar work.

I just get grumpy sometimes with all the competing, and sometimes, contradictory crap flowing from various governments and industries and their own version of "best practice" or regulation.

Sigh, as do I. Reactionary BS. I worked on HIPAA implementations in the early part of the decade, and was even a HIPAA compliance officer for an account my company had. The road to hell is paved with good intentions...

Cheers,

-Andrew
 