Or How Device Authentication Could Get Google More
Office in the Clouds
Google’s product suite for office productivity is fantastic.
It provides all the expected stuff … word processing, spreadsheets, email, calendar, wiki, search, presentation slides, survey forms, instant messaging and video conferencing, archiving and ediscovery, and …
Here’s what it gets right:
- Pure Web - the entire product suite works through any modern standards compliant web browser - on any device, form factor, operating system, or vendor. You’re not locked into Internet Explorer and Windows. And unlike Microsoft Office 365, Google’s web interface is the primary product, not a poor second cousin with a crippled user experience.
- Single Version Of The Truth - Your documents are stored in the cloud. And you work on them at source. You don’t have uncontrolled copies or versions floating around - a massive information management and security weight lifted from your shoulders.
- Low Maintenance - The entire product suite is intentionally designed to be simple to manage - adding users can be done by clicking a few buttons. You don’t have the technology and infrastructure complexity (risk, cost) of Active Directory or Exchange Server. You don’t need expensive skills - you can genuinely get started in minutes. And it very rarely goes wrong - it just works. That’s why startups love it.
- Price - it’s cheap as chips. £3.30 per user per month for the basic business service. £6.60 for unlimited storage and ediscovery. No hidden costs like Active Directory, Sharepoint and Exchange seats.
- Interoperability - Google plays nicely with open and common document formats which helps you to work with others. They’re not trying to suck you into their file format - there isn’t one. They do their best with the unfriendly obscure proprietary Microsoft formats.
- Security - Google’s infrastructure and operations are trusted by many serious organisations including governments, and there is some independent assurance of their security. Google has vastly greater budget and expertise for securing services than almost any other organisation. The incentives for Google not to screw this up are astronomical. But there is one problem ….
Security Includes That Device
Google does a great job of securing the data in its cloud infrastructure.
Google does a great job of securing data as it travels between your device and their infrastructure, using browser TLS.
Google does a great job of assuring the right user is accessing the account - with 2-factor authentication made super easy and super cheap.
But Google, like Microsoft’s Office 365, has a huge gap - the services themselves don’t prevent unsafe devices accessing them.
You can have the right user, with the right 2-factor authentication, using a browser with TLS encrypting traffic across the internet, working on data that is as safe as houses inside Google’s infrastructure. But you can have all this with a compromised, hacked, malware-ridden device. A device watching your keystrokes, or taking screenshots of your data, or subverting your information in the cloud to which you’ve just opened an authenticated channel.
Super Simple Fix
The fix is super simple - use browser certificates to authenticate the client device to the Google service.
This is not a new idea.
When you do online banking, for example, you see the padlock next to the website address at the top of your browser. That shows your browser has asked the banking website to prove it is who it says it is, and is happy that the returned certificate checks out - by checking with the trusted certificate issuing authority.
There is no reason Google’s service can’t then ask your device for a client certificate to prove it is a pre-approved device.
The beauty of this method:
- No New Software - doesn’t need new software to be installed by the client. It works with any modern standards compliant browser.
- Established - is a tried and tested technology that has been in use for donkey’s years.
- Lightweight - it doesn’t disrupt or slow the user experience. No need to connect to a specific VPN which authenticates your device.
- Great User Experience - because users don’t notice this invisible security mechanism. There is nothing to remember or codes to enter.
- Optional - device authentication can be configured optionally for those users or businesses that want it.
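A sketch of the server side of this idea, added here as an illustration and not code from Google or from the original post: the TLS layer asks the browser for a client certificate, and the application then enforces device authentication only for domains that opted in. The domain names, the enrolment table and the function names are hypothetical.

```python
import ssl

# Hypothetical policy data: domains that opted in to device authentication,
# and the certificate serial numbers issued to their enrolled devices.
DEVICE_AUTH_DOMAINS = {"example.org"}
ENROLLED_DEVICES = {"example.org": {"0A1B2C": "laptop-042"}}


def make_server_context(cert_file=None, key_file=None, device_ca_file=None):
    """TLS server context that asks the browser for a client certificate."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # CERT_OPTIONAL: a certificate is requested, and one that is presented must
    # chain to the device CA, but clients without one can still connect.
    ctx.verify_mode = ssl.CERT_OPTIONAL
    if cert_file:
        ctx.load_cert_chain(cert_file, key_file)
    if device_ca_file:
        ctx.load_verify_locations(cafile=device_ca_file)
    return ctx


def device_allowed(user_domain, peer_cert):
    """Decide after login whether this connection's device may proceed.

    peer_cert is what SSLSocket.getpeercert() returns: None when the client
    sent no certificate, otherwise a dict describing the verified certificate.
    """
    if user_domain not in DEVICE_AUTH_DOMAINS:
        return True, "device authentication not enabled for this domain"
    if not peer_cert:
        return False, "no client certificate presented"
    serial = peer_cert.get("serialNumber", "").upper()
    device = ENROLLED_DEVICES.get(user_domain, {}).get(serial)
    if device is None:
        return False, "certificate is not an enrolled device"
    return True, "enrolled device " + device


# Constructed sample in the shape getpeercert() returns.
SAMPLE_CERT = {"subject": ((("commonName", "laptop-042"),),),
               "serialNumber": "0A1B2C"}

if __name__ == "__main__":
    print(device_allowed("example.org", SAMPLE_CERT))
    print(device_allowed("example.org", None))
    print(device_allowed("other.example", None))
```

Requesting the certificate at the TLS layer and enforcing it per domain in the application is what keeps the check optional: users in domains that have not enabled it connect exactly as before.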
The references below show you how to do mutual TLS authentication for web services.
One M.. Billion Dollars
Right now this gap in security means many enterprises are not using Google for Work - especially those that do security properly and care about unsafe devices.
And the ones that are using it are having an unhappy, painful, expensive and clunky experience trying to abuse Single Sign On (SSO) by third parties to do this additional device check. An ugly hack.
It would be trivial for Google to implement browser client certificate checks - cheap, easy and in line with their design goals for user experience and self-service. They already manage SSL certificates for custom domains across their App Engine products.
So Google, if you do this, I’ll only ask for … one mil.. billion dollars!