Corporations Urged to Ban Latest Tech Toy

Two analysts issued independent warnings suggesting Google's Desktop Search tool -- released in October -- poses security risks for the enterprise. The most significant threat is when desktop search is used while connected to a virtual private network (VPN), according to Dana Hendrickson, an analyst with VPN Central.

In a similar alert issued to Meta Group clients, analyst Timothy Hickernell wrote, "Companies must be aware of potential security risks posed by enterprise installation and must adopt appropriate end-user guidelines, based on testing within standard corporate end-user environments."

Google Desktop Search lets users search documents, spreadsheets, e-mails, instant messages and Web pages that have been visited by that PC. To enable this, it creates cached versions of Web content -- which could include sensitive corporate information stored on servers and accessed via a Web interface.

A Google spokesperson said the company was looking into it.

Enterprises often allow mobile workers to connect to the corporate network using secure VPNs via their home computers, hotel business centers, customer site or Internet kiosks found at airports and cafes.

Hickernell said that if the person who downloaded the desktop search tool has administrative rights to the local machine, the tool also could search any drives attached to the machine, for example, a departmental drive or server. When the tool indexes local files, it will index the remote files as well, if the PC is connected long enough.

Then, he said, "Another user can come behind you and see the cached copy of the content."

Google Desktop Search does ask users on install what kinds of files should be indexed. They can omit their Web histories and also secure HTTPS pages. They also can change the options at any time after install.

Hendrickson said because desktop search makes finding things so easy, people will tend to use it more, greatly increasing the amount of formerly remote information that's now cached on the desktop.

"Any time you provide a tool that makes it convenient to move information, people will move more of it," Hickernell told internetnews.com . He noted that, while the desktop may be the next battlefront in the search engine wars -- it is also a new front in the battle for corporate security.

Microsoft's MSN and Ask Jeeves have promised to release their own desktop search tools before the end of 2004, and Hickernell believes Yahoo will follow suit. There also are several standalone products on the market. While these apps are targeted to consumers, Hickernell said, corporate users will inevitably download them.

Hendrickson's warning came attached to a product release from Whale Communications, a secure VPN vendor. Whale said its remote access product will let corporate IT managers detect whether the Google Desktop Search tool is running -- and kill it.

"For our clients, many of whom are Fortune and Global 1000 enterprises, security is paramount. They can't afford to leave cached information behind," Daniel Steiner, Whale's president, said in a statement.

Whale said it had identified ten more desktop indexing tools that pose security risks by caching confidential information. The company didn't list them, but said it's working to upgrade its gateways to add the detection and kill features.

"Corporations need to get ahead of this," Meta Group's Hickernell said. "They need to test these tools and be aware of the security implications with Google Desktop Search."