Slashdot Mirror
Can We Abandon Confidentiality For Google Apps?
An anonymous reader writes "I provide IT services for medium-sized medical and law practices. Lately I have been getting a lot of feedback from doctors and lawyers who use gmail at home and believe that they can run a significant portion of their practice IT on Google Apps. From a support standpoint, I'd be happy to chuck mail/calendar service management into the bin and let them run with gmail, but for these businesses, there is significant legal liability associated with the confidentiality of their communications and records (e.g., HIPAA). For those with high-profile celebrity clients, simply telling them 'Google employees can read your stuff' will usually end the conversation right there. But for smaller practices, I often get a lot of push-back in the form of 'What's wrong with trusting Google?' and 'Google's not interested in our email/calendar.' Weighing what they see as a tiny legal risk against the promise of Free IT Stuff(TM) becomes increasingly lopsided given the clear functionality / usability / ubiquity that they experience when using Google at home. So my question to the Slashdot community is: Are they right? Is it time for me to remove the Tin Foil Hat on the subject of confidentiality and stop resisting the juggernaut that is Google? If not, what is the best way to clarify the confidentiality issues for these clients?"
..the google apps contract is fine. IAAL and i use google apps for all my stuff. i DO maintain a separate backup but everything goes on google. the bar is also fine with it.
If you are in an industry where your internal communications/documents/etc should or must remain confidential, than you cannot trust Google Apps as your free platform for email/document creation/document storage.
If you don't mind the possibility that the world may get your data, then by all means feel free to use Google, or any other SaaS type offering.
09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0
Confidentiality is very, very important to businesses and individuals, even more so in the Internet age. One of the reasons to continue to operate your own infrastructure, no matter what the current hype is.
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
immediately squelch any such thoughts.
"I don't know, therefore Aliens" Wafflebox1
From here: http://docs.google.com/support/bin/answer.py?answer=82366&ctx=sibling
"
Privacy and security: Understanding section 11.1 of our Terms of Service
Print
We've received questions over time about the meaning of section 11.1 of our Terms of Service. We realize that for those not familiar with legal agreements for services that use the Internet, these terms can look confusing, or even frightening.
The first thing to understand is that this language doesn't give Google ownership rights to your data. You, and you alone, own your content. Whether you wish to keep your content totally private, or share it with the world, that's your choice.
However, in order to honor this choice, Google Docs needs permission to display your content as you see fit. This is what we mean by a "license to reproduce." We need to ensure that when you click the "Publish document" button, or use the "Invite collaborators" option, we have the license to carry out your wishes. It is this agreement, between Google Docs and you, the user, that section 11.1 of our Terms of Service reflects."
Why would you even chance it? That's their EXISTING terms of service, but as always, those terms are subject to change without notice.
I can't imagine that HIPAA would allow this.
Sent from your iPad.
It might be an acceptable compromise. The same clients considering Google Apps are 99.999% likely to have a non-existent or ineffective backup/archiving system, lack the expertise/cash for sysadmining Microsoft enterprise apps and would probably benefit from being able to log in on multiple machines to access their data. All strategies involve risk - if you veto Google, they may be missing out on the best compromise solution. YMMV.
This is slashdot, not legaldot.
That being said, your writeup sounds like you're a contractor/have your own company. If that's the case, the best you can do (Outside of telling your customers you aren't going to and being fired) is make very clear, in writing, what your opinion is, and get them to sign off, in writing, that they are responsible and/or have another way for handling confidential info, etc.
I'm not sure if that's enough to cover your butt or not. See first sentence about this is slashdot, not legaldot. I would consult with a lawyer, preferably one that is not one of your customers.
Why does the story header appear *red* instead of the usual green? (Firefox 3.5 on Vista)
It does that when the story is brand spanking new, I think. It means you're getting the freshest of slashdot's offerings, rejoice!
You can't take the sky from me...
Tell them about what could happen, and that the risk may be low but not zero. Because data have been exposed through sloppiness before, not only through malice.
Then make sure YOU are not liable if they violate HIPPA or something similar. Either don't support their Google stuff or make sure you have documented that they use Google SAS against your advice.
C - the footgun of programming languages
If they wanna do it, they gotta get a lawyer--a lawyer who knows HIPAA. HIPAA compliance is a pain--and noncompliance can be very expensive.
Lawyer costs may even outweigh the Google savings
As a Paramedic, I can say that HIPPA is extremely strict and will, if violated, force your license to be questioned as well as cause fines to be pushed your way. Honestly, doing ANYTHING outside of a secured network or a patient care medium (i.e. Pyxis, Temsis) with privileged, confidential information will plant a bullseye on your back. It is just not worth risking it. I can guarantee that an expert data thief is going to be more skilled and knowledgeable at computers and networking than any physician I know.
Your role, as a qualified member of the IT staff, is to make the higher-ups aware of the risks. Do your due-diligence, tell them the data isn't secure (in person, in e-mail, and maybe even on paper), and remind them from time-to-time (using creative new analogies whenever possible). That's it, you've done your job.
The fact of the matter is, regardless what the policy is, and regardless what they all "agree" on, they're going to put sensitive information on the Web. You'd have to take away their Internet access and portable devices to prevent it, and even then, they'd just go home and use that.
Accept that the best you can do is educate them and provide alternatives.
I'd like to report them to the regulatory commission that enforces HIPAA rules.
Seriously, read up on HIPAA and get them to follow HIPAA rules, otherwise huge fines could be coming their way.
Just because a doctor hands out those privacy pamphlets doesn't give them the green light to ignore or circumvent the privacy and security rules. Claiming ignorance is not an option.
Get them off of gmail and google apps and put them on systems and networks that you can effectively apply controls too.
You have no control over the security and privacy controls in place within google apps thus you can't effectively satisfy the HIPAA rules.If they do not want to do an internal networks with servers, outsource it all to a data center that is HIPAA compliant and where you control the servers both physically and logically.
Good luck and hire yourself a partner or subcontractor that does HIPAA and SOX regulatory consulting. You could hire me but I'm $350/hr.
Amazon published a white paper about using their AWS platform with HIPAA compient applications: basic idea is to keep data encrypted until it is in memory, and encrypt it again before writing to persistent storage.
For Google Apps, how about using rich clients that decrypt data for viewing/editing, and encrypt it again before storing back on big table, etc.
Perhaps Google themselves would implement this as browser plugins?
Far as I know the Google Mini Enterprise comes with all of the apps you need.
And since it's a local server, I suspect it'd still qualify for your confidentiality needs the same way any other local server would.
When you click "Accept" on many EULA's you give up rights to privacy of your data to that company. What's the difference if it's hosted or not. Microsoft can just as easily have Exchange phone home with data as Google employees can read your mail. There's no difference. You just have to decide which company you trust most.
If an officer ever threatens to taze you, say you have a pacemaker.
We are a contractor for the Veterans administration. The VA insists that we comply with privacy issues strictly. Any communications that have patient information must be sent on encrypted secure systems. No open email servers/hotmail/gmail/whatever is allowed. Failure to comply with the privacy (detailed in the out of control HIPAA set of rules and standards) is punishable both financially and by being banned from contracting with the US federal government. As an administrator, I have to remind physicians that if they are caught transmitting identifiable information of our patients over unsecured channels, it may cost us our contract and may result in their being banned from seeing medicare/medicaid patients. Anyhow, that's my two cents on utilizing gmail or such for sensitive information.
It is not your job to educate them on their professional responsibilities. Odds are very good that you aren't competent to advise them on it, and it would arguably be a violation of their canons of ethics to take advice from you. Lawyers and doctors have ethics committees to field questions like these: refer your users to them.
In the interim, stand by your guns. If your users say they'll go to the ethics committee and they're sure they'll be exonerated, propose this as a hypothetical question: if you give privileged documents to an uninvolved third party, is the veil of privilege pierced? Yes or no? (The answer is usually "yes"; exceptions are rare.) So, if you give privileged documents to Google, is the veil of privilege pierced?
Don't give advice. Just ask questions, and whatever you do, don't give in.
Some stories are red to show that they were posted by a communist.
signature is pants
I think there are three classes of company for the purposes of this discussion:
If you trust shared hosting providers; you shouldn't care about the Google employees who can access your data
If you trust managed hosting providers like Rackspace, particularly if they're hosting virtualised servers for you; you probably shouln't care about Google employees with access to your data.
If you don't trust managed hosting providers; well you're probably not reading this from the office, and Google Apps doesn't get a look in.
I'd say most companies fall into the second.
I don't understand what "possibility" has to do with it. Your data could "possibly" be exposed if you have your own infrastructure.
A more relevant question is probability. Is there additional exposure through using Google? Are Google internal security practices likely to be better than yours? If you are a small shop outsourcing your IT services anyway then why is Google worse than some other party?
Boffoonery - downloadable Comedy Benefit for Bletchley Park
Source: http://www.google.com/support/forum/p/Apps%20Partner/thread?tid=4d6f74d03de056c7&hl=en
Answer to your question.:
PeteGriffin@Google (Google Employee) + 3 other people say this answers the question:
From a sales standpoint, I would recommend turning the question around and asking them what steps they are currently taking to be compliant with the relevant compliance-acronym (HIPAA, SOX, FERPA, PCI, etc). Understand what steps they currently take to be compliant, and what their current solution is. You'll be able to quickly discover if it's a real showstopping requirement and be able to move on, if it's something that can be addressed by Google Apps... or if they are horribly un-compliant and they're hoping that Google Apps will solve all of their problems (and more!).
No solution by itself is going to be the silver bullet; organizations (especially small and medium businesses) have extremely varied IT infrastructure and policies, with information flowing in different ways for different reasons. Google doesn't certify or identify Google Apps as being compliant with any specific set of regulations. It's really up to the organization to determine if a solution meets their compliance needs for their specific situation.
Google Apps has a very impressive set of features that are extremely helpful when dealing with prospects with compliance needs. The Postini component of Google Apps (referred to as Google Message Security) allows for very granular control of email content (in and out). There are additional email archiving and retention components available. Google Apps is SAS 70 Type II certified. We have also made a good deal of information available about Google's security policies when it comes to our network of data centers through a hefty white paper.
If anyone has experiences dealing with situations like this, please feel free to share your thoughts. Tony Safoian over at SADA Systems has some good thoughts around this:
http://www.google.com/support/forum/p/Apps+Partner/thread?tid=2ce6b0904f65ac44&hl=en
But google is. They place ads based on the content of your emails (i.e. I get SVN commit messages, and lo and behold ads for SVN related stuff on the side bar). So at a bare minimum they have automated processes reading all your emails, extracting meaning from them and displaying ads to you.
Wouldn't Google be more likely to keep on top of software updates and security threats than a small, local hosting company who are figuring it out as they go? Hosting one's email with a local company or at one's own office may open a person up to more risk of being hacked than simply letting Google manage it.
Agreed. Also online aps are more-expensive longterm. For example I purchased Microsoft Office 97, and I'm still using it 12 years later, which is an annual cost of just ~$12. Online aps have significantly higher fees than that.
There's also the advantage of owning the software. If for example you develop a design, you can archive both the design and the tools so they can still be used 15-20 years from now and "resurrected" from the basement. You can't do that with online aps which are constantly updated with no way to "freeze" a tool at a certain point.
"I disapprove of what you say, but I will defend to the death your right to say it." - historian Evelyn Beatrice Hall
That would never work for our military projects. Everything has to stay within the building's walls, including email.
"I disapprove of what you say, but I will defend to the death your right to say it." - historian Evelyn Beatrice Hall
No matter how ironclad the agreement or how draconian the penalties your data will still be public. Sue Google into non existence and well your data is still public.
Without physical security there is no security.
If you don't own the box and control access yourself there is no physical security.
Agreed. Also online aps are more-expensive longterm. For example I purchased Microsoft Office 97, and I'm still using it 12 years later, which is an annual cost of just ~$12. Online aps have significantly higher fees than that.
.
Do you really think it's wise or responsible to be using a piece of closed-source software (and one not known for its security, to say the least) so many years after the vendor has stopped supporting or releasing patches for it, and for which known exploits are in the wild?
.
In what way does, for example, Google Apps Standard Edition ($0/year), cost more -- either up-front or in the long term?
.
Do you not think using current tools at the time to produce a file, then ensuring the file is stored in an industry-standard open file format (such as ODF, RTF, plain text, HTML, TeX, or PDF -- or even better, more than one), is an acceptable archive, without needing to also archive a copy of (or later run) a dated (and bug-ridden and proprietary, in this case) application along with it -- which may not even run on machines "15 or 20 years" later, as you mention?
Once something is on Google, the up side is: any computer with internet access can log in and access it. The down side is the same: any computer with internet access can log in and access it.
If something is on your internal network, that already puts a bit of a limit on who can access those files. It's not bulletproof, and you can still get rooted, but it's a limit. The average Tom, Dick and Harry are as good as physically separated from that data, even if they can guess your password.
Once that stuff is on Google, essentially anyone who can guess your password is good to go.
For example, you only need one employee who uses the same password everywhere (it happens more often than you'd think) and has ever shared their home email password with their spouse, or their WoW account with the chinese guy who power-levelled it, or whatever. Or they only need the same password somewhere where you need to guess their mother's maiden name to get that password. (Again, you'd be surprised how many put the real maiden name there.)
Or some passwords are that easy to find out, because they're weak. People use their nickname, or pet's name, or whatnot as passwords all the time.
Some passwords aren't even kept secret. I know the logins for a local hospital _and_ the emergency medical service, without ever having worked there, just because the former was taped to the monitor and the latter was spoken out loud while I was there. And yes, apparently veryone there used the same. So every ex-employee knows those too. Plus any patient who can read or has ears.
So, ok, now you know a name and password for the hospital computers. Now what?
In a traditional IT scenario, they're only accessible from the internal network. Sure, you can try to sneak into a room and use their computer, but you can be caught, so most people won't. Sure, you can try to get them rooted somehow, but again most people wouldn't even know how.
Now move those files on Google, and you have a real extra problem. If that hospital ever moves its data to Google, every single patient who ever read the post-it on a monitor, can try it from their own home. No having to sneak anywhere, no risking that someone walks in on you, no l33t haxxx0r skillz needed. Just point your browser at Google, log in as a doctor, and read the medical data of everyone who ever used that hospital.
A polar bear is a cartesian bear after a coordinate transform.
which leads to
It would be a massive risk of confidentiality breaches. I would rather only have to trust the people working for the law firm to prevent a data leak than have to trust them and the thousands upon thousands of IT workers at Google. Legal files could easily become high-profile overnight, especially if there are special interests who think they can them as a case-in-point for whatever agenda they have; an IT worker at Google might be paid off to leak some files, and with so many IT workers, the chances of finding one who is corrupt or desperately needs money are fairly good.
Palm trees and 8
pgp is fine for a small practice to use between say the receptionist and the doctor. the problem with using pgp to obtain your confidentiality with respect to HIPAA is that emails sent from outside sources (e.g. patients) are subject to HIPAA as well, and unless you can convince all their customers to use pgp, that'll never work.
My advice for the original asker is to take a firm stand with your clients. If there is any way that they can pin the liability on you for recommending use of google apps or other online services they will when the lawyers come knocking. I suggest you strongly recommend against it, in writing, and keep that recommendation on file.
This comment is fully compliant with RFC 527.
Do you really think it's wise or responsible to be using a piece of closed-source software (and one not known for its security, to say the least) so many years after the vendor has stopped supporting or releasing patches for it, and for which known exploits are in the wild?
Word/Excel/Powerpoint? I really wouldn't worry about it, as long as they meet his needs. (Although, I'd consider giving OO.o a try.)
Outlook - yeah, I'd suggest he pony up for a new copy, or switch to something else.
In what way does, for example, Google Apps Standard Edition ($0/year), cost more -- either up-front or in the long term?
Lost productivity.
1) Lost productivity when the local ISP or some some intermediate router is down? Multiply by each user. (In a lot of places that's pretty significant. Lots of places suffer multiple hours of network down time / flaky internet every month.)
2) Lost productivity as your employees are clicking on google ads and browsing online when they should be working on that spreadsheet or word document, or simply lost productivity as the ads become insufferably intrusive and distracting.
Think about it... you are getting standard edition for "free". Google wouldn't do unless some non-trivial number of users is READING and CLICKING on those ads. If your secretary is working on a budget spreadsheet, and gets distracted by an google ad in the corner of her spreadsheet, gets distracted and clicks on it, and goes browsing for 20 minutes as a result... that costs you money. And THAT is PRECISELY what your beloved partner google is counting on. THAT is their entire business model. Give you the app for free, and then extract a profit by luring your staff to click ads instead of work.
Now you might counter that google ads are unobtrusive and easily ignored. That's true to a point, but I find adds in my productivity apps VERY distracting; far more than I do on the web. I personally won't use ad supported software, but don't find them nearly so distracting on the web. Maybe its just me... But face facts google is a multi-billion dollar advertising company as direct result of people not ignoring those ads. So the ads =DO= work. Maybe YOU don't click them, but SOMEBODY is. And every time they work on someone in your company they cost you money.
I don't object to google apps for home and noncommercial use, and their 'premium' stuff is ad free, as you are now paying them directly for service.
But a business owner who gets his staff to use standard edition? Its idiotic... what's next? Will you switch to "free" printer toner from the Jehova's Witnesses, and in exchange they'll have witnesses wander around your office to spread the good news?
Do you not think using current tools at the time to produce a file, then ensuring the file is stored in an industry-standard open file format (such as ODF, RTF, plain text, HTML, TeX, or PDF -- or even better, more than one), is an acceptable archive, without needing to also archive a copy of (or later run) a dated (and bug-ridden and proprietary, in this case) application along with it -- which may not even run on machines "15 or 20 years" later, as you mention?
What makes you so confident ODF will be readable in 20 years by Google Apps, or that a google apps will even exist? All ODF being a standard ensures is that you WILL be able to write something that can read it 20 years from now, because the specification is documented and public. There is no gaurantee google apps or anything else will run it 20 years from now. And if you are looking to archive ODF, you should probably make a point of storing something that can actually read it too, ideally along with its source, unless you want to gamble on having to implement something yourself from scratch 20 years from now.
Google apps doesn't enable you to avoid making your own backups, and if anything google apps, makes it slightly more complicated. Google apps could disappear tomorrow (unlikely in the immediate future, but possible, and who knows what the more distant future holds; companies have been shut off before), so not only do you need backups, but you should have some means of reading them too... because you can't rely on google apps being available or supporting the files.
Your walls mean nothing to us.
"Windows is like the faint smell of piss in a subway: it's there, and there's nothing you can do about it." - Charlie Br
operate your own infrastructure, no matter what the current hype is
Exactly. You should be digging trenches, laying fibre, and setting up entirely separate networks so that no email you send ever passes through a machine or a network or a cable accessible by a third party.
Having done a fair amount IT architecture work in the healthcare realm for the past 10 years, I can truthfully say that doctors are really cheap and look for ways to cut a dollar now at the risk of tens of thousands later. They are also early adopters of technology yet are basically clueless on how it works.
The cost of keeping an internal server plus vpn access for laptop use on an annual basis is a few hundred dollars. The cost of not having access to their records because of a fiber-seeking backhoe attack on their buildings access is hundreds per hour.
What _is_ the customer support number for Google if your Google Apps data goes missing? The doctors have your cell number and probably your home phone as well.
To Google, their account is one of thousands. To you, they are a car payment and maybe a few nights at the pub every month. Who is going to take care of them better, not cheaper.
The old mechanics saying comes to mind: "We do things 3 ways - right, cheap and fast. You get to choose two".
You forgot the other side of the coin:
Many people seem to believe that using something like Google Docs is just like using MS Office, but the reality is that it's fundamentally different in many ways. Nearly ubiquitous accessibility, collaborative tools, change history, backups, etc. The amount of productivity and work that saves alone is WAY more than any time you could lose due to advertising in my estimation. Your comparison is absurd and poorly thought out as well, because "getting toner from Jehovah's Witnesses does not give you any benefit other than getting it for free. Using cloud authoring software compared to personal software is COMPLETELY different for the reasons I listed above and others.
The fact is that neither one is REALLY better than the other, it all depends on the task at hand, as both approches have their strengths and weaknesses. If I'm just writing a quick letter, then I'm going to use Word or OO, but if the file itself is going to be used over an extended period of time, and especially viewed or contributed to by others, I find it makes more sense to use Google Docs.
Plus, I can't count how many times I've worked with a team on something and wound up using a Google Doc as what essentially amounts to a massive whiteboard to outline our plan of attack and add our ideas and solutions to the task at hand, as well as comment on others.
You have classified and unclassified networks. Classified networks don't touch the Internet, ever, in any way.
HIPAA requires ePHI to be protected both in transit and at rest (on disk). Google will tell you flat out that your data is not sufficiently protected (eg encrypted) at rest to qualify as being HIPAA compliant. Obviously you can use SSL during transit but that doesn't solve the whole equation. Google apps, flat out, are not HIPAA compliant, and google will be the first to tell you that.
Confidentiality is very, very important to businesses and individuals, even more so in the Internet age. One of the reasons to continue to operate your own infrastructure, no matter what the current hype is.
IAAD and I agree that confidentiality is extremely important, and health care professionals have a responsibility to safeguard PHI. However, I also think that IT admins have a responsibility to create an infrastructure that doesn't suck and that takes into account the needs of the people that actually need to use it. Because if it sucks bad enough, people will find a way to circumvent some of the safeguards in order to get their work done. Because it's human nature that getting one's work done is a more immediate need than theoretical concerns about privacy and confidentiality. So if you're going to develop an internal system, looking at what makes "the current hype" so popular might not be a bad idea.
For example, I work at a large county hospital/university system that has adopted groupwise. We are told that PHI is secure if sent through groupwise. However, besides the fact that groupwise is inherently sucky, they've made it extremely inconvenient for residents to use it. We cannot run the real client because we aren't allowed to have VPN access, so we have to use the web client, which has a horrible interface. It has a tiny storage allotment. They will not install the software that will allow it to work on the iphone. So, most people forward their groupwise email to their personal gmail or yahoo mail or whatever. Thus defeating the purpose of having the secure system.
Yes, it's wrong for the doctors to circumvent the security. However, I think it's just as wrong for the IT people to implement a system so crappy that people are driven to do this. Most doctors are thinking along the lines of "I have patients to take care of, I don't have all this time to spend fiddling with this crappy groupwise thing" not "let me violate HIPAA because I'm lazy."
Google apps, flat out, are not HIPAA compliant, and google will be the first to tell you that.
And your insurance company and their lawyers will be the second.
Actually, this is hardly surprising. HIPAA compliance is for the geeks to worry about, not the HARDCORE ER STAFF who's job is SAVING LIVES you INSIGNIFICANT LITTLE NOBODY! Did you ever SAVE A LIFE with your applebook? Huh? Didn't think so. Now get out of my way while I manage to infect our network with spyware and trojans even after repeatedly being warned about russian ring-tone sites.
Literalism isn't a form of humor, it's you being irritating.
1. Lost productivity due to forgetting the thumb drive with your work at home
2. Lost productivity due to your company's internal network going down
3. Lost work due to a hard drive failure
4. Lost work AND productivity due to computer theft
5. Lost work AND productivity due to accidental overwrite of a shared file on a network drive
6. Lost work AND productivity due to malicious code (viruses, trojans, et al)
7. Lost productivity due to most software's inability to provide a decent collaborative environment
2,3,4 & 6 all affect using google apps too, to precisely the same degree assuming you have even a half decent backup solution.
1 is offset by the internet / google going down
5 not an issue assuming you have a decent backup solution on the network drive
7 most documents aren't collaborative and what you gain in collaboration you lose in script and automation/workflow support
Using cloud authoring software compared to personal software is COMPLETELY different for the reasons I listed above and others.
And contains pitfalls as well as benefits. We didn't talk about any of the pitfalls of cloud apps:
1) No change control of applications or ability to handle training in advance. If google rolls out a new theme and re-arranges the buttons your help desk and IT department find out about the same time users do.
2) If the service provider removes or alters a feature you rely on - tough. Especially if you are using 'free' SAAS.
3) Legal liabilities. No control over googles security policy. No control over googles retention policy. No control or ability to discover intrusions or data theft. No control over their response in the event of a subpoena.
4) Loss of productivity due to the issues that result from running your office suite in your browser. Things are getting better, but I'd rather pull my hair out with Office 97 than do anything serious with Google Docs.
Plus, I can't count how many times I've worked with a team on something and wound up using a Google Doc as what essentially amounts to a massive whiteboard to outline our plan of attack and add our ideas and solutions to the task at hand, as well as comment on others.
There are even better whiteboard solutions out there. Wikis come to mind for 'massive only collaboration document' while actual honest to goodness whiteboard software works great for when you actually need an online whiteboard.
Plus, I can't count how many times I've worked with a team on something and wound up using a Google Doc
This seems more like a 'when have a hammer, every problem looks like a nail." situation.
The fact is that neither one is REALLY better than the other, it all depends on the task at hand, as both approches have their strengths and weaknesses.
I can agree with that, to a point, based on pure productivity/cost. But when you factor in legal implications, change control, training, and so forth, I don't think its sane for most businesses to use cloud apps in the vast majority of situations.
I get the same requesets from my clients. And it's not just GMail they want to use. It's the word processor, spreadsheet, etc as well.
I try to tell them that the security is an issue and they look at me like I just said that "Elvis enjoys tacos". It's startling how unconcerned they are about the risk to their confidential client work product especially in light of the fact that if it were to leak out they could potentially lose thier license to practice.
But...but...it's free, they say, with confused puppy eyes. As if free somehow obviates any need for security.
-B-
I don't understand that anti-google "hype", which probably was started by Ballmer :-)
There are many hosted mail solutions, every ISP has their own mail service, blackberry does have one too. There's a load of hosted Exchange solutions. Etc, etc, and businesses USE it. If a google employee can read email, why an ISP employee can't? Because it's in their terms of service? ha!
Rolling your own solution is damn expensive and you need a guy who actually knows something about it, that's why most companies are more than happy to outsource it.
...and no way to audit Google's data center(s) to establish compliance which is a very big deal in a lot of industries.
-B-
Lost productivity due to forgetting the thumb drive with your work at home
That's why we use a VPN to work on documnts from work rather than relying upon a flash drive.
Lost productivity due to your company's internal network going down
If my company's network goes down (which it rarely does) I can troubleshoot it and get it back on it's feet. If Google goes down I can send them an e-mail (assuming I'm NOT using GMail) and get an automated response or maybe I can call them and hear that the next avaialble agent will be with me shortly.
Lost work due to a hard drive failure
If you don't back it up then you don't deserve to have it.
Lost work AND productivity due to computer theft
If my computers get stolen then how do I log into Google?
Lost work AND productivity due to accidental overwrite of a shared file on a network drive
See: Backups.
Many people seem to believe that using something like Google Docs is just like using MS Office, but the reality is that it's fundamentally different in many ways. Nearly ubiquitous accessibility,
I wouldn't have had access to my Google Docs on the flight I just got off.
it all depends on the task at hand, as both approches have their strengths and weaknesses.
Well that I certainly agree with. Google Docs has its place. But that place will never include mission-critical or confidential work product. Not unless some drastic changes are made.
-B-
I can agree with that, to a point, based on pure productivity/cost. But when you factor in legal implications, change control, training, and so forth, I don't think its sane for most businesses to use cloud apps in the vast majority of situations.
You're thinking like a techie, and probably a sysadmin there, and not like a businessman.
The only way to hold off cloud apps is to provide something better. For a lot of users, Word is not better and Excel is not better. They like doing things on the Web; it lets them be more productive. Fighting against that is a bit like being King Canute, telling the tide to stop coming in.
"Little does he know, but there is no 'I' in 'Idiot'!"
1) Lost productivity when the local ISP or some some intermediate router is down? Multiply by each user. (In a lot of places that's pretty significant. Lots of places suffer multiple hours of network down time / flaky internet every month.)
Google Chrome supports offline use of google apps.
2) Lost productivity as your employees are clicking on google ads and browsing online when they should be working on that spreadsheet or word document, or simply lost productivity as the ads become insufferably intrusive and distracting.
Only the standard free version is ad based. If you upgrade to the premium the ads are gone. For anything serious like outlook integration, you need google apps premium.