Could Google Mail or Google Drive work as a path to a company's network?

Question

I am a newbie to data security and would like to ask few questions related to Google Mail and Google Drive. What I want to know is how these two apps could be used to access a company's network AND how its data on Google Drive can be taken advantage of. So here are my questions numbered:

1. Could Google Mail and Google Drive provide a path or opportunity for unauthorized people to break into the company's network?

2. Is it wise to put any document related to customers, customers' meetings and customers' orders on Google Drive (you might say that this depends on how sensitive the data is, but isn't every company's data important, specially when you have rivals)?

If my questions are unclear, please comment, I will try to explain better.

Answer 1

Short answer: No

Long answer... it depends on how well you secured your account (i.e. two-factor authentication, SMS/mail alerts etc.)

Google drive is a cloud service, logged in through either an app or via the web browser, unless someone completely hacks and bugs the (web)application and spikes it so it reads into your system (which requires them to also crack the security of your system/browser/phone etc.), it MAY have a way in... which will never happen, obviously.

Storing data that could be confidential in the cloud always has the risk of someone accessing the account, having two-factor (or even more advanced, 3 factor) is your best move, and should ALWAYS be enabled for security, this is the same for Google drive, OneDrive, Dropbox, name it!

Answer 2

In response to (1), yes it could provide a path, but it's unlikely for just about any organization under some reasonable assumptions. In particular, it's possible to access GMail and Google Drive from a browser that only supports JavaScript, so the standard browser sandbox means that Google itself shouldn't be able to read or change any files on your internal network that you might have access to.

That's for a responsible user and an up-to-date browser, just using the web version of the apps. Of course a user could receive malware via GMail or stored/shared from a compromised computer or with compromised credentials in Google Drive. Google does provide a Google Talk plugin and a Google Drive client, and it's possible that a back-door has been placed in one of those. Furthermore, if a user does a web search for "download gmail client" or "download google drive client" or "download browser for gmail" and clicks the wrong link, they might get malware instead.

The bigger worry about allowing users in a secure environment to be checking their web-mail (from any provider) or accessing files on a cloud service is that it's easy for them to share the organization's data and information without proper controls. The network as such is beside the point, what really makes something a security breach is the secrets.

Which leads to an answer to (2). Google says in their Privacy Policy that "We work hard to protect Google and our users from unauthorized access to or unauthorized alteration, disclosure or destruction of information we hold." That's not quite an absolute promise; there are specific exceptions noted elsewhere in the policy and the Terms of Service. If your organization is engaged in law-abiding activities in the U.S., mail sent between two GMail accounts is less likely to be viewed by KGB agents than mail sent between two mail.ru accounts. If you're a direct competitor to Google and you put your business plan in Drive, they shouldn't look at it. That's not as strong as saying that no one can look at it.

If you have a contract (or privacy policy, etc.) with your customers that says you may store their information in Google Drive, or with "commercial providers", then you may. However, your organization could also have a policy that prohibits storing particular items (such as the customer-related ones you mention) without particular controls, and Google Drive may not meet those controls.