Web 2.0 Apps: A Pandora’s Box of Risk

Some products offer a file synchronization function, but in most cases, backups require downloading a local copy of each file to the user’s machine — a cumbersome process if you have many files. (One vendor, AdventNet Inc., offers a version of Zoho Virtual Office that can be hosted on your own servers, where files can be managed and secured by IT.)

Then there’s patching. Microsoft issues patches once a month, and administrators test each before deployment. With services such as Google Apps, updates and patches happen automatically and without warning. If online applications become the primary tools for workflows and collaboration, as Microsoft Office is in many businesses, it’s possible that things could break. “These applications — the enterprise doesn’t get any visibility into them,” Pescatore says.

Most important, the security of data on back-end servers can’t be guaranteed. “How does Google demonstrate that I can’t link to some other company’s spreadsheet?” Pescatore asks. It doesn’t. Providers of enterprise-grade hosted applications, such as Salesforce.com, don’t just make promises about such things. They go through audits to prove to customers that their back-end servers are secure. Google and others provide no such assurances — even to those paying $50 per year for Google Apps Premier Edition.

A $50 subscription is still a lot less than Office 2007 costs, but you get what you pay for. “You either accept the risks to save money or you spend more to mitigate the risks. Then the savings aren’t as large,” Pescatore says.

One way around the problem is to ban the use of hosted application services and provide users with viable alternatives, such as Web-accessible in-house collaboration platforms and virtual desktops using products such as Citrix’s Presentation Server or VMware Desktop.

As with public instant messaging and Web mail, however, the services may have valid business benefits in some situations — especially in smaller businesses working with less-sensitive data. But administrators need to establish clear policies with regard to their use and educate users about the risks.

Robert L. Mitchell is a Computerworld national correspondent. Contact him at robert_mitchell@computerworld.com.