by Shane O'Neill

Google Apps: How We Locked Down Documents

Apr 06, 2011
Cloud ComputingData and Information SecurityEnterprise Applications

Here's how two organizations added extra security and monitoring power to track and protect sensitive Google Apps documents. The bad news: Until Google delivers these capabilities itself, you'll have to turn to a third party vendor.

Although Google Apps has made progress over the past few years as a cloud-based collaboration and productivity suite for businesses, the first big wave of adopters have been government agencies, schools and nonprofit organizations.

Google certainly has enterprise Google Apps customers such as Virgin America Airlines and Genentech, but it only owns a tiny percentage of the enterprise e-mail market. The bulk of Google Apps migrations have come from the public sector — setting off a fight for cash-strapped state government agencies between Google and Microsoft, with its BPOS (business productivity online suite) cloud service.

With tighter budgets than most corporations, government agencies have been more apt to move to cloud-based services that allow e-mail and documents to be stored in remote data centers.

But with all these documents being saved and shared in Google’s cloud service, two Google Apps users who spoke to — the City of Panama City, Florida and the nonprofit American Lung Association of New England — were both surprised that Google did not provide better tools for actually monitoring the documents.

Both organizations have moved from old and discordant technologies to a cheaper, more modern cloud alternative in Google Apps for e-mail, collaboration and productivity apps.

Slideshow: Gmail Tips: 10 Features to Try Now

IT directors for both organizations say they took a risk in deploying Google Apps in 2008, and learning curves aside, they have no regrets about the move. Neither organization misses paying for upgrades or managing servers. And even older employees who were tied to Outlook or Lotus Notes for decades have adjusted to using Gmail and working on documents within a browser and saving them to the cloud.

But managing the docs after they had been saved in Google Docs proved to be a cumbersome process, says Panama City Network Administrator Richard Ferrick.

“I needed to view all the documents stored in Google Docs and get data on who they belong to, who else that person has shared the docs with and whether they were shared internally or outside our domain,” says Ferrick. “I couldn’t do that with Google Docs. I would have to log in as each person and see what was there.”

Panama City’s Public Records Problem

Panama City, which has been using GAPE ($50 per user per year) since 2009, came to the cloud service after using Lotus Notes and an ancient Domino server for too long, says Ferrick.

He pushed for Google Apps because he was a happy gmail user himself and wanted better mobility for city workers, who had been slowed down by having to log in through the firewall using a Cisco VPN client to check Lotus Notes e-mail.

But Google Apps was still a brave new world for users not accustomed to collaborating online and using SaaS (software as a service) applications.

“We had to do some training on storing documents in the cloud and sharing them instead of e-mailing them,” Ferrick says.

But he was still stymied by the inability to take an inventory of the city’s documents within Google Apps.

“In Florida, we put a lot of documents out there as public record, but we want to have control over them.”

With four of the city’s departments archiving into the cloud, Ferrick needed Google Docs to act more like a file server. And that’s when Ferrick came across CloudLock for Google Apps, cloud-based data protection software that can track how users have accessed, edited and shared documents in Google Docs. CloudLock works to protect the documents by monitoring which ones are shared and by who and even lets the admin revoke sharing rights if necessary.

The tool also allows IT admins to transfer ownership of Google Docs to a different account on a company domain. Both Panama City and The American Lung Association of New England have used this feature to assign docs to a new employee and delete the account of an employee who has left.

Keeping Private Documents from the Public

With its medley of interns, volunteers and regular employees, the American Lung Association of New England, based in Waltham, Mass., has also benefited from the document ownership transfer feature in CloudLock, says Eric McDuffee, Director of Data and Technology.

“With Google Docs I would have to go through one by one and download a person’s documents,” says McDuffee.

Using CloudLock’s bird’s-eye view of all documents, McDuffee can select docs of a former employee and give ownership to someone else, then shut down the account.

McDuffee, who moved the American Lung Association to Google Apps Education Edition (which is free for nonprofits) in 2008 when six offices merged into one, noticed from the beginning that document management tools were missing from Google Apps.

“You have the ability to share documents internally and with the public, but no real way to monitor those documents,” says McDuffee.

What CloudLock enables is governance of documents, says McDuffee, allowing him to make documents available to important people like donors, but still control what docs can be shared and viewed by the public.

“We want to be transparent, but only to a certain extent,” he says. “Obviously we don’t want a spreadsheet with everyone’s salary to be viewable by the public.”

Google Apps: A True Enterprise App?

Both the American Lung Association and Panama City grant administrative rights to department directors so they can use CloudLock to monitor the documents of everyone in their department.

“A department head knows more than me about who in their group should have rights to certain documents. It takes the burden off the IT guy a bit,” says McDuffee.

Ferrick adds that without the addition of document management tools like CloudLock, Google Apps isn’t a true enterprise app.

“For IT admins, CloudLock allows us to get a true inventory of what’s going inside Google Docs.”

CloudLock costs between $2 and $4 per Google Apps user per year. Click here for more pricing information.

Shane O’Neill covers Microsoft, Windows, Operating Systems, Productivity Apps and Online Services for Follow Shane on Twitter @smoneill. Follow everything from on Twitter @CIOonline and on Facebook. Email Shane at