[mirimir]

With exceptions on the level of sharing recipes or whatever, I find it hard to imagine collaborators using such an insecure platform. Sure, communications are encrypted, but Google has full access to documents.

How do IT security staff sign off on stuff like that?

[fixermark]

Perhaps the security staff are convinced that either Google doesn't actually have access to it in any practically-concerning sense (https://www.quora.com/Can-Google-open-and-see-files-in-my-Go...), or the risks associated with that access are negligible?

I think you've hit on a very interesting point. The fact that IT security staff (with careers and reputations on the line) do sign off on companies using Google's platform for business applications that include passing sensitive data around might indicate that our assessment of the risk model is flawed?

[jonfw]

Many of us are the people making those risk assessments. What information would these IT security staff have that we don't?

It's no secret that a lot of companies don't have great information security.

I think that the fact that people are signing off on it just emphasizes how little some people care about information security.

[fixermark]

> What information would these IT security staff have that we don't?

The cost-benefit analysis of their individual industries and the risk tolerance of their companies.

[jonfw]

I'm talking about actual information about what Google does with their data.

The cost-benefit analysis and risk tolerance doesn't tell us about how much Google secures their privacy, it tells us about how much the company cares about their privacy/security.

[fixermark]

Google's entire privacy policy is laid out in (by the standards of other documents I've seen) very digestible language. https://policies.google.com/privacy#intro

Beyond that, it's a trust and a penalties-for-violating-policy exercise.

And I agree with you: you can probably tell volumes about how much a company cares about the risk factors based on who they trust. But I don't generally think companies are being ignorant placing their chips on Google---it's a big org with a lot to lose if something goes wrong. That gives it advantages over either smaller competitors or rolling one's own (factoring in that to match the security of a dedicated service's cloud offering while approaching the convenience of such an offering, you basically have to hire your own full-attack-surface-spectrum infosec team, and that's one more line item in a small company's budget).