[Update: 2/13/2006 12:02 PST]: I just realized that Google's first implementation is at San José City College, not San Jose State. Updated accordingly.
Over at Expert Texture, Robert had a great post yesterday raising concerns about Google branding GMail (Corporate GMail). According to their post here, Google is going to start offering GMail to corporate customers--with their domain names. They're starting by taking over San José City College's e-mail.
Robert raises a couple of salient issues:
How will GMail isolate company data and ensure that it never gets shared with other customers? How secure is the GMail database? Leaving aside the issues raised by the EFF yesterday, what are the security procedures in place at Google to ensure that customer data are secure?
Those are great questions. Few pieces of software contain as many corporate secrets as e-mail servers. In this day and age, virtually all communication goes through e-mail servers (much, much more gets done this way than through phones or IM)--and that means that corporate secrets are in that system.
Certainly many small-to-medium companies don't worry so much about intellectual property and therefore won't worry so much about this. After all, if I were operating Dan's Frisbee and Waffle Shop, and corporate GMail would give me the ability to have e-mail addresses like firstname.lastname@example.org without my investing any time, staff, or money in hardware or software, I may think that is terrific. Who cares if someone finds out that I'm introducing a new flavor of syrup next week?
But if I'm a large corporation (and let's face it: by announcing the service with a 10,000+ account implementation, Google is is making it clear that they aren't aiming at the frisbee and waffle shops of the world), I have grave concerns about putting my most secret intellectual property in the hands of any other corporation; even if their motto is "Don't be evil."
But in a larger sense, this same question is being faced all over the software industry as people create and offer Software as a Service. And in many cases, companies are finding ways to assure their clients that their secrets are safe. Look what Salesforce.com has been able to convince companies to do: hand over all of their customer and sales data. For many companies, those secrets are as valuable as the ingredients to their special sauce.
SaaS companies are finding ways to convince customers that their data are safe (from both outside and inside vulnerabilities). But it will continue to be a major issue as SaaS becomes a more frequent business model. And, undoubtedly, just as we hear today about credit card companies accidentally exposing credit card numbers, in the not-to-distant future we'll here of some SaaS provider who inadvertently revealed the ingredients of the special sauce.
So, SaaS developers, I give you this. I've already told you that you have to design your system to be scalable from the outset. Now: make sure you're thinking about security from the ground up, too.