'Red Team' to Tackle Google Privacy Issues

By | Aug 27, 2012

Google is recruiting members for a "Red Team" of privacy and security experts who will be tasked with catching flaws in Google's products early in development. For the IT community at midsize firms, the move is a promising one. All too many IT vendors bring products to market without ensuring their security, users' privacy protections or, all too often, basic reliability. Anything that improves vendor performance is good news.

For IT managers at midsize firms, Google's example may also point to an effective measure for safeguarding the company's own IT operations: Create a team tasked with trying to break things. And the earlier a flaw is found, the more easily it can be fixed.

Testing the Defenses

As Charlie Osborne reports at CNET, Google's "Red Team" privacy-protection operation was revealed by a job advertisement on the Google website. The job sought a "data privacy engineer," adept at analyzing software from both security and privacy perspectives. Candidates would be "experts at discovering and prioritizing subtle, unusual, and emergent security flaws."

As security firm Kaspersky Labs noted in a blog post, "red teams" charged with testing systems by attacking them are not new. But including user privacy in the scope of such protective measures is a new development.

Google recently paid a $22.5 million fine to the Federal Trade Commission to settle a case in which a Google product set cookies on machines using Safari browsers. Apple's default for Safari was to reject such cookies. And some other privacy missteps have dogged Google in the last couple of years. The company seems to be taking steps to avoid further privacy embarrassments.

Privacy and Security

One fundamental IT lesson implicit in Google's move is the very close relationship between privacy and security. Effective security involves ensuring the privacy both of a firm's own system and of its customers.

Another lesson is that IT vendors all too often fall short in both of these respects. Even the largest tech vendors are under strong pressure to bring their products to market as soon as possible.

All too often this ends up meaning that products are shipped in spite of security flaws, privacy hazards, and plain old bugginess. Midsize firms cannot count on vendors to look out for them.

A further lesson for IT managers at midsize firms may be offered by Google's example: One of the best ways to ensure that security and privacy are protected is to subject them to attack as part of the development process. No one likes to find out that their systems or products have flaws. But the sooner you find them, the sooner--and more easily and cheaply--you can fix them.

This post was written as part of the IBM for Midsize Business program, which provides midsize businesses with the tools, expertise and solutions they need to become engines of a smarter planet.
