Desktop Search: The Ultimate Security Hole?

By Matthew Hicks  |  Posted 2004-12-02

Desktop-search tools have become one of the industry's hottest trends, promising to extend the ease of searching for Web pages to the finding of hard-drive files and data.

While end-users may jump at the chance to uncover their lost e-mails or past Web page visits, analysts and IT executives are warning enterprises to think twice about desktop search because of its potential to reveal personal and confidential information on corporate computers.

The problem, they say, isn't necessarily the technology behind desktop search, but rather the unintended consequences of being able to instantly locate previously hard-to-find data such as e-mails and cached Web pages.

The retrieval of Web history is the biggest cause for concern, said Timothy Hickernell, a vice president at IT research company The META Group Inc. Hickernell issued a client advisory last month warning IT departments about the risks of desktop search.

In particular, Google's desktop search client, released in a beta in October, can index cached Web pages, including pages from secure sites that display corporate data from Web-based enterprise applications or personal information such as financial-services accounts and medical records.

Google's tool is only the beginning of the onslaught of new desktop-search downloads expected to be released in coming months.

Microsoft Corp.'s MSN division and Ask Jeeves Inc. both have said they plan to launch desktop search products this month. Yahoo Inc. and America Online Inc. also are working on desktop search offerings.

"There's no way IT is going to stop this," Hickernell said. "For power users in particular, this is a valuable tool.

"We are not recommending that IT outright ban the tools but that departments have to test the tools, get out ahead of this trend and understand what the tools are doing in their own corporate desktop environment."

One Silicon Valley hospital and medical group went so far as to warn the users of its online medical records system about the risks of Google Desktop Search.

The Palo Alto Medical Foundation issued an advisory within weeks of the Google Desktop Search release after IT officials realized that the search tool, by default, would index the encrypted Web pages from its patient system, called PAMFOnline, said Dr. Paul Tang, the medical group's chief medical information officer.

"When I downloaded desktop search, it dawned on me that it's very powerful but sounds like it could also be accessing caches for things you may not want to be findable," Tang said.

Rather than telling users not to install Google Desktop Search, the hospital explained in its advisory how users could change the tool's settings to ensure that encrypted Web pages (HTTPS), such as those served by its medical-records system, were excluded from searches, Tang said.

"I like Google a whole lot, but this was just a matter of trying to keep people informed of the other potential implications [of desktop search]," Tang said.

Consumer vs. Enterprise

IT departments should even consider barring consumer desktop-search tools on corporate machines if they are not willing to investigate their risks, said James Governor, principal analyst at RedMonk, based in Bath, Maine. Unmanaged use of desktop search tools could expose enterprises to regulatory violations around privacy laws and the federal Sarbanes-Oxley statute, he said.

Governor likened desktop search to other emerging technologies that largely rose through the ranks of consumers and individual users before gaining the attention of enterprise IT.

"Organizations do need a formal policy on desktop search, just as they do on wireless and instant messaging," Governor said in an e-mail interview.

"These are all potential breaches in an organization, and their viral adoption by end-users makes life even harder for overstretched IT departments."

The reality is that the desktop search tools coming from Web search providers are largely intended for consumers and not for enterprise environments, Hickernell said. Yet a spate of users downloading them could indicate a real need for enterprise-class desktop search within an organization, he said.

Enterprise search vendors such as Autonomy Corp. plc and specialized vendors such as ISYS Search Software and Coveo Solutions Inc. make desktop search tools targeted for organizational use.

Along with their rise in search, consumer desktop tools are growing generally. Hickernell said he expects the tools to become more intrusive, potentially raising further enterprise security concerns about user tracking.

"The ultimate value in commercial search companies and ad firms going to the desktop is to get the ability to capture more context, and the more context they have, the better able they are to target advertisements and offers to consumers," Hickernell said.
