Desktop Search: The Ultimate Security Hole?

While uncovering lost e-mails or past Web page visits may appeal to some users, analysts are warning enterprises that desktop search makes it possible to reveal personal and confidential information on corporate computers.

Desktop-search tools have become one of the industrys hottest trends, promising to extend the ease of searching for Web pages to the finding of hard-drive files and data.

While end-users may jump at the chance to uncover their lost e-mails or past Web page visits, analysts and IT executives are warning enterprises to think twice about desktop search because of its potential to reveal personal and confidential information on corporate computers.

The problem, they say, isnt necessarily the technology behind desktop search, but rather the unintended consequences of being able to instantly locate previously hard-to-find data such as e-mails and cached Web pages.

The retrieval of Web history is the biggest cause for concern, said Timothy Hickernell, a vice president at IT research company The META Group Inc. Hickernell issued a client advisory last month warning IT departments about the risks of desktop search.

In particular, Googles desktop search client, released in a beta in October, can index cached Web pages, including pages from secure sites that display corporate data from Web-based enterprise applications or personal information such as financial-services accounts and medical records.

/zimages/1/28571.gifRead more here about how Google Desktop Search retrieves cached Web pages.

Googles tool is only the beginning of the onslaught of new desktop-search downloads expected to be released in coming months.

Microsoft Corp.s MSN division and Ask Jeeves Inc. both have said they plan to launch desktop search products this month. Yahoo Inc. and America Online Inc. also are working on a desktop search offerings.

"Theres no way IT is going to stop this," Hickernell said. "For power users in particular, this is a valuable tool.

"We are not recommending that IT outright ban the tools but that departments have to test the tools, get out ahead of this trend and understand what the tools are doing in their own corporate desktop environment."

One Silicon Valley hospital and medical group went so far as to warn the users of its online medical records system about the risks of Google Desktop Search.

The Palo Alto Medical Foundation issued an advisory within weeks of the Google Desktop Search release after IT officials realized that the search tool, by default, would index the encrypted Web pages from its patient system called PAMFOnline, said Dr. Paul Tang, the medical groups chief medical information officer.

"When I downloaded desktop search, it dawned on me that its very powerful but sounds like it could also be accessing caches for things you may not want to be findable," Tang said.

Rather than telling users not to install Google Desktop Search, the hospital explained in its advisory how users could changes the tools settings to ensure that encrypted Web pages (HTTPs), such as those served by its medical-records system, were excluding from searches, Tang said.

"I like Google a whole lot, but this was just a matter of trying to keep people informed of the other potential implications [of desktop search]," Tang said.

Next Page: Consumer technology making its way to the enterprise.