
Understanding Intent and Control – When Defaults Attack


“A Japanese ministry is conducting an internal investigation after a Google Groups account used for international treaty negotiations was left on its default, publicly viewable settings.”

It’s tempting to say that Google should change the defaults to be more secure. Security professionals understand the default-deny stance really well, but there are other perspectives to consider.

The Intent of the Service

“An official at Japan’s Ministry of the Environment created the group to share mails and documents related to Japan’s negotiations during the Minamata Convention”

First, it’s not that the defaults are bad; it’s that they’re bad for the intent of this user. Consider that he was sharing documents on Google Groups, a system designed for sharing, not privacy. Is it surprising that the defaults are permissive? It shouldn’t be. I’m not sure what else you’d expect. He should have checked the settings.

An IT Service Failure

“[T]he ministry has its own system for creating groups and sharing documents, but it doesn’t always function well outside of Japan, sometimes leading to ‘poor connections’ and a ‘bad working environment.’”

Say hello to the workaround hero. I can’t help wondering if this was the first time he set this up. He must have known that Google Groups would work. There’s a rule from Pragmatic Marketing’s product management course that goes like this: “If product managers don’t do their jobs, the other departments will fill the void.” You might translate that for the cloudy new world: If IT doesn’t offer a service, the Cloud will fill the void.

What happens when the cloud providers do a better job than corporate IT (some would say that some already do)? Is there a BYOD+Cloud-driven corporate IT coup coming?

