Yesterday, David F. Gallagher wrote “I’m in Your Google Docs, Reading Your Spreadsheets” for the NY Times Bits blog. He describes how he was mistakenly sent a sharing invitation to a set of Google Docs by an employee of Community Newspapers Holdings Inc. -- based on his email being similar to that of a CNHI employee. This gave him access to spreadsheets (among other things) with detailed financial data. This highlighted for me the true but mundane statement that “Security is human,” and the role that security needs to play in our current discussion of the design of communication and workflow infrastructure for multi-organizational project teams. While I mentioned yesterday how I redesigned my prototype site based on specific needs for password controls, I haven’t yet broached the issue of how when you self-design for collaboration, you also need to self-design the technical and human aspects of security for your collaborative systems. We make decisions in face-to-face settings about whether to leave the conference room door open or closed, and we need to make similar decisions in more virtual settings. Many of the current 35 comments to Mr. Gallagher’s post focus on bringing the collaboration tools behind the organization’s firewall. That works for some collaborations, but not for any of the ones I work with as they are all multi-organizational. Ultimately, security is human. Yes, it would be nice if Google Docs would do a check and ask you if you really mean to share with someone you’ve never shared with before – a suggestion Mr. Gallagher provides. (Google Sites does query your intentions when you add someone from outside your own domain.) However, as he notes,
in the end, security requires careful typing — and perhaps some careful decisions about whether some documents would be better left behind the corporate firewall.I’ll add that careful consideration of permissions, access controls, version tracking, and the like are all part of the human/technology system that must be carefully intertwined in modern environments. We need to actively consider our security just as we should actively think about what to write on the white board, how the tables and chairs should be arranged, and who should be involved. When we make the decision to use teams, we take on the responsibility of proactively designing them as well.