Life after Heartbleed: What Google Apps Customers Need to Know

This week, a major security flaw was discovered in OpenSSL, the open-source implementation of cryptographic protocols SSL and TLS. This flaw, now referred to as Heartbleed, poses a fundamental risk to the security of data transmitted between servers. In other words, the bug allows malevolent parties to request data from a web server’s memory, which may include encryption keys, passwords, user information and content. Once attackers have access to this data they can use it to impersonate services and users. What’s worse is that the flaw has been around since December 2011, meaning potential hackers have had access to vulnerable data for over two years.

Scary, right?

Yes, Heartbleed should be taken seriously. End users can and should take key steps like resetting account passwords, but much of the onus is placed on the web providers we rely on and trust. For BetterCloud and our customers (and most of the free world), Google is a major player in our online lives – personally and professionally.

Thankfully the web giant, that actually employs the researcher who discovered Heartbleed, was extremely quick to act and ensured users yesterday that they had assessed the vulnerability and applied patches to services including Search, Gmail, YouTube, Wallet, Play, Apps and App Engine. Google Chrome and Chrome OS were not affected.

Since our product, BetterCloud, is built on top of Google App Engine, our engineering team has been closely monitoring the Heartbleed situation since it was discovered. And now that Google has assessed and patched any vulnerabilities to App Engine, BetterCloud is completely secure. “One of the benefits of running on top of a world class service like Google App Engine is that we get world class security services to pass on to our customers,” notes BetterCloud CTO, David Hardwick.

BetterCloud customers can rest assured that their data is safe and secure in the Google Cloud. However, it is still a best practice for IT administrators to either force password resets for their users or encourage users to change Google Apps passwords on their own. While we know we’re not supposed to, many of us do use the same passwords for multiple services. And since Heartbleed has been a problem since 2011, old passwords that were used for vulnerable services now offer little protection even for services that have been secured.