I have seen a number of organizations do a total lockdown, including
> one that would not allow users to add any shortcut icons to their
> desktop and running a process each night to removed unauthorized
> shortcuts (a bit draconian?), but with mixed results.
>
> It comes down to a balance of trust and controls, the ability to
> support users needs if there is a total lockdown (i.e. handle user
> requests for software installs, updates, etc), the establishment of a
> clear and consistent policy (including penalties for non-compliance),
> documentation, and a strong political will (i.e. the backing of the C-level people).
>
> Which leads to this thought: C-level types are many times the biggest
> offenders because they have no fear. You wrote “Let’s also suppose the
> environment is not locked down and people do contact tech support
> after installing a software that is not part of the SOE. What good
> solutions do people have to minimise this load?”
>
> You might adopt a policy which state that these users are told that
> they cannot receive suport for their call because it is an unsupported
> application. Does that policy get applied when it is the CEO/CFO/CIO
> calling, the same CEO/CFO/CIO who calls to get technical support for
> their home computers or so that their children can get something done?
>
> If you use a policy to fire or otherwise penalize an employee for
> non-compliance, what happens when they take you to court because they
> know that C-level people have not been sanctioned for similar actions?

A wild guess: does GDS send keywords to Google so Google can send back a sidebar of Sponsored Links and Related Searches? Then yes, I see that that would constitute a risk. Google should be up front about it and make it easy to turn the feature off.

That said, I just had a similar discussion with a friend about privacy concerns in Gmail. He was suspicious about storing his e-mail on a service whose business model involved narrowcasting advertising, even if the service claimed that the information flow was one-way from marketers to users. My response was that any ISP or mail provider has the same opportunity to abuse its customers’ privacy, and I’d bet that Google has a stronger motivation than some no-name operation to keep its nose clean.

Of course GDS and Gmail are different animals, as are institutional security and personal privacy, so conclusions about one don’t necessarily apply to the other.

but rather, i wonder why there is a hue and cry about GDS, when it’s really not a new application category. the same arguments could be made about X1, Copernic, or any of the other search tools out there. or even more to the point, any number of applications that users download – like Kazaa or Limewire.

basically i think IT shops need to make sound decisions for their workstations in general, rather than single out GDS as a security scapegoat. GDS introduces security concerns, true, but it’s hardly the only example of that, and surely not the worst.