Bluemaps Business Mapping Blog

Oct 09

Google Maps, is that Secure for Business Data?

Snake Oil Salesman

I was at the Location Intelligence conference in Denver recently, talking to another vendor who provides business and demographics data – and a platform to display that data. I told him about our product Bluemaps, and how we use Google Maps to map business data. He said, “Yeah, but you know, we don’t like to use Google Maps as we are dealing with sensitive business data. It is not secure.” I can understand business people having second thoughts about data security when using a web-based map provider, but if a vendor points to security as a reason to undermine Google (or any web-based map provider, for that matter), I can only think of two reasons:

1. He has no concept of security, and he knows when he points out a security risk, most business people in the audience will be overwhelmed and accept his ideas without questioning,

or

2. He is just trying to sell his product knowingly bending the truth about security concepts.

In the past, I have seen that the “snake oil” security product concept coined by Bruce Schneier is also applicable to non-security products that abuse security for their own purposes. Security is a vague concept, requires expertise and is mostly not understood properly. And as it is, snake oil salesmen are out there. Yet I have heard misconceptions about the security of browser-based map providers in other discussions with some customers, and thought it would be a good idea to share some thoughts on that.

First of all, it is very possible to create an insecure system with Google Maps, or with any other platform provided by any vendor, whether web-based or installed in local networks. Business applications must be designed and developed with security concepts in mind, and implementing them carries security-related risks. But using a web-based map provider, or an API provided as such, does not increase this risk at all.

I’ll mostly refer to Google Maps API in the following paragraphs but the ideas are applicable to almost all other web based providers too. Also I will be focusing on Bluemaps, but the concepts outlined are valid for any application that uses Google Maps API properly.

Google Maps provides a JavaScript API that lets developers use JavaScript calls to create a map and to create visualizations on the map for their purposes. Of course there are other capabilities, such as letting you interact with the user. But basically everything you do, you do through a JavaScript API. JavaScript is a client-side technology, meaning it runs on the user’s computer, not on the server side. And inherently in its design, JavaScript is very sensitive about security. It is impossible to use JavaScript and cause some kind of security breach in the user’s system.

In Bluemaps (or any application that uses the Google Maps API), when the user runs the application by opening a web page, the Google Maps API code and the Bluemaps implementation code are loaded in the user’s browser and the application runs within the security context of JavaScript. Then Bluemaps takes control of the application flow and retrieves the sensitive business data from the Bluemaps Data Engine, which is also installed on the client network. After the initial launch, Bluemaps uses the relevant Google Maps API functions to create the map and the visualizations on the map. Within the described process, no sensitive business data gets out of the client’s network. All the application does is retrieve relevant map data and Google’s JavaScript API code from Google. It is exactly the same thing as when any user in the company network browses Google Maps to look up a location of, say, that great sandwich place they can all go to for lunch. Any business application using the Google Maps API for data visualization hardly ever brings any more threats than a user sitting at his desktop using Google Maps to find an address.
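One way to check the claim that no business data leaves the client network, as an added example that is not part of the original post or of Bluemaps: audit a capture of the browser's requests and flag any request to a non-internal host that carries a known business value. The internal DNS suffix, the sample values and the request log are constructed assumptions.

```javascript
// Added example, not Bluemaps code: audit captured browser requests for
// business values sent to hosts outside the company network.
const INTERNAL_SUFFIXES = [".corp.example"]; // assumption: internal DNS suffix
const SENSITIVE_VALUES = ["ACME Holdings", "4821957.33"]; // constructed values

function isInternal(hostname) {
  return INTERNAL_SUFFIXES.some(
    (s) => hostname === s.slice(1) || hostname.endsWith(s));
}

// Undo form/percent encoding so encoded values still match.
function normalize(text) {
  let out = text.replace(/\+/g, " ");
  try { out = decodeURIComponent(out); } catch (_) { /* keep raw text */ }
  return out.toLowerCase();
}

// Returns one finding per sensitive value seen in an external request.
function auditEgress(requests, sensitiveValues) {
  const findings = [];
  for (const req of requests) {
    const url = new URL(req.url);
    if (isInternal(url.hostname)) continue; // data engine traffic stays inside
    const haystack =
      normalize(url.pathname + url.search) + "\n" + normalize(req.body || "");
    for (const value of sensitiveValues) {
      if (haystack.includes(value.toLowerCase())) {
        findings.push({ host: url.hostname, value });
      }
    }
  }
  return findings;
}

// Constructed capture: data engine call, API load, map image, and one
// request that puts an account name into an external geocoding query.
const capturedRequests = [
  { url: "https://dataengine.corp.example/api/accounts?region=west", body: "" },
  { url: "https://maps.googleapis.com/maps/api/js?v=3", body: "" },
  { url: "https://maps.googleapis.com/maps/api/staticmap?center=39.74,-104.99&zoom=9", body: "" },
  { url: "https://maps.googleapis.com/maps/api/geocode/json?address=ACME+Holdings%2C+Denver", body: "" },
];

console.log(auditEgress(capturedRequests, SENSITIVE_VALUES));
```

Run against a real capture, an empty result supports the claim for that session; coordinates and drawing styles are not matched because the check only looks for the listed business values.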

I should also mention that if Google weren’t a respectable software company but a hacker who tried to retrieve business data from the enterprise companies that use the Google Maps API, all the data he would be able to retrieve would be images and related coordinates placed all over the world, with colors and locations of lines and polygons drawn on the earth’s surface. The information about the lines and colors, but no related business information…

Obviously any system working with business data carries a security risk and must be designed with security in mind. But retrieving any kind of data or map information from the internet to complement your business system does not increase the risks inherent in the system as long as your application was designed based on the security concept that would be essential for any business system.

