Could someone who has access to my internal network and owns a separate Google Apps domain download SDC and open up the internal network, but within that separate Google Apps domain?
This is possible, but OAuth mitigates the situation: anyone with this capability must be registered with Google Apps Premier Edition or Education Edition and would leave an audit trail in Google. Also, this type of access does not change the fact that an intranet is vulnerable to an adversarial insider. To put it another way, an insider can already steal information from inside a firewall and publish it to the outside world. This could be done by setting up a reverse SSH proxy on an external server and establishing an outbound SSH connection, which most corporate firewalls would authorize. An insider who uses Google Apps to set up an unwelcome tunnel would need a Google Apps Premier Edition or Education Edition account and would leave a record inside Google.