Security

Google Apps Project Delays Highlight Cloud Security Concerns

Google led a coup against Microsoft to win the contract with the city of Los Angeles to provide messaging and productivity software for roughly 30,000 city employees. Nine months later, though, implementation is behind schedule as Google and the city of Los Angeles address security concerns with the cloud-based services.

The cloud isn't all white and puffy--security concerns can make it more like a storm cloud.
The Los Angeles police department (LAPD) is not ready to embrace the migration due to concerns with lags in e-mail delivery, and continued anxiety over the security of data entrusted to Google. The LAPD must comply with rigorous data protection requirements and it is not yet convinced that the Google security controls are sufficient.

A memo last fall from the Los Angeles Information Technology Association which contributed to the Google contract win spelled out that Google will "provide a new separate data environment called 'GovCloud.' The GovCloud will store both applications and data in a completely segregated environment that will only be used by public agencies."

The Google GovCloud is encrypted, and is both physically and logically segregated from the rest of the Google-verse. Google also specified that the data stored in GovCloud would only be housed in US-based servers, and only available to US citizens with proper clearance and authority.

Those seem like fairly stringent security measures, but to quell any remaining unease Google also committed to notify the city of Los Angeles of any security breach. To hedge the bet, Los Angeles council members added a clause to the contract which requires Google to pay the city in the event of a data breach.

All of the promises, commitments, and security measures, though, can't undo a security breach. Having Google pay the city a penalty in the event of a data breach might be a windfall for LA, but it won't un-breach the data.

Vendors of all shapes and sizes--including powerhouses like Google and Microsoft--are aggressively pushing the cloud as the next great frontier in computing. But, as the first major implementation project for Google Apps, the LA project illustrates that there are still some hurdles to cross before the cloud exodus can really occur.

Companies fall under a wide variety of state, federal, and industry compliance mandates requiring that data be processed, stored, and protected in certain ways. As of yet, the cloud does not provide sufficient controls to meet many of those compliance requirements, and the regulatory bodies that govern the compliance frameworks have not issued addendums or specific guidance for securely processing and storing sensitive information in the cloud.

The controls and commitments laid out by Google to accommodate the city of Los Angeles certainly seem to be a step in the right direction. However, project delays resulting from ongoing concerns prove that the cloud still has some security growing pains to get through.

Subscribe to the Security Watch Newsletter

Comments