Welcome Guest. | Log In | Register | Membership Benefits

Compliance Holds Up Los Angeles Google Apps Deployment

Google Apps deployment has been long delayed due to security issues, but that doesn't mean security compliance is impossible with the cloud-based service

Oct 24, 2011 | 05:56 PM | 

By Ericka Chickowski, Contributing Editor

According to news leaked last week by a consumer advocacy group, a 2-year-old Google Apps implementation at the City of Los Angeles has been hung up for some time due to security compliance issues -- to the point where the municipality is asking for its channel partner, CSC, to not only waive Google licensing costs, but also to pay for the cost of running its old email systems during the lengthy transition.

While these kind of events might spook compliance-conscience organizations from implementing Google Apps in the future, Google proponents and security experts believe the company is making great strides to make Google Apps work in regulated environments.

"The way that the Google Apps administration console was when the product was created was not as sophisticated as many enterprises needed, but that has changed in the last six to nine months," says David Hoff, vice president of Cloud Sherpas, a Google Apps partner that has helped numerous regulated customers navigate compliance issues during deployments.

In the case of City of Los Angeles, the municipality originally entered an agreement with CSC in 2009 to provide email services through Google Apps to 30,000 city employees, moving from a Novell GroupWise implementation. While 17,000 employees have been transitioned to the SaaS email solution, 13,000 LAPD employees have not because CSC has not been able to comply with U.S. Department of Justice Criminal Justice Information Systems (CJIS) policy requirements. No details of what specific security requirements have remained the sticking points in the implementation surfaced in a letter to CSC from city officials published by advocacy group Consumer Watchdog, or by CSC, which released a statement in response to the publication of the letter.

"Subsequent to the award of the original contract, the City identified significant new security requirements for the Police Department," CSC said in an e-mailed statement. "CSC and Google worked closely with the City to evaluate and eventually implement the additional data security requirements, which are related to criminal justice services information ('CJIS'), and we're still working together on one final security requirement."

According to Hoff, some of the most common security compliance requirements Cloud Sherpas has helped customers deal with in Google Apps implementations include data retention for e-discovery, monitoring, and audit trail capabilities and multifactor authentication. "Those are things that are starting to get rolled into the product," he says.

Even those security features required for compliance that are not immediately available natively are often possible to build out through Google's developer platforms and APIs, he says.

"Google started to recognize very early on that it's one thing to interact with data directly through the browser, but it's another situation to interact with that data through integration via an API, and so they built this developer console, which is the tool that you use to go from a very tight bubble around all of your data," he says. "A lot of times there may be one or two things in somebody's current security requirements that isn't completely obvious how to implement, but we have enough tools in our bag to accommodate them."

At the moment, there are no SIEM plug-ins to Google Apps, Hoff says, but that might just be a matter of vendors waiting for a critical mass of deployments to strike out with a solution.

"I think we're close, but it is definitely not on the three- to six-month road map," he says.

As organizations consider Google Apps implementations, Mike Rothman, an analyst with Securosis, says that compliance might not outright preclude them from utilizing the SaaS service, but that it is important to do homework before committing to something that may not work with auditors.

"Not having control or infrastructure visibility is challenging for an auditor, which will definitely complicate things from a compliance standpoint," Rothman says. "Any time an organization is looking to cede control over a critical part of the technology infrastructure, it's always a good idea to include the auditors in the decision process. Most auditors aren't going to give a firm thumbs up or down until they are on the clock, but you'd at least be able to have a good conversation about the issues they see. If getting a service is a total nonstarter from an auditor's perspective, it's probably a good thing to know before you commit to the service."

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.



Currently we allow the following HTML tags in comments:

Single tags

These tags can be used alone and don't need an ending tag.

<br> Defines a single line break

<hr> Defines a horizontal line

Matching tags

These require an ending tag - e.g. <i>italic text</i>

<a> Defines an anchor

<b> Defines bold text

<big> Defines big text

<blockquote> Defines a long quotation

<caption> Defines a table caption

<cite> Defines a citation

<code> Defines computer code text

<em> Defines emphasized text

<fieldset> Defines a border around elements in a form

<h1> This is heading 1

<h2> This is heading 2

<h3> This is heading 3

<h4> This is heading 4

<h5> This is heading 5

<h6> This is heading 6

<i> Defines italic text

<p> Defines a paragraph

<pre> Defines preformatted text

<q> Defines a short quotation

<samp> Defines sample computer code text

<small> Defines small text

<span> Defines a section in a document

<s> Defines strikethrough text

<strike> Defines strikethrough text

<strong> Defines strong text

<sub> Defines subscripted text

<sup> Defines superscripted text

<u> Defines underlined text

Dark Reading encourages readers to engage in spirited, healthy debate, including taking us to task. However, Dark Reading moderates all comments posted to our site, and reserves the right to modify or remove any content that it determines to be derogatory, offensive, inflammatory, vulgar, irrelevant/off-topic, racist or obvious marketing/SPAM. Dark Reading further reserves the right to disable the profile of any commenter participating in said activities.

Disqus Tips To upload an avatar photo, first complete your Disqus profile. | View the list of supported HTML tags you can use to style comments. | Please read our commenting policy.
Subscribe to RSS



Compliance Reports

report How To Boost Security Via FFIEC Compliance
With just a smartphone, users can conduct nearly all their banking business at any time of the day or night. However, all this flexibility and convenience opens up new avenues for fraud and cybercrime. Guidelines laid out by the FFIEC several years ago predate many of the capabilities-and vulnerabilities-that are in place today. In this report, we examine the latest guidelines and provide advice on how you can extend the work done to comply with FFIEC guidelines to strengthen your organization's overall security posture and keep customers and their data safe.

report Keeping Compliance In Check
Configuration mistakes, access control gaffes, poor documentation--it doesn?t take much for a compliance audit to go all wrong. In this special retrospective of recent news coverage, Dark Reading takes a look at the costs, common missteps and best practices for compliance, as well as the day the Internet nearly went dark due to the threat of new regulations.

report FISMA Lifts All Compliance Boats
FISMA may not be on your radar now, but it likely will be at some point. Geared specifically toward the federal government and its affiliate agencies and third parties, FISMA is a very specific set of requirements aimed at establishing and maintaining at least a baseline level of computer and network security. FISMA requires unique categorization and classification of information assets, not to mention a boatload of documentation to prove compliance. But once your organization achieves FISMA compliance, it will likely be compliant with just about every security mandate out there.

Other reports from the Compliance Tech Center:

Related Content

Log Management in 2012 and Beyond
2012 brings interesting changes to the log management world. Now, more than ever, it is critical to understand the impact to your log infrastructure and the solutions that will better prepare you to manage your security posture.

SANS Log Management Survey Report
Organizations are increasingly dependent on log management to support core business functions, including cost management, service level and line-of-business application monitoring, as well as traditional IT- and security-focused activities.

Cut the Time and Effort of Troubleshooting and Reporting
Organizations generate millions of logs a day and struggle with centralized collection, storage and analysis of those logs. ArcSight Logger is a universal log management solution that unifies searching, reporting, alerting and analysis across any type of IT data. It consolidates silos of logs into a single indexed repository for fast detection and mitigation of operational issues.

Get Turnkey and Automated PCI Compliance
PCI compliance monitoring is seamless with the self-contained ArcSight PCI Logger solution for log collection, storage and analysis. No database administration expertise is required and a web-based interface simplifies deployment and ongoing management.

Swiss Bank Meets Compliance Requirements and Protects Customer Data
Due to long-term data retention requirements, Swiss bank EFG needed a cost-effective way to collect, secure and store audit-quality log data in an easily accessible log repository. ArcSight Logger helps EFG meet key requirements of Switzerland?s banking laws fast and cost-effectively.




Featured Webcasts
Featured Whitepapers
Featured Reports