8/7/2009
04:31 PM

'Going Google' Worries Los Angeles Police

The LAPD isn't convinced that Google Apps is secure enough for its data. But Google says that its competitors are eager to see the deal delayed or derailed.

Echoing the concerns raised by the World Privacy Forum about the City of Los Angeles' proposed plan to start using Google Apps for messaging and collaboration, a group representing the city's police officers wants to make sure sufficient safeguards are in place to protect confidential information before the multimillion-dollar contract gets approved.

The LAPD Protective League said on Thursday that it is very concerned about having its records stored on computers outside the city.

"Our concerns are well-founded and understandable, given that government and corporate computer network breaches have become more prevalent over the past several years," said Sgt. Paul M. Weber, president of the League, in a blog post. "Just recently, Twitter acknowledged that hackers were able to access confidential information stored with Google."

Google's systems were not hacked in that incident, however. The hacker obtained the password of a Twitter employee by abusing the password recovery process at a different online service. Because the Twitter employee used that same password for Google Apps, the hacker was able to use that password to log into the Twitter employee's Google Apps account.

If the employee had used different passwords for different services, or if Twitter had used two-factor authentication, as it now does, the hacker would not have gained access to Google Apps.

The $7.25 million contract under consideration in Los Angeles is expected to cost $8.31 million over five years and to save the city $6.25 million over the same period in license fees. Such fees presently go to Microsoft and Novell, the city's current providers of productivity software and e-mail.

Those figures assume that 30,000 workers will transition to Google Apps. If the LAPD opts out, only about 17,000 city employees would transition to Google Apps.

Google has been pushing hard to encourage businesses to switch to Google Apps. The company on Monday launched a billboard ad campaign to trumpet the benefits of "going Google."

Matt Glotzbach, director of product management for Google's enterprise group, says that any government agency or company moving to new systems should be careful and address security concerns. However, he notes that city officials believe Google Apps will be an improvement over existing computer security.

Indeed, Los Angeles' Information Technology Agency has said that the level of security for the city's data will be higher under the proposed contract than it is at present.

"There's a lot of misinformation out there and our competitors who did not get selected may have had a part in spreading this misinformation," Glotzbach said.

Glotzbach acknowledged the LAPD's legitimate security concerns but said the department's sensitive data is expected to remain in the many Microsoft Access databases that the department will continue to maintain. He said that the city's information policies won't change just because Google is providing e-mail and online applications.

"One of the big pieces of misinformation is that the LAPD is going to take all of their data and put it into Google and that's just not the case," he said.

Some 15 bids were submitted to Los Angeles to replace its e-mail system. Those not selected appear to be unhappy at the prospect of losing millions of dollars in business to Google. In a July 20 letter, Novell client executive Brian Hervey said that his company wants to continue providing e-mail service to the city and offered a 10% discount on the annual maintenance fee.

Glotzbach said that by moving to Google Apps, Los Angeles stands to save an estimated $13.8 million over five years and to free up six IT employees who'd otherwise be tending e-mail servers.

