Risk
8/7/2009
04:31 PM
Connect Directly
LinkedIn
Twitter
Google+
RSS
E-Mail
50%
50%

'Going Google' Worries Los Angeles Police

The LAPD isn't convinced that Google Apps is secure enough for its data. But Google says that its competitors are eager to see the deal delayed or derailed.

Echoing the concerns raised by the World Privacy Forum about the City of Los Angeles' proposed plan to start using Google Apps for messaging and collaboration, a group representing the city's police officers wants to make sure sufficient safeguards are in place to protect confidential information before the multi-million dollar contract gets approved.

The LAPD Protective League said on Thursday that it is very concerned about having its records stored on computers outside the city.

"Our concerns are well-founded and understandable, given that government and corporate computer network breaches have become more prevalent over the past several years," said Sgt. Paul M. Weber, president of the League, in a blog post. "Just recently, Twitter acknowledged that hackers were able to access confidential information stored with Google."

Google's systems were not hacked in that incident, however. The hacker obtained the password of a Twitter employee by abusing the password recovery process at a different online service. Because the Twitter employee used that same password for Google Apps, the hacker was able to use that password to log into the Twitter employee's Google Apps account.

If the employee had used different passwords for different services, or if Twitter had used two-factor authentication, as it now does, the hacker would not have gained access to Google Apps.

The $7.25 million contract under consideration in Los Angeles is expected to cost $8.31 million over five years and to save the city $6.25 million over the same period in license fees. Such fees presently go to Microsoft and Novell, the city's current providers of productivity software and e-mail.

Those figures assume that 30,000 workers will transition to Google Apps. If the LAPD opts out, only about 17,000 city employees would transition to Google Apps.

Google has been pushing hard to encourage businesses to switch to Google Apps. The company on Monday launched a billboard ad campaign to trumpet the benefits of "going Google."

Matt Glotzbach, director of product management for Google's enterprise group, says that any government agency or company moving to new systems should be careful and address security concerns. However, he notes that city officials believe Google Apps will be an improvement over existing computer security.

Indeed, Los Angeles' Information Technology Agency has said that the level of security for the city's data will be higher under the proposed contract than it is at present.

"There's a lot of misinformation out there and our competitors who did not get selected may have had a part in spreading this misinformation," Glotzbach said.

Glotzbach acknowledged the LAPD's legitimate security concerns but said the department's sensitive data is expected to remain in the many Microsoft Access databases that the department will continue to maintain. He said that the city's information policies won't change just because Google is providing e-mail and online applications.

"One of the big pieces of misinformation is that the LAPD is going to take all of their data and put in into Google and that's just not the case," he said.

Some 15 bids were submitted to Los Angeles to replace its e-mail system. Those not selected appear to be unhappy at the prospect of losing millions of dollars in business to Google. In a July 20 letter, Novell client executive Brian Hervey said that his company wants to continue providing e-mail service to the city and offered a 10% discount on the annual maintenance fee.

Glotzbach said that by moving to Google Apps, Los Angeles stands to save an estimated $13.8 million over five years and to free up six IT employees who'd otherwise be tending e-mail servers.

InformationWeek has published an in-depth report on leading-edge government IT -- and how the technology involved may end up inside your business. Download the report here (registration required).

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2015-0714
Published: 2015-05-02
Multiple cross-site scripting (XSS) vulnerabilities in Cisco Finesse Server 10.0(1), 10.5(1), 10.6(1), and 11.0(1) allow remote attackers to inject arbitrary web script or HTML via unspecified parameters, aka Bug ID CSCut53595.

CVE-2014-3598
Published: 2015-05-01
The Jpeg2KImagePlugin plugin in Pillow before 2.5.3 allows remote attackers to cause a denial of service via a crafted image.

CVE-2014-8361
Published: 2015-05-01
The miniigd SOAP service in Realtek SDK allows remote attackers to execute arbitrary code via a crafted NewInternalClient request.

CVE-2015-0237
Published: 2015-05-01
Red Hat Enterprise Virtualization (RHEV) Manager before 3.5.1 ignores the permission to deny snapshot creation during live storage migration between domains, which allows remote authenticated users to cause a denial of service (prevent host start) by creating a long snapshot chain.

CVE-2015-0257
Published: 2015-05-01
Red Hat Enterprise Virtualization (RHEV) Manager before 3.5.1 uses weak permissions on the directories shared by the ovirt-engine-dwhd service and a plugin during service startup, which allows local users to obtain sensitive information by reading files in the directory.

Dark Reading Radio
Archived Dark Reading Radio
Join security and risk expert John Pironti and Dark Reading Editor-in-Chief Tim Wilson for a live online discussion of the sea-changing shift in security strategy and the many ways it is affecting IT and business.