Compliance Holds Up Los Angeles Google Apps Deployment

According to news leaked last week by a consumer advocacy group, a 2-year-old Google Apps implementation at the City of Los Angeles has been hung up for some time due to security compliance issues -- to the point where the municipality is asking for its channel partner, CSC, to not only waive Google licensing costs, but also to pay for the cost of running its old email systems during the lengthy transition.

While these kind of events might spook compliance-conscience organizations from implementing Google Apps in the future, Google proponents and security experts believe the company is making great strides to make Google Apps work in regulated environments.

"The way that the Google Apps administration console was when the product was created was not as sophisticated as many enterprises needed, but that has changed in the last six to nine months," says David Hoff, vice president of Cloud Sherpas, a Google Apps partner that has helped numerous regulated customers navigate compliance issues during deployments.

In the case of City of Los Angeles, the municipality originally entered an agreement with CSC in 2009 to provide email services through Google Apps to 30,000 city employees, moving from a Novell GroupWise implementation. While 17,000 employees have been transitioned to the SaaS email solution, 13,000 LAPD employees have not because CSC has not been able to comply with U.S. Department of Justice Criminal Justice Information Systems (CJIS) policy requirements. No details of what specific security requirements have remained the sticking points in the implementation surfaced in a letter to CSC from city officials published by advocacy group Consumer Watchdog, or by CSC, which released a statement in response to the publication of the letter.

"Subsequent to the award of the original contract, the City identified significant new security requirements for the Police Department," CSC said in an e-mailed statement. "CSC and Google worked closely with the City to evaluate and eventually implement the additional data security requirements, which are related to criminal justice services information ('CJIS'), and we're still working together on one final security requirement."

According to Hoff, some of the most common security compliance requirements Cloud Sherpas has helped customers deal with in Google Apps implementations include data retention for e-discovery, monitoring, and audit trail capabilities and multifactor authentication. "Those are things that are starting to get rolled into the product," he says.

Even those security features required for compliance that are not immediately available natively are often possible to build out through Google's developer platforms and APIs, he says.

"Google started to recognize very early on that it's one thing to interact with data directly through the browser, but it's another situation to interact with that data through integration via an API, and so they built this developer console, which is the tool that you use to go from a very tight bubble around all of your data," he says. "A lot of times there may be one or two things in somebody's current security requirements that isn't completely obvious how to implement, but we have enough tools in our bag to accommodate them."

At the moment, there are no SIEM plug-ins to Google Apps, Hoff says, but that might just be a matter of vendors waiting for a critical mass of deployments to strike out with a solution.

"I think we're close, but it is definitely not on the three- to six-month road map," he says.

As organizations consider Google Apps implementations, Mike Rothman, an analyst with Securosis, says that compliance might not outright preclude them from utilizing the SaaS service, but that it is important to do homework before committing to something that may not work with auditors.

"Not having control or infrastructure visibility is challenging for an auditor, which will definitely complicate things from a compliance standpoint," Rothman says. "Any time an organization is looking to cede control over a critical part of the technology infrastructure, it's always a good idea to include the auditors in the decision process. Most auditors aren't going to give a firm thumbs up or down until they are on the clock, but you'd at least be able to have a good conversation about the issues they see. If getting a service is a total nonstarter from an auditor's perspective, it's probably a good thing to know before you commit to the service."

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.