Will security concerns darken Google's government cloud?
Google earlier this week said that it was planning on offering cloud services such as Google Apps to federal agencies starting in 2010. Google said it is speaking with several federal agencies about its offerings, which the company has assured will be fully compliant with the requirements of the Federal Information Security Management Act. A FISMA certification is required for a service provider, such as Google, to sell to federal agencies.
Google announced its plans to deliver a government cloud at a cloud computing event in California. At the event, a company executive noted that the government services would be hosted on Google's data centers, but on systems that are compliant with government regulations. The government cloud service will also be operated by individuals with the appropriate security clearances, and all data that is part of a government cloud service would remain in the U.S, the executive said.
How far such assurances will go in assuaging concerns related to cloud computing service, especially in a government setting, remains unclear.
Karen Evans, former de facto federal CIO under the Bush administration, said that using cloud services such as Google's could help federal agencies significantly reduce IT costs. But for many "the biggest concern is going to be the security and information assurance associated with a cloud service."
A lot will depend on the kind of FISMA certification and accreditation that Google's cloud services receive, she said. Under FISMA, federal systems are classified into three risk categories: low, medium and high. Each level has its own requirements, Evans said, adding that she hoped that Google will be certified and accredited at the highest risk levels. Then it's just a matter of agencies working out a service level agreement that spells out their security requirements. She added that agencies interested in using cloud services will probably be best served moving their external, Web facing applications first before considering more sensitive applications.
Meanwhile, Unisys Corp., a major provider of IT services to the government, Wednesday released the results of an online survey that looked at the issues affecting adoption of cloud computing.
Of the 312 respondents, about 51% cited security and data privacy concerns as the biggest impediment to adopting cloud services. The next highest barrier was integration of cloud-based applications with existing systems. Concerns about the ability to bring applications back in-house ranked third.
The results are consistent with previous Unisys surveys on the same topic and with what the company has been hearing from clients, said Sam Gross, vice president, global IT outsourcing at the company. "For us [the results] are not surprising," Gross said. "We have been surveying our customer base and doing quick polls for a long time. The numbers are always different, but never the ranking," Gross said. "Security continues to be the number one concern for cloud computing."
Many of the concerns are related to issues such as inadvertent access to enterprise resources in a shared cloud infrastructure and accidental release of protected data. Another big concern has to do with the level of access that a cloud provider might have to an enterprise's systems and data, Gross said.
"They want to know how a cloud provider can assure that an administrator within a shared cloud infrastructure cannot gain access to or view their data," Gross said.
In a report issued earlier this year the World Privacy Forum raised other privacy issues that can arise when a government agency outsources to a cloud provider. For example, a federal agency that uses a cloud service to host personal data could violate certain provisions of Privacy Act of 1974, especially if it doesn't have provisions for protecting the data in its contract with the cloud provider. In addition, federal records management and disposal laws may limit the ability of agencies to store official records in the cloud. The location of a cloud provider's operations may also have a significant bearing on the privacy laws that apply to the data it hosts, the report noted.
Such security concerns bubbled to the surface recently, when several groups protested a $7.25 million plan by the city of Los Angeles to replace its Novell GroupWise e-mail and Microsoft Office applications with Google Apps. Though city IT officials reiterated their plans to go ahead with the project, and Google itself has vigorously defended its security controls, the incident highlighted the continuing concerns with cloud computing.