Google’s LA Story: A Folly for Cloud Computing

December 19, 2011 By David
Grazed from Channel Economics.  Author: Larry Walsh.

The Los Angeles cloud adoption of Google Apps was intended to clear the way for more efficient and cost-effective use of technology. Instead, it’s turned into a smog bank and now serves as a lesson for how security and compliance issues could hinder the adoption of services provided by Google, Microsoft and other cloud providers.

Beginning in 2009, Los Angeles intended to improve collaboration and reduce communication costs for its 30,000 municipal employees by replacing its legacy Novell GroupWise email system with Google Apps. Google reseller partner Computer Sciences Corp. (CSC) led the deal, which was heralded as the model for government cloud adoption to come.

Novell didn’t take the lost account lying down and sued. That’s when the real problems came out. The lawsuit had a minimal impact, but it did force all sides to review security and compliance requirements. As it turns out, Google Apps does not comply with the FBI’s security requirements for connecting to the Criminal Justice Information System (CJIS), a clearinghouse of law enforcement data administered by the Department of Justice…

After months of negotiation, the compliance issue is being resolved in favor of the city. The police department will not migrate to Google Apps, and will instead stay on the legacy GroupWise system. Further, the city will not pay more than $250,000 in penalties and returned advances to Google and CSC. Google will base its rates on the original 30,000-seat deployment, even though only 17,000 will actually use Google Apps. And, best of all, Google and CSC will pay for the licensing and ongoing support for GroupWise over the term of the contract.

All in all, Los Angeles is getting a bargain, and Google and CSC are holding the bag.

The circumstances of this particular cloud case are unique. The FBI’s security requirements for connecting to CJIS were changed after the Los Angeles contract was signed. Google and CSC never made any claims Google Apps could comply with CJIS requirements. And the requirements with which Google Apps cannot comply are unknown, but some suspect they could be background checks for the administrators or the 128-bit encryption for data at rest.

The broader implications are clear: The Los Angeles experience shows the hazards of cloud adoption and how compliance – whether regulatory or operational standards – can derail cloud products.

Consider this: An enterprise races to adopt a cloud service to capture cost savings and management efficiencies. It pushes hard for a replacement of its well-known and stable on-premise legacy system. It gets halfway through the deployment only to discover the system doesn’t meet the policy requirements of key business partners, suppliers and/or financing service providers.

That’s essentially what happened in Los Angeles. In the city’s zeal to get to the cloud and Google’s desire to capture a significant account, both sides failed to effectively conduct due diligence to understand the impact of the cloud adoption on the city’s extended ecosystem.

This isn’t about security alone. Operational controls and regulatory compliance issues compel enterprises to impose certain operating requirements on their suppliers, partners and, in some instances, customers. This means the compliance issues cannot be easily templated, and each implementation will require its own due diligence.

And this story isn’t just about Los Angeles or Google. Every vendor and carrier is looking to push cloud on customers. The reason is self-evident: Cloud comes with predictable, recurring revenue and a lower cost-of-service delivery. By getting customers to go to cloud, vendors create a perpetual revenue stream. As such, every vendor and cloud reseller is open to this kind of compliance snafu if they don’t exercise due diligence from the outset.

The good news for solution providers is the opportunity for professional services. As part of cloud engagements, solution providers may impose a due-diligence service to protect themselves from costly chargebacks and amendments. By discovering the compliance issues in advance through a professional service, solution providers may save themselves and their clients many headaches.

The moral of this story is that cloud computing adoption is neither automatic nor fast. Speed to close deals could result in mistakes and overlooked landmines that could prove costly in the end.