Channel Insider content and product recommendations are editorially independent. We may make money when you click on links to our partners. Learn More.

When CSC first landed the work to transform the City of Los
Angeles email system from Novell GroupWise to Google Apps in 2009, it was
lauded as a signal of major disruption in the productivity software world. But
two years later, only a little more than half of the city’s workers are
actually using Google Apps due to security compliance hang-ups, a fact that
some experts say should give both end customers and partners reason to plan for
as many of the the implications of a cloud deployment as they can before moving
forward.

The original deal between Falls Church, Va.-based CSC and
the municipality stipulated that the firm would help Los Angeles move 30,000
city employees to the SaaS email solution. But last week a consumer advocacy
group brought evidence to light that as of recently about 13,000 LAPD employees
are still using Novell solutions because CSC hasn’t been able to make the new
deployment compliant with U.S. Department of Justice Criminal Justice
Information Systems (CJIS) policy requirements.

According to CSC, those requirements weren’t known prior to
the original contract being awarded.

"Subsequent to the award of the original contract, the City
identified significant new security requirements for the Police
Department," CSC said in a statement. "CSC and Google worked closely
with the City to evaluate and eventually implement the additional data security
requirements, which are related to criminal justice services information
(‘CJIS’), and we’re still working together on one final security
requirement."

According to Scott Crawford, analyst with Enterprise
Management Associates, the issues plaguing this deployment likely came in part
due to lack of planning on the city’s part.

"There
are always tradeoffs when considering a hosted approach," Crawford says.
"Organizations must weigh the implications of a hosted approach against
the advantages, consider the capabilities a service provider offers, and make
the decision that is right for their organization.  I find myself
wondering in LA’s case if they fully considered the implications, given the
nature of data they handle."

It’s
still unclear what the specific security requirements were that caused the
delay, with just a few details going public as a result of a letter to CSC from
city officials that the group Consumer Watchdog published recently. However,
one thing is clear: Los Angeles is asking its partner to not just waive the
Google licensing costs but also but also pay for the cost of running its
old email systems until the deployment is settled.

 According to
Crawford, situations like these illustrate why service providers need to
enhance visibility through monitoring and improve data security measures to
spec with regulators’ measuring sticks. But the bottom line is that it is a
shared responsibility and the little details are critical in these cloud deals.

"The devil is in the details with issues
such as encryption key management, and organizations that lack the expertise
necessary to provide adequate protection for data security measures may be no
better off than they were before," he says. "Indeed, they may have a
false sense of confidence if they think they are protecting sensitive data better
than they really are."