CSC Google Apps Deal Delayed Over ComplianceBy Ericka Chickowski | Print
Cloud deployments can offer benefits, but for organizations that must follow security compliance rules, cloud deployments can be delayed. That's what happened in the City of Los Angeles, creating questions for other cloud deployments.
When CSC first landed the work to transform the City of Los Angeles email system from Novell GroupWise to Google Apps in 2009, it was lauded as a signal of major disruption in the productivity software world. But two years later, only a little more than half of the city's workers are actually using Google Apps due to security compliance hang-ups, a fact that some experts say should give both end customers and partners reason to plan for as many of the the implications of a cloud deployment as they can before moving forward.
The original deal between Falls Church, Va.-based CSC and the municipality stipulated that the firm would help Los Angeles move 30,000 city employees to the SaaS email solution. But last week a consumer advocacy group brought evidence to light that as of recently about 13,000 LAPD employees are still using Novell solutions because CSC hasn't been able to make the new deployment compliant with U.S. Department of Justice Criminal Justice Information Systems (CJIS) policy requirements.
According to CSC, those requirements weren't known prior to the original contract being awarded.
"Subsequent to the award of the original contract, the City identified significant new security requirements for the Police Department," CSC said in a statement. "CSC and Google worked closely with the City to evaluate and eventually implement the additional data security requirements, which are related to criminal justice services information ('CJIS'), and we're still working together on one final security requirement."
According to Scott Crawford, analyst with Enterprise Management Associates, the issues plaguing this deployment likely came in part due to lack of planning on the city's part.
"There are always tradeoffs when considering a hosted approach," Crawford says. "Organizations must weigh the implications of a hosted approach against the advantages, consider the capabilities a service provider offers, and make the decision that is right for their organization. I find myself wondering in LA’s case if they fully considered the implications, given the nature of data they handle."
It's still unclear what the specific security requirements were that caused the delay, with just a few details going public as a result of a letter to CSC from city officials that the group Consumer Watchdog published recently. However, one thing is clear: Los Angeles is asking its partner to not just waive the Google licensing costs but also but also pay for the cost of running its old email systems until the deployment is settled.
According to Crawford, situations like these illustrate why service providers need to enhance visibility through monitoring and improve data security measures to spec with regulators' measuring sticks. But the bottom line is that it is a shared responsibility and the little details are critical in these cloud deals."The devil is in the details with issues such as encryption key management, and organizations that lack the expertise necessary to provide adequate protection for data security measures may be no better off than they were before," he says. "Indeed, they may have a false sense of confidence if they think they are protecting sensitive data better than they really are."