In mid-December 2011, the city council of Los Angeles voted to amend their contract with Google Apps due to security and privacy concerns. Rather than transfer its email services to Google’s cloud, the Los Angeles Police Department (LAPD) decided to back out of its contract, instead opting to stay with its on-site Novell platform for its email needs.
As a result of security worries, the city council voted unanimously to amend the agreement that Google and Computer Sciences Corporation (CSC), the systems integrator on the project, have with the city of Los Angeles. Essentially, the amendment means that the LAPD, parts of the city attorney’s office, the Los Angeles Fire Department, Department of General Services and Department of Transportation will be removed from the contract. The contract was set to conclude in November 2012.
The council determined that it would change the terms of this $7.25 million contract with Google so that certain city employees could stay on the older Novell email system. Google will now have to pay up to $350,000/year in order for those employees to continue using the on-site system run by its competitor.
Furthermore, the CSC will have to issue a credit for any payments that may have been made for users who have not been able to migrate to Google. The CSC is also prohibited from seeking reimbursement of a $250,000 advance meant to be used by the city to encourage other government users to adopt Google services.
According to city officials, Google’s system “does not have the technical ability to comply with the city’s security requirements…. [and the requirements are] not currently compatible with cloud computing.”
Maggie Goodrich, the LAPD’s chief information officer, said that, “It will be difficult for law enforcement to move to a Cloud solution until the [security requirements] and Cloud are more in line with each other. There was definitely a time when Google seemed positive they were going to meet the requirements.”
The project seemed to be successful until September 2010, when Google reported that 36 out of 40 city departments had migrated to Google Apps. At that point public-safety workers, particularly the LAPD, were the only ones not yet moved to the new systems. During that time, Los Angeles was one of the first US cities to embrace cloud computing, in order to help decrease IT costs and improve the efficiency of its IT operations.
The project then ran into challenges over Google Apps’ inability to meet security requirements mandated by the Los Angeles Criminal Justice Information Systems (CJIS) regulations. The consumer advocacy group Consumer Watchdog also released a letter regarding a proposed amendment on the issue.
According to Google spokesman Andrew Kovacs, “We’re disappointed that the city introduced requirements for the LAPD after the contract was signed that are, in its own words, ‘currently incompatible with cloud computing.’” Kovacs also mentioned that the 17,000 employees currently using the Google system had already saved Los Angeles taxpayers over two million dollars.
This is a relatively high-profile setback for the company, which had to beat out its major rival Microsoft in 2009. In that close competition, Google won the contract to replace the city’s aging email system for 30,000 employees. At the time, Google promised that its new cloud-based system would be faster and cheaper, and be able to offer better security than computers located in city basements.
In mid-December 2011, the Los Angeles City Council unanimously voted to scale back its contract with Google Apps as a result of privacy and security concerns. The City Council decided to change the terms of its $7.25 million contract with Google so that its public-safety employees (notably the Los Angeles Police Department) could continue using an on-site, rather than cloud-based, email system, hosted by Novell. This amendment increased doubts regarding the security and utility of cloud services for the public sector.
CCSK Exam Preparation
In preparation for the Certificate of Cloud Security Knowledge (CCSK), a security professional should be comfortable with topics related to this post, including:
- Contractual security requirements (Domain 2)
- Enterprise and information risk management (Domain 2)
- Contract enforceability (Domain 3)