Cloud Concerns in Los Angeles?

Posted on July 23, 2009 by

It looks like the City of Los Angeles wants to capitalize on the advantages of cloud computing (see story here). Then again, who wouldn’t?

It was in response to this initiative that I received an e-mail from Mr. Rick Gordon, Managing Director at the Civitas Group, a professional services consulting firm serving the federal, state and local government sector.

Mr. Gordon’s comments were in reference to a recent post entitled “Why wouldn’t you adopt cloud computing”, and while I stand by my comments, Mr. Gordon brought up a number of issues with which I agree, namely issues surrounding data security, privacy, and vendor lock-in.

With his permission, I am reproducing his comments below, and in my next installment I will respond to those concerns.

Dear Mr. DePena,

I have been reading a few of your articles related to cloud computing – particularly the one titled, “Why wouldn’t you adopt cloud computing”.

You might be interested in knowing that the City of Los Angeles is electing to migrate its email and office applications into the Google cloud.  My firm has been examining the security of cloud computing for some time, and we find this move interesting, if not disconcerting.

Given the immaturity of security and data control policies as they apply to cloud systems, we have a lot of concerns about the wisdom of the manner in which LA has proposed to do this migration.  The City released a staff report on Monday, and I had hoped to see a well-articulated plan related to data control, security audit standards, and data lock-in.  What I found was hand waving at its worst.

On the data control issue, it is absolutely critical to ensure that the personal information of LA residents and other sensitive data is protected.  To do this, LA said that it would use enhanced encryption methods, but did not articulate any approach to how the City would address data custodian requirements associated with healthcare, credit card and personally identifiable information.  Encryption alone is not sufficient.

At the very least, before LA moves forward, it should articulate how its service provider will provide transparency into the location of its citizens’ data and the mechanics to protect that data beyond encryption.  Troubling still is that Google is the cloud service provider – a company known for its opacity.

Around security audit standards, the City essentially said they would figure it out over the next six months, but the standards would be at least as good as the status quo.

I find that troubling from two perspectives: lack of a reliable audit standard and effective data lock-in with Google.  While the City will audit the service provider, neither has articulated a reliable standard to which the provider will be audited.  More troubling is that LA will rely on the contract winner to help define a security standard – an incestuous practice.  Rather than having the provider define the security itself, the City should be looking to established third-party standards that hold the provider accountable to a reasonable level of security.  There are a number of standards out there to look to, including ISO 27000 and NIST SP 800-53.

Worse yet, the City even states that if the performance of the cloud solution is inadequate, reverting to an alternative is likely to be cost prohibitive – highlighting the lock-in problem that most of us worry about with cloud-based systems.

While I think the promise of the cloud is exciting from both economic and security perspectives, this instance is very instructive.  So far, cloud architectures are new and unproven.  Cloud solution providers have not adequately addressed the implications of cloud systems to data security and privacy.  With this in mind, IT system owners need to be thoughtful about data security and control before being lured into the cloud.

My hope is that the City of Los Angeles’ decision is not a watershed event for other municipalities.  Given the current economy, the cost savings can be alluring.  But, that does not relieve data custodians of their contractual obligations to effectively control and protect the data of their constituents.

While I agree with many of the points brought up by Mr. Gordon, this moment is not unlike many other technological inflection points of the past.  The future will not wait, so it is incumbent upon business technology professionals to address these legitimate concerns while leading the way with the vision of cloud computing.  Innovation, and the future, wait for no one.  So hop on board and let’s see how we can figure this out together.

-Tune The Future-
