Cloud
News
10/28/2013
11:14 AM
Connect Directly
Twitter
RSS
E-Mail
50%
50%

Los Angeles Gives Cloud Email Another Chance

After an FBI security rule prevented the LAPD from using Google Apps, the city was forced to backpedal from its move to the cloud. Now Los Angeles is trying again.

IBM Smarter Cities Challenge: 10 Towns Raise Tech IQs
IBM Smarter Cities Challenge: 10 Towns Raise Tech IQs
(click image for larger view and for slideshow)
Less than three years after being forced to suspend its ambitious cloud email rollout halfway through the process, the City of Los Angeles has decided to try again.

In 2009 Los Angeles was the first large city to attempt a total migration of its work force from a traditional on-premises email system to a cloud service. The city awarded a contract to Google Apps for 30,000 users, hoping to save millions by retiring an aging on-premises email system (Novell GroupWise).

But the project quickly ran off the rails when the Los Angeles Police department -- which accounted for about half the total seats -- informed the city CTO that Google Apps could not meet the FBI's strict security and privacy requirements for connecting to the bureau's national criminal history database, known as CJIS (Criminal Justice Information System).

The key sticking point for the LAPD was the FBI's rule that employees of outside service providers who may have access to police emails must themselves pass criminal history background checks, including fingerprinting. As it turns out, Google -- like many other large IT service providers -- had hundreds of lower-cost support staff in overseas locations, and apparently couldn't or didn't want to subject them to the FBI's background checks.

[ Could test drives help ease government cloud adoption? Read Datalink Lets Feds Test Drive Cloud. ]

After months of finger pointing in which Google and the city's CTO who had championed the contract attempted to pin the blame on the FBI, Google finally told the city it would not comply with CJIS. Los Angeles was forced to pull the plug on the LAPD portion of its Gmail deployment, but successfully demanded that Google pay the cost of maintaining the older GroupWise email servers at the LAPD for the duration of the Google Apps contract with the rest of the city.

Google's contract with Los Angeles expires in November 2014, and the city has just published a new RFP for a replacement solution. The city has indicated that it would prefer, if possible, a single cloud solution for its entire workforce, including the LAPD, for reasons of cost efficiency. Otherwise, it will be compelled to split the solution as in the previous contract, keeping the LAPD on an on-premises system while the rest of the city stays on the cloud. The city's ideal solution would thus be a CJIS-compliant cloud service that can be rolled out to everyone. Vendor proposals are due shortly and a decision is expected by the end of this year.

The point of the FBI's background check is to protect information in CJIS records from leaks by malicious or careless insiders. In these times of mega-leakers like Bradley Manning (WikiLeaks) and Edward Snowden (Prism), this seems like an eminently sensible precaution. But in 2009, providers of enterprise cloud email like Google and Microsoft weren't familiar with the CJIS requirements and weren't sure how to evolve their business practices to meet them. At the same time, the FBI, which had carefully crafted the CJIS rules over a number of years in close cooperation with state and local police forces, had not yet had to deal with large cloud deployments in these agencies.

Today there has been considerable progress on both issues. On the one hand, the FBI has updated its CJIS policy to make it more cloud-friendly. Interestingly, the bureau has also added language that prohibits cloud providers from "scanning any email or data files for the purpose of building analytics, data mining, or advertising," an apparent reference to the fact that some cloud providers base their enterprise offerings on consumer services originally designed as vehicles for targeted online ads. Although Google Apps turns ad serving off by default for government and education customers, it nevertheless states in its terms of service that customers can retain the option of turning ads back on (since Google specifies that in this case it will not share the resulting ad revenue, it is not clear why it thinks public sector customers would want this option).

On the vendor side, two approaches to CJIS compliance have emerged. First, a number of innovative startups such as CipherCloud and PerspecSys have developed devices that encrypt internal organizational email before it is sent to the cloud, thus making it impossible for cloud provider staff to access the content of the messages. The FBI has acknowledged that encryption is an acceptable method of achieving CJIS compliance. However, while technically ingenious, encryption may limit the functionality of cloud applications and will certainly bring additional costs as well as implementation complexity for the customer.

A second and more direct approach is for the cloud provider to agree to subject its data center staff to the FBI's criminal background check requirements in a process known as adjudication.

The adjudication approach is more costly for the cloud provider but is easier and more transparent for law enforcement agency customers. It is an approach that has thus far been enthusiastically embraced by Microsoft, but not yet by Google. Microsoft has recently signed CJIS compliance and adjudication agreements with the states of Texas and California, thus enabling law enforcement agencies in these states to adopt Office 365. Google has not publicly announced similar plans, and according to Los Angeles' new CTO has even taken the curious stance of recommending that the city adopt Microsoft's Exchange on-premises email system for LAPD while retaining the Google Apps cloud solution for the rest of the city.

However, one may suspect that Google will eventually be compelled to follow Microsoft's initiative on CJIS compliance if it wishes to remain a player in the state and local government market. The ultimate goal for public sector CTOs will inevitably be to roll all of their email systems into a unified cloud solution, thus offering a coherent and cost-effective technology platform as well as the proverbial "single throat to choke" vendor relationship. 2014 will be a crucial year in the U.S. public sector's transition to cloud computing, and developments in Los Angeles and elsewhere will bear watching closely.

Comment  | 
Print  | 
More Insights
Comments
Threaded  |  Newest First  |  Oldest First
AustinIT
50%
50%
AustinIT,
User Rank: Apprentice
10/28/2013 | 5:27:46 PM
re: Los Angeles Gives Cloud Email Another Chance
Any Cloud deployment that values its security and user privacy would be wise NOT to include Google in the vendor choices. Google has proven over and over again where they butter their bread.
WKash
50%
50%
WKash,
User Rank: Author
10/28/2013 | 8:59:39 PM
re: Los Angeles Gives Cloud Email Another Chance
I agree with Jeff on this that LA's solution here will be closely watched. For many government agencies that have already moved to Google Apps, like GSA and NOAA, the experience has represented significant savings and improvements in collaboration. But it's also made Microsoft more competitive in the government space. That competition is a healthy development.
RIMMAN
50%
50%
RIMMAN,
User Rank: Apprentice
10/29/2013 | 4:01:40 PM
re: Los Angeles Gives Cloud Email Another Chance
"...have developed devices that encrypt internal
organizational email before it is sent to the cloud, thus making it
impossible for cloud provider staff to access the content of the
messages..."

One problem here is the vendor has the encryption key, not the client and that could pose a problem in future negotiations if not addressed in contractual T&C. Also, if it is encrypted prior to 'going to the cloud', it would have to be decrypted prior to use, so how would you be able to search across a repository of encrypted content to locate something?

"..A second and more direct approach is for the cloud provider to agree to subject its data center staff to the FBI's criminal background check requirements in a process known as adjudication..."

This fails to comprehend the manner in which 'cloud based services' are structured and offer services at a competitive (?) price. For a 'cloud' to work properly, the operator has to have the ability to remain 'agile'- to farm out less frequently accessed blocks of content to third parties and use their 'active storage' that they manage themselves for the most robust content. And in many cases, these third party providers are overseas, or subcontract to OTHERS who are overseas. Even in cases where the content remains "onshore", the whole concept of adjudicated staff goes out the window.

Micro$oft, G00gle or whomever can offer services to meet ANY CLIENT'S needs (or wants/desires) for a structure to manage their content.. as long as the client is willing to pay the cost of establishing and maintaining that relationship. But again, once the agility factor is lost, the ability to offer cost competitive services becomes problematic.

It's kind of like the sign in my barber's shop- "You can have any combination of TWO of the following choices: Good, Fast or Cheap... but choose wisely."
Gerry Grealish
50%
50%
Gerry Grealish,
User Rank: Apprentice
10/29/2013 | 6:26:51 PM
re: Los Angeles Gives Cloud Email Another Chance
An important update G㢠most forms of data encryption will limit functionality of cloud applications (in this article, with Google email). PerspecsysGăÍ approach to deploying encryption DOES NOT LIMIT functionality of cloud applications. More info on ways to deploy encryption and tokenization that will not affect cloud functionality: http://bit.ly/1irICdW
cbabcock
50%
50%
cbabcock,
User Rank: Strategist
10/30/2013 | 10:28:20 PM
re: Los Angeles Gives Cloud Email Another Chance
"...according to Los Angeles' new CTO, Google has even taken
the curious stance of recommending that the city adopt Microsoft's
Exchange on-premises email system for LAPD, while retaining the Google
Apps cloud solution for the rest of the city." That statement is a curious summary of the whole story. If you're serious about a marketplace, you meet the demands of the marketplace or fold your tent and go home.
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Ninja
10/31/2013 | 3:55:06 AM
re: Los Angeles Gives Cloud Email Another Chance
Compliance issues like this really present a great opportunity for smaller cloud/XaaS solutions to step up to the plate to gain municipal and other government contracts -- touting their ability to comply w/ CJIS and other government regulations because of their size and locality. Great marketing promise here.
CJIS
100%
0%
CJIS,
User Rank: Apprentice
5/12/2014 | 11:16:25 PM
CJIS Solutions
Or you could just do the easy thing and host with CJIS Solutions who is currently the only CJIS compliant hosting provider.
2014 Next-Gen WAN Survey
2014 Next-Gen WAN Survey
While 68% say demand for WAN bandwidth will increase, just 15% are in the process of bringing new services or more capacity online now. For 26%, cost is the problem. Enter vendors from Aryaka to Cisco to Pertino, all looking to use cloud to transform how IT delivers wide-area connectivity.
Register for InformationWeek Newsletters
White Papers
Current Issue
InformationWeek Tech Digest, Dec. 9, 2014
Apps will make or break the tablet as a work device, but don't shortchange critical factors related to hardware, security, peripherals, and integration.
Video
Slideshows
Twitter Feed
InformationWeek Radio
Archived InformationWeek Radio
Join us for a roundup of the top stories on InformationWeek.com for the week of December 7, 2014. Be here for the show and for the incredible Friday Afternoon Conversation that runs beside the program!
Sponsored Live Streaming Video
Everything You've Been Told About Mobility Is Wrong
Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.