Google For Government Signals Long Cloud March Ahead
Google's announcement Monday that it was formally releasing a version of its application suite for government doesn't just represent a Google sales push, but in some ways also indicates that although the federal government is stepping up its cloud computing push, much work remains.
Google's announcement Monday that it was formally releasing a version of its application suite for government doesn't just represent a Google sales push, but in some ways also indicates that although the federal government is stepping up its cloud computing push, much work remains.That's because Google's announcement didn't just include the formal release of new versions of its Google Apps services designed with the federal government in mind, but also the news that Google's offerings had passed the gates and traps inherent in the complicated certification and accreditation process required to meet federal cybersecurity guidelines under the Federal Information Security Management Act.
Behind the scenes, Google spent nearly a year running its services through what Google Federal business development executive David Mihalchik calls a "top-to-bottom review" of security, ultimately examining nearly 200 security controls and producing a document that totaled 1,500 pages.
"We followed the very same process that all government IT systems follow to be certified under FISMA," Mihalchik, who led the certification process for Google, said in an interview. Google based its certification work on NIST Special Publication 800-53 Revision 3 (aka "Recommended Security Controls for Federal Information Systems and Organizations"), which is the latest NIST guidance on FISMA-compliant IT security controls.
It's probably true that the length of time and number of dead trees spent on this certification is a bit higher than will be the case going forward for cloud computing services, if only because Google did the grunt work -- it's the first time the General Services Administration, which is leading the federal cloud computing program, has completed a certification for a cloud computing service. Other agencies and companies might be able to leverage some of the work that's now been done by Google (and, to be fair, is also likely nearly complete from Microsoft in its own bid at cloud certification and accreditation).
"This discussion around cloud computing has until now been a proxy for understanding security," he said. "I think that will fall away, and the government will now either say, it's either FISMA-certified, or it's not FISMA-certified."
It's also probably true, as Mihalchik suggests, that this certification could clear up some lingering misgivings about security in the cloud. Google's already sharing its documentation with other agencies.
"The government agencies that have reviewed our C&A package have universally said that the way we secure Google Apps is as secure or in some places more secure than the things the government does today to secure its email and collaboration services," he said. "What we think is most significant about that is that it allows agencies to do an apples-to-apples comparison of their environment and Google Apps."
However, Google and Microsoft are huge companies, and for them, a year spent on security certification is a drop in the bucket compared with the lucrative $76 or so billion federal IT market looming on the other side. For other companies, particularly many cloud start-ups with real innovation to offer and little capital to work with, however, this type of back-breaking work might end up being a deal-breaker. Cloud computing is supposed to lower the cost of doing business, not increase it.
To vendors, it's likely an exciting thing that with a new process called FedRAMP, the government aims to make this certification a one-time thing rather than something that needs to be repeated at each agency that wants to deploy the technology. However, although Google Apps' certification was supposed to be the first one to go through the new FedRAMP process, that doesn't seem now to be the case, which indicates that FedRAMP may not be as far along as some have said.
Instead, Google will have to settle for eventually having its documentation made part of FedRAMP. "GSA's efforts are in some ways a precursor to the FedRAMP program, and GSA has stated that once FedRAMP is up and running, the certification will be transferred to be managed by FedRAMP," Mihalchik said. The timeline for that, however, is unclear, just as is the time for a formal launch to FedRAMP.
Long story short: they're getting closer, but the clouds are not yet directly overhead for the feds.
How Enterprises Are Attacking the IT Security EnterpriseTo learn more about what organizations are doing to tackle attacks and threats we surveyed a group of 300 IT and infosec professionals to find out what their biggest IT security challenges are and what they're doing to defend against today's threats. Download the report to see what they're saying.
IT Strategies to Conquer the CloudChances are your organization is adopting cloud computing in one way or another -- or in multiple ways. Understanding the skills you need and how cloud affects IT operations and networking will help you adapt.