[#Cloud #クラウド] ロスアンゼレス市の警察で全面採用されたGoogle Apps、セキュリティの懸念が俄かに上昇:先行きに不安が残る動き

LA市のCity Councilがセキュリティの懸念をさまざまな形で質問する中、どうもその説明が納得できる内容になっていない、というのが問題点として指摘されている。 


LA City Cloud Computing Update

By Rick Gordon

Since the July 24th entry, Cloud Concerns Over Los Angeles, I have continued to monitor closely LA City’s decision to migrate to a cloud computing environment.  As myriad organizations (e.g., Cloud Security Alliance, NIST, etc.) race to understand cloud computing risks, I continue to be baffled by LA City’s “Damn the torpedoes!” approach.

Throughout LA’s decision making process, various stakeholders have raised concerns about cloud security and privacy risks.  As the City Council sought to address these concerns, I had hoped to see LA transparently address how its cloud service providers would secure LA citizens’ sensitive information.

So far, it’s been a major disappointment.

To its credit, the City held an August 11th hearing to answer a number of pressing security questions.  In this regard, the City’s Information Technology Agency (ITA) General Manager, Randi Levin, thankfully offered “to clear up a few misconceptions.”  Unfortunately, Ms. Levin’s bumper-stickeresque testimony did little more than assert without any evidence that:

1)      Google’s security is better than LA’s; and

2)      Cloud computing is safe.

Unbelievably, Ms. Levin failed to disclose to the City Council any of the proven security vulnerabilities associated with cloud-based architectures (https://www.isecpartners.com/files/Cloud.BlackHat2009-iSEC.pdf).

On October 7th, the City’s Administrative Officer, Miguel Santana, released a final memo (http://clkrep.lacity.org/onlinedocs/2009/09-1714_rpt_cao_10-7-09.pdf) to highlight the changes that had occurred since the August 11th hearing.  Mr. Santana offered, “Google has announced a new proposal for protecting sensitive government data that is consistent with the approach preferred by the Police Department …”   The announcement that Santana is referring to is Google’s “Gov Cloud.”

To be clear, “Gov Cloud” represents an untested service that Google hopes will satisfy the immediate compliance needs of Federal government customers (the security controls remain unspecified).  Most importantly, it is not even scheduled to be operational until sometime next year.

At an October 19th hearing, Dave Girouard, President of Google Enterprise, further elaborated that Google intends for all government employees across the United States to “run inside what has been referred to as the government cloud”.  Unfortunately, Google’s vision only exacerbates current concerns that LA would not be able to effectively protect its citizens’ information from disclosure to other U.S. jurisdictions.

Of course, I realize that Ms. Levin, et. al., are still “selling” to the LA City Council.  But, at some point during this process at least one of them should have been able to offer a modicum of security insight to enable the City Council to make a fully-educated decision.

The fact is that the cloud is fraught with a number of uncertainties distinct to cloud architectures.  These uncertainties are different than with traditional computing models – scale, homogeneity, and opacity introduce new risks that information technologists are just now sorting out.

So, it’s not surprising that LA City stakeholders don’t fully understand these risks.  However, with so many unanswered questions, one has to ask – why on earth is LA still moving forward?


Posted via email from Ippei’s @CloudNewsCenter info database


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s

%d bloggers like this: