The US Federal Government has given Google the FISMA certification needed to allow government agencies to outsource their (non-secret) email and calendar systems to the search giant’s cloud data centers. In order to get the feds’ stamp of approval, Google had to set up dedicated servers located in the continental United States for government data and have a third party perform an assessment of whether Google’s security practices were in alignment with FISMA, the Federal Information Security Management Act, which sets standards for security on government systems. Apparently, the documentation provided by Google to back up their application ran to over 1500 pages.
So, does this mean that since the cloud is secure enough for Uncle Sam, all of us in the private sector can ditch our Exchange servers and move to the cloud? I’m not yet convinced.
- Not everyone in government is convinced about the security of Google’s offering – a planned implementation for the City of Los Angeles is currently delayed due to the LA Police Department’s concerns around email security.
- As private sector users, our data doesn’t get its own servers located in the US and presumably shielded from the great unwashed masses of the Internet and watched very carefully by a dedicated security team.
- Seeing the FISMA evaluation report would help the private sector determine whether the testing performed meets our requirements for security. Google currently offers the report documentation to government organizations considering moving to Google Apps.
I love the idea of being able to outsource non-core functions like email and calendaring – the cost savings are very compelling. But before making that kind of decision, I’d have to see a lot more disclosure from Google on their security practices. I would also want some sort of assurance that my organization’s email would not be used by Google’s mighty data analysis machines for purposes other than providing services to my company. The Googlers are great at mining the data they have for profit… I am not sure that I would want to add my corporate email (or my government’s email) to their ever-expanding database.
I still need a lot of convincing that this is a good idea.