Technology September 17, 2009, 4:23PM EST

Google Pursues Government Biz: Security Concerns Loom

In seeking contracts from Uncle Sam, Google will need to assuage fears that that cloud computing just isn't safe enough, says ComputerWorld

Story Tools

by Jaikumar Vijayan

When Google Inc. launches its cloud computing services for federal government agencies next year, one of its biggest challenges will be to overcome concerns related to data privacy and security in cloud environments.

Google earlier this week said that it was planning on offering cloud services such as Google Apps to federal agencies starting in 2010. Google said it is speaking with several federal agencies about its offerings, which the company has assured will be fully compliant with the requirements of the Federal Information Security Management Act. A FISMA certification is required for a service provider, such as Google, to sell to federal agencies.

Google announced its plans to deliver a government cloud at a cloud computing event in California. At the event, a company executive noted that the government services would be hosted on Google's data centers, but on systems that are compliant with government regulations. The government cloud service will also be operated by individuals with the appropriate security clearances, and all data that is part of a government cloud service would remain in the U.S, the executive said.

How far such assurances will go in assuaging concerns related to cloud computing service, especially in a government setting, remains unclear.

Karen Evans, former de facto federal CIO under the Bush administration, said that using cloud services such as Google's could help federal agencies significantly reduce IT costs. But for many "the biggest concern is going to be the security and information assurance associated with a cloud service."

A lot will depend on the kind of FISMA certification and accreditation that Google's cloud services receive, she said. Under FISMA, federal systems are classified into three risk categories: low, medium and high. Each level has its own requirements, Evans said, adding that she hoped that Google will be certified and accredited at the highest risk levels. Then it's just a matter of agencies working out a service level agreement that spells out their security requirements. She added that agencies interested in using cloud services will probably be best served moving their external, Web facing applications first before considering more sensitive applications.

Meanwhile, Unisys Corp., a major provider of IT services to the government, Wednesday released the results of an online survey that looked at the issues affecting adoption of cloud computing.

Of the 312 respondents, about 51% cited security and data privacy concerns as the biggest impediment to adopting cloud services. The next highest barrier was integration of cloud-based applications with existing systems. Concerns about the ability to bring applications back in-house ranked third.