How Secure is G-mail?

As the General Services Administration (GSA) migrates to a Google cloud services agencies are aware that a comprehensive security strategy is essential for the adoption of cloud-based computing. GSA is in the forefront of the government’s “cloud first” strategy, which is designed to lower IT costs through the adoption of cloud-based applications. Following the identical path are: the National Oceanic and Atmospheric Administration, Air Force Weather Agency, US Forest Service and Food and Drug Administration.

The new policy requires federal agencies to identify three "must-move" IT services that can be migrated into cloud computing applications and to complete the migration in 2012.
Here are some of the Google user security features as defined for GSA:

1. Unified directory service plus single sign-on software that covers all applications;
2. Two-factor authentication that meets regulatory mandates for information security. Passwords plus smart cards are used for authentication.
3. Qualifies for Federal Information Security Management Act (FISMA) certification for a multi-tenant cloud application.
4. Standard web single sign-on using SAML 2.0 is in place.

A key issue of trusting Google services involves the question of data ownership:
1. Google does not own user data. The data, which users put into a Google data center remains exclusively with the user. Data cannot be shared with others except as noted in the Privacy Policy statement (http://www.google.com/policies/privacy/).
2. Data retained by Google as long as specified.
3. Data can be used to work with external services or can be removed altogether.
4. Data is stored in Google's network of geographically distributed data centers that form redundant clusters. There is no single point of failure.
5. Access to data centers is limited to only a few security-certified Google personnel.
6. Google Apps received an unqualified SAS70 Type II certification, with the following controls in place:
• Logical security: Logical access to Google Apps production systems and data is restricted to authorized individuals
• Privacy: Policies are in place that Google has implemented procedures addressing the privacy of customer data.
• Data center physical security: Data centers that house Google Apps data are protected
• Incident management and availability: Incidents are properly reported, responded to, and recorded
• Change management: Testing and independent code review takes place prior to release into production

SUMMARY
The security of Google G-mail public cloud must be compared with the security of a private cloud based on a proprietary solution, such a Microsoft e-mail hosted at a DoD site, such as DISA’s DECs. Differences are found in costs (much higher costs for private clouds) and in execution (quality of personnel in the public cloud is greater).

The security requirements that were set for proceeding with the private cloud for the Army eliminated G-mail as an option altogether. Features were added that were satisfied only by modifications and custom features delivered by Microsoft at no cost. No efforts were made to negotiate modifications of services with other vendors.

No vendor choices other than Microsoft were used in the evaluation of prospective suppliers, including already established vendors such as Amazon, CISCO and HP.  It remains to be seen whether the DISA choice of proceeding with a Microsoft-based private cloud will justify the elimination of G-mail or any other cloud vendor.