Governments wondering if Google Apps would meet their security requirements need look no further than the City of Los Angeles. Last December, the city pulled its police department out of a planned move to Google Apps for Government after concluding that it did not meet the FBI’s Criminal Justice Information Systems (CJIS) requirements. The result is that the City of Los Angeles now uses two incompatible email environments: 17,000 city employees have moved to Gmail, while the 13,000-member police department continues to use Novell Groupwise.
With Microsoft, governments concerned about security and compliance have a better option. They can put some of their data in the cloud with Exchange Online, while keeping other workloads on-premise using Exchange Server. The advantage is that both versions of Exchange are seamlessly connected. This means that all employees, whether their data is stored in the cloud or on-premise, can access each other’s calendars to set up meetings. In addition, IT administrators can conduct searches and centrally manage mailboxes whether employee email is in the cloud or on-premise. It all adds up to higher productivity.
And with Microsoft’s commitment to meet the CJIS standard for Office 365, governments that eventually want to move all of their productivity software to the cloud will have the opportunity to do so.
A Lot at StakeLos Angeles isn’t the only city for which security is a priority. Indeed, in a survey by the firm KPMG, nearly half of government respondents cited security as their no. 1 concern.
Governments are the gatekeepers of some of the most sensitive data in existence. Many need to safeguard citizens’ personal information, and some are charged with protecting national security interests. To make things even more complicated, governments are often the target of hackers. “We are regularly under attack,” Ron McKerlie of the Ontario Ministry of Public Services, said in the KPMG study. “We have to make certain that whatever we implement in security terms is incredibly robust.”
Especially for governments, there’s a lot at stake. As Iain Gravestock, partner with KPMG in the UK puts it: “In the public sector, if you take a risk and succeed, you might get a pat on your back but not much more; but if you fail – if your pensioners don’t get their checks, or if you botch privacy protection – you will be in a world of trouble.”
Securing Your Data with MicrosoftSo what makes Microsoft the best choice when it comes to protecting data? Consider the following:
A hybrid environment – Legal or compliance reasons or complex auditing requirements may warrant some content staying on-premise. Rather than putting everything in the cloud, Microsoft gives you the option of moving some data into the cloud while keeping other, more sensitive data on-premise. By contrast, Google Apps is an all-or-nothing cloud solution.
Information Rights Management – Information Rights Management (IRM) technology, available within on-premise versions of Office, prevents authorized recipients of restricted content from forwarding, modifying, printing, copying and pasting the content. With Google Docs, the security settings are limited. For example, users can specify with whom email is shared. But one the email is sent, these people may print, copy and paste the document as well as share it with unauthorized users.
Privacy of information – There’s no ambiguity in Microsoft privacy statements as to the usage of customer data. With Google, ads can be served to users with a simple selection in the IT admin control interface. In addition, Google maintains the right to your information even after you’ve deleted it, creating privacy risks down the road.
Global and regional standards – Office 365 holds the U.S. Federal Information Security Management Act (FISMA) certification, and complies with U.S.-mandated Health Insurance Portability and Accountability Act (HIPAA). In addition, Office 365 is the first, major cloud productivity service to earn the ISO 27001 international standard certification for data security. It can also incorporate the EU Model Clauses, restricting the transfer of personal data outside the European Economic Area, into sales agreements with Office 365 customers. Google just recently received ISO 27001 certification, five years after Google Apps was released.
Email archiving – Unlimited email archiving is included with the Office 365 E3 subscription plan. Email archiving is both automatic and legally-compliant. With Google Apps, users must purchase an add-on service, creating additional cost and complexity.
Records retention – SharePoint Online includes built-in records retention capabilities that make it easy to determine what documents are declared records, who can access records, and how long to keep them. With Google Apps, governments must turn to third parties such as CloudLock for this functionality at additional cost.
The Importance of Robust Security Issues like these lead many governments to Office 365. One city for which security is important is the City of Augustine Beach in Florida. In the end, however, city officials concluded that Office 365 provides better email security than their legacy system. “Our City Clerk was concerned at first that there would be some way for a third-party to access our email, but that concern has been pretty much dispelled,” says Anthony Johns, an IT specialist for Augustine Beach.
Security is also a priority for the State of Minnesota, which examined data protection before moving its entire executive branch to Office 365. Says Tarek Tomak, Assistant Commissioner for the State of Minnesota: “The robust security and reliability that Microsoft was providing with Office 365 was essential—we would not have agreed to a hosted solution without making sure that the state’s data would be secure.”
Likewise, security is paramount for the State of Michigan. Officials evaluated Google Apps, but concluded that a Microsoft environment provided the best security. “The security of our communications is paramount,” says Mike Binkley, Director of Office Automation Services for the Michigan Department of Information Technology. “Google couldn’t guarantee that security … Google Apps weren’t ready to handle the state’s business.”
Indeed, when there’s so much at stake, why take the risk?
A great post summarising the differences
Do your research; there is, yet again, a lot of mis-information from MicroShaft in here. Would you really trust a "partner" that gives you false information on purpose? Really?
@XAML guy - Glad you liked the post. @Jim - It's hard to have a conversation without any specifics. We stand by the information in this post.
I will never understand the recent Micrsoft attack on Google Apps for having options available such as CloudLock and Postini. This is an attack on Google for not having everything in one package leaving the door open for third-party vendors to sell complementary products.
A strategy where one vendor creates all of the functionality is not good for businesses, governments, or anyone else. On the one hand, Microsoft tries to bribe developers to make Windows Phone / Windows 8 apps and on the other takes swipes at Google for having vendors integrate with them.
The irony is that Microsoft has been enjoying a strategy of letting other vendors integrate complementary products for years. Suddenly, Microsoft's new wave of marketing people insinuate that everything should be in one box if it happens to be cloud software. (A box that is not easily changed between "K" or "E", no less.)
Good article! It answered a number of questions I had. I think the hybrid approach for sensitive government information is spot on!!!
My concern with a hybrid scenario is that my company will end up incurring more cost and managing two environments just to 'feel safe'. I have people on my team saying we should just stay on premise. How should I respond to those who feel the cloud isn't trustworthy?
@Ian Ray -- Partners are important to Microsoft, and add-on products and services created by partners add a lot of value to the products Microsoft creates. But some features are so important they should really be included in the actual product, without the added time, effort, and money of having to purchase an additional product. The problem with Google Apps is that it's so bare bones, it doesn't even include important functionality.
@haydnguy -- glad the article was helpful. @Al Trewthe -- The benefit of a hybrid environment is that you can continue to leverage your existing IT investments while gradually moving some workloads to the cloud. A few years ago, giving your credit card information on Internet seems risky. You probably started out by trying a couple transactions to get comfortable. Today, buying online is now part of our life. The best way to convince your team that the cloud is trustworthy may be to move slowly and and evaluate the results as you go.