Google Apps, PRISM, and the NSA

With media attention and hype, leaked documents, Congressional hearings, and a great deal of explanation and back-peddling, the world now knows that the United States government spies on people.

Okay, we already knew that.

So, we learned that about a secret “FISA” court that can issue secret subpoenas letting the government look at information about us.

Okay, we already knew that, too (many of us just did not pay attention or really seem to care very much).

So, we learned that the Government had issued subpoenas for huge amounts of data about phone calls from Verizon as part of secret program called PRISM.

Now must be the time to panic?

As our 24-hour, instant, news machine struggled to find alleged experts on this top-secret program, we began hearing reports that the National Security Agency has direct, unfettered, complete access to all of the data on all of the servers of all of the major public cloud providers, and that they were capturing, recording, and saving all of this information.

Unfortunately, the cloud service providers are prohibited by law from disclosing the the number of FISA subpoenas and/or the number of users subject to those subpoenas.  We do know, however, that all of the service providers deny any direct connection between their systems and the NSA.

Without accurate information, myths become ‘facts’.

For those of us that promote and rely on the cloud, including those of us running Google Apps for Business, Education, or Government, we want assurances that our data remains private.

Google Apps and Your Privacy

On June 7th, Google posted this statement on the Official Google Blog regarding the matter.  In short:

  1. The NSA and other agencies do not have unfettered access to customer data
  2. Google was not participating in, nor aware of the PRISM program
  3. Google actively works to limit the number and scope of FISA requests

Coincidentally, CIO Magazine reported on June 4th (before the FISA/PRISM revelations in the media) about Google’s efforts to modify or restrict FISA subpoenas.  You can see the article here.

Media reports have been largely inaccurate about the scope of the PRISM program and FISA warrants and its use on American citizens on US soil.

Google is not allowed to release the numbers and scope of the requests by law.  On June 11th, Google made public an official request to release that information so that Google customers will have a more accurate picture and will understand that their data remains secure.


The Terms of Service and Privacy Policy for Google Apps for Business, Education, and Government have very specific rules for how private Google keeps your data and how Google responds (and lets you respond) to subpoenas Google receives for customer data.

There is no evidence, or any indication, that Google has acted outside the bounds of these terms and conditions, even as Google vigorously defends the privacy of customer data in court.


Moving to the Cloud: Too Many Choices?


Green_GaugeThis post is the ninth, and final, post in a series addressing concerns organizations may have that prevent them from moving the cloud-based solutions.

Good News; Bad News.

The Good News:  Organizations can choose from a rapidly growing myriad of cloud computing services and solutions.

The Bad News:  Organizations can choose from a rapidly growing myriad of cloud computing services and solutions.

When looking to move into the cloud, organizations have an abundant set of choices and options that offer similar functions and services.  Even more challenging, many cloud solutions offer features that overlap, creating redundancy at the intersection (i.e., the Google Drive component of Google Apps versus Dropbox).

For many organizations, the marketplace is confusing and full of claims that may be hard to verify.  Too often, the decision falls to price, not business value, and organizations end up getting what they pay for.

Start at the Beginning

Organizations looking to move into the cloud should start at the beginning step of any successful IT project — business requirements.  What are the business reasons for moving into the cloud?  These could be a simple as “keep the same functionality as in-house systems, but at a lower cost” or as sophisticated as “expand into international markets”.

The business requirements drive the technical requirements.  The technical requirements guide the selection of the solution.  Evaluate how well the solution meets your technical requirements and how well it supports your business requirements first.  Include relevant issues of customization, management, and support.   Then, look at the cost.

Vet the Vendor

While the concept of cloud computing dates back to mainframe time-sharing services in the 1970s and 1980s, today’s marketplace is new.  Every cloud vendor is new to the market as their services are relatively (no more than 5 years old) new.   Do not assume “name brand” companies are best.  Microsoft, for example, is a well-established mature business.  And yet, they have proven they are very capable of failing when it comes to providing a reliable cloud computing service.

Look at prospective vendors for their track record (as limited as it may be) with respect to performance, availability, reliability, support, innovation, and customer service.  Talk with customers and see out organizations that have dropped the service.

Understand where the vendor is financially.  Are they profitable?  Are they running on venture funds, and will they be sustainable before the funds run out?  Is the vendor’s financial position improving as their sales grow?

Use a Trusted Partner

Find a partner that knows cloud computing and can help you find your way through the myriad of options.  Work with cloud solution providers that do not push you only to what they currently sell.  Better CSPs will direct you to other resources and will either contract with them on your behalf or hand off the relationship.

If your current IT firm or your internal IT team cannot navigate the cloud computing territory, look for a partner that will work with, and will help educate, your current IT staff and/or team.  As with your cloud solutions selection, choosing a cloud solutions provider is about business value.

A good CSP can help you find, vet, select, and implement the right solution.


Moving to the Cloud: Internationalization


Green_GaugeThis post is the eighth in a series addressing concerns organizations may have that prevent them from moving the cloud-based solutions.

Cloud computing is global and a growing number of cloud solution providers are global as well.  Data stored in the cloud can end up in data centers in other countries and jurisdictions with differing laws and level of privacy protection.   In addition, organizations may be subject to laws or regulations that restrict data from being stored across national boundaries or in other jurisdictions.

Some risk exists in national or local laws related to data privacy and ownership.

Learn Before You Leap

Before signing on with a cloud provider, ask the questions about where data is stored and how the provider is protecting your data from foreign governments and other interests.  Review all contracts, agreements, and vendor policy statements to ensure they are consistent with the message you hear from the sales team.

Look for adherence to privacy standards based on international treaties, such as Safe Harbor and EU Safe Harbor. While these programs cannot eliminate all risk, they do set reliable standards and ensure the vendor has a process for managing any issues that arise.

Explore options with your vendor.  Many cloud vendors allow customers to select specific data centers in which their systems will run and/or data resides.

Seek out some knowledge about the privacy laws and regulations in the countries in which your data may reside (many Canadian firms, for example, see the US Patriot Act as a risk when data resides in the US).

With a small amount of due diligence, organizations can judge the vendor’s competency in managing data privacy and ownership across boundaries, and can ensure the cloud solution meets the organization’s needs above all.

Next Post in the Series:  Coming Monday June 10th

Previous Post in the Series:  Regulatory Compliance

Moving to the Cloud: Regulatory Compliance


Green_GaugeThis post is the seventh in a series addressing concerns organizations may have that prevent them from moving the cloud-based solutions.

Moving to the cloud often entails more than switching to an email service or spinning up a some cloud-based storage and servers.  For many businesses — including Small and Mid-Size Businesses (SMBs) — regulatory requirements place demands on IT systems and security.  And, while these requirements impact in-house and cloud solutions, moving to the cloud requires planning.

The most common regulations for SMBs relate to consumer (customer) privacy:  HIPAA, which protects personal health information, and PCI, which protects personal and credit related information.  Many SMBs, however, must also meet the requirements of Sarbanes/Oxley, FINRA, SEC, and various state regulations.

The solution:  Integrating Solutions.

Fortunately, the tools and systems exist to provide compliance with data security and privacy regulations.  Cloud vendors are creating environments and the management controls necessary for customer regulatory compliance and certification.

The challenge is to make sure that all of the pieces work together.

  • Message Archive/eDisovery:  Manages retention of email as official business records and provides the eDiscovery and audit tools necessary to meet federal subpoena requirements.
  • Message Encryption: Encrypts email at the individual message level based on content and rule sets, requires users to authenticate before accessing the message, and prevents forwarding.
  • Two Factor Authorization / Single Sign-On: Provides identity management services and audit trails beyond core products in order to meet regulatory or policy requirements 
  • Third Party Encryption:  Encrypts data in the browser or client before transmission to the cloud, providing a second level of encryption prior to the encryption provided by the cloud vendor.  In the event of a vendor data breach, the exposed data would be encrypted.

These types of solutions, and others, provide cloud environments with the capabilities to meet regulatory requirements.  Vendor contracts and policies should still be carefully reviewed for any terms and conditions that threaten compliance.

And remember, no vendor can ensure compliance.  Compliance exists when the technology meets the technical standards and is used in accordance with policies and procedures that meet the regulatory intent.

Next Post in the Series:  Internationalization

Previous Post in the Series:  Integration with Legacy Systems