Protecting Sensitive Government Data

Governments wondering if Google Apps would meet their security requirements need look no further than the City of Los Angeles. Last December, the city pulled its police department out of a planned move to Google Apps for Government after concluding that it did not meet the FBI’s Criminal Justice Information Systems (CJIS) requirements. The result is that the City of Los Angeles now uses two incompatible email environments: 17,000 city employees have moved to Gmail, while the 13,000-member police department continues to use Novell Groupwise.

With Microsoft, governments concerned about security and compliance have a better option. They can put some of their data in the cloud with Exchange Online, while keeping other workloads on-premise using Exchange Server. The advantage is that both versions of Exchange are seamlessly connected. This means that all employees, whether their data is stored in the cloud or on-premise, can access each other’s calendars to set up meetings. In addition, IT administrators can conduct searches and centrally manage mailboxes whether employee email is in the cloud or on-premise. It all adds up to higher productivity.

And with Microsoft’s commitment to meet the CJIS standard for Office 365, governments that eventually want to move all of their productivity software to the cloud will have the opportunity to do so.

A Lot at Stake
Los Angeles isn’t the only city for which security is a priority. Indeed, in a survey by the firm KPMG, nearly half of government respondents cited security as their no. 1 concern.

Governments are the gatekeepers of some of the most sensitive data in existence. Many need to safeguard citizens’ personal information, and some are charged with protecting national security interests. To make things even more complicated, governments are often the target of hackers. “We are regularly under attack,” Ron McKerlie of the Ontario Ministry of Public Services said in the KPMG study. “We have to make certain that whatever we implement in security terms is incredibly robust.”

Especially for governments, there’s a lot at stake. As Iain Gravestock, partner with KPMG in the UK, puts it: “In the public sector, if you take a risk and succeed, you might get a pat on your back but not much more; but if you fail – if your pensioners don’t get their checks, or if you botch privacy protection – you will be in a world of trouble.”

Securing Your Data with Microsoft
So what makes Microsoft the best choice when it comes to protecting data? Consider the following:

A hybrid environment – Legal or compliance reasons or complex auditing requirements may warrant some content staying on-premise. Rather than putting everything in the cloud, Microsoft gives you the option of moving some data into the cloud while keeping other, more sensitive data on-premise. By contrast, Google Apps is an all-or-nothing cloud solution.

Information Rights Management – Information Rights Management (IRM) technology, available within on-premise versions of Office, prevents authorized recipients of restricted content from forwarding, modifying, printing, copying and pasting the content. With Google Docs, the security settings are limited. For example, users can specify with whom email is shared. But once the email is sent, these people may print, copy and paste the document as well as share it with unauthorized users.

Privacy of information – There’s no ambiguity in Microsoft privacy statements as to the usage of customer data. With Google, ads can be served to users with a simple selection in the IT admin control interface. In addition, Google maintains the right to your information even after you’ve deleted it, creating privacy risks down the road.

Global and regional standards – Office 365 holds the U.S. Federal Information Security Management Act (FISMA) certification, and complies with the U.S.-mandated Health Insurance Portability and Accountability Act (HIPAA). In addition, Office 365 is the first major cloud productivity service to earn the ISO 27001 international standard certification for data security. It can also incorporate the EU Model Clauses, restricting the transfer of personal data outside the European Economic Area, into sales agreements with Office 365 customers. Google just recently received ISO 27001 certification, five years after Google Apps was released.

Email archiving – Unlimited email archiving is included with the Office 365 E3 subscription plan. Email archiving is both automatic and legally compliant. With Google Apps, users must purchase an add-on service, creating additional cost and complexity.

Records retention – SharePoint Online includes built-in records retention capabilities that make it easy to determine what documents are declared records, who can access records, and how long to keep them. With Google Apps, governments must turn to third parties such as CloudLock for this functionality at additional cost.

The Importance of Robust Security
Issues like these lead many governments to Office 365. One city for which security is important is the City of Augustine Beach in Florida. In the end, however, city officials concluded that Office 365 provides better email security than their legacy system. “Our City Clerk was concerned at first that there would be some way for a third-party to access our email, but that concern has been pretty much dispelled,” says Anthony Johns, an IT specialist for Augustine Beach.

Security is also a priority for the State of Minnesota, which examined data protection before moving its entire executive branch to Office 365. Says Tarek Tomak, Assistant Commissioner for the State of Minnesota: “The robust security and reliability that Microsoft was providing with Office 365 was essential—we would not have agreed to a hosted solution without making sure that the state’s data would be secure.”

Likewise, security is paramount for the State of Michigan. Officials evaluated Google Apps, but concluded that a Microsoft environment provided the best security. “The security of our communications is paramount,” says Mike Binkley, Director of Office Automation Services for the Michigan Department of Information Technology. “Google couldn’t guarantee that security … Google Apps weren’t ready to handle the state’s business.”

Indeed, when there’s so much at stake, why take the risk?