GSA switch to cloud-based e-mail sparks security debate

Possibility that information could be hosted on foreign-based servers causes concern.

This story has been updated from the original version.

The General Services Administration's Wednesday announcement that it will become the first federal agency to move to a cloud-based e-mail system has prompted security and legal concerns from at least one observer.

"I don't think [the move to the cloud is] inherently good, or bad," said Larry Allen, president of the consultancy Allen Federal Business Partners. But "there are some questions about it that make it uncertain."

Allen said he is worried that security was not GSA's top priority when issuing Unisys Corp. a $6.7 million, five-year task order under the Alliant governmentwide acquisition contract. Unisys is partnering with Google, Tempus Nova and Acumen Solutions to implement the transition. The new e-mail system will run on the Google Apps for Government platform.

Cloud computing is a method of paying for and accessing information technology on demand and online through third parties, rather than via agency servers. Part of the concern over GSA's move is that data could be hosted on servers in foreign countries, where the United States would have less control.

Depending on the specific location, housing data on foreign-based servers could be a violation of U.S. law, Allen said. Under the 1979 Trade Agreements Act, the government may conduct business only with countries that are signatory to a trade agreement, or part of the World Trade Organization government procurement agreement, according to Allen. India, for example, is not on that list, he added.

It is therefore "a material breach of U.S. government law to have storage provided on certain servers that are physically located in noncompliant" countries, Allen said.

"GSA did what [it could] to assure . . . security concerns," he said. "Whether or not there is a lot of meat behind that, I don't know. . . . Just because [GSA Chief Information Officer] Casey Coleman says so, it doesn't make it so."

Security is paramount, according to Allen, because GSA buys vital products for agencies such as the Defense and Homeland Security departments. "It's worth making sure you've got a secure communications" line for correspondence about those purchases, he said.

He also noted the potential liability, should the system be breached, is significantly higher than the $15 million GSA has estimated it will save over the next five years by moving to the cloud.

Microsoft Corp., which was one of the bidders for the contract, said in a prepared statement it was "disappointed" in the agency's decision, noting Microsoft made a "conscious decision to provide GSA with U.S.-only data center support, where data is maintained in the U.S. [and] administrated by U.S. citizens with background checks."

But location "does not matter because information security is the same . . . regardless of location," GSA's Coleman said. "All of these controls [in the contract] are applicable and going to be monitored regardless of location. . . . Information security is about much more than where your server sits."

The contract, she said, specifically requires that data ownership remain with GSA. All contractors who are responsible for administrating GSA information in the system will be required to undergo background checks, and Unisys will manage the servers, Coleman said. She could not say whether any servers would be located outside the United States.

According to Google spokesman Dan Martin, Gmail and calendar data on the Google Apps for Government platform are in a segregated system, located in the continental United States. Martin also said in an e-mail the software "is built with security and reliability in mind." It is unclear where the servers hosting other elements of the system, such as Google video, documents and sites, will reside.

"Google Apps for Government is provided in compliance with applicable law," Martin added.

Alan Paller, director of research at the cybersecurity organization the SANS Institute, argued the cloud is more secure than GSA's current setup. "It is safer because Google's commercial customers can ask for far more effective security controls than the paper-based reporting the federal government has required" under the 2002 Federal Information Security and Management Act, he said.