Need suggestions for new IMU features

Started by Robborsari, June 18, 2009, 03:26:40 PM


Eclipse

#100
Quote from: KyCAP on July 24, 2010, 01:22:23 AM
Quote from: davidsinn on July 19, 2010, 10:25:02 AM
We're not subject to those laws.

You all ran off in a different direction than the point that I was trying to make.  I was making the point that Google isn't compliant with the "least" stringent security policies and procedures that are WIDELY held out for information sharing.

You need to be specific about which services you are discussing - the apps cloud or Gmail.  I don't know or care about the security on a free Gmail account - you get what you pay for.  We are discussing the Apps Cloud and the services there, which carry very specific SLA's and QLA's, especially when you are paying for it. 
Quote from: KyCAP on July 24, 2010, 01:22:23 AM
If CAP were deemed to be "subject" to any kind of guidance it would be FISMA, which is defined by a series of regulations from the Feds, specifically the NIST 800 series and others as required.   I am CERTAIN that anything in the cloud would not be compliant for all of the ones that I used as generic examples PLUS anything in the NIST/FISMA guidance.
OK, first, I'd have to see some specific point where you believe the Apps Cloud would be non-compliant, and second, why bother since we aren't subject to those rules.
Quote from: KyCAP on July 24, 2010, 01:22:23 AM
I am also guessing that NHQ and the IT staff probably are glad to be PCI compliant for the e-commerce business and have not considered GIAC audits, OWASP compliance or other "day to day" IT security best practices, but I could be wrong.

How is NHQ subject to PCI on anything but as a Level 4 User?  That's a self-assessment, period.  And even at the highest level, it would have nothing to do with this conversation, because the only place PCI touches email is "don't send credit card numbers in emails".  The only systems that would be in-scope for compliance would be the ones transiting or storing credit card data, which would have nothing to do with Apps.

CAP is not bound by HIPAA, Sarbanes-Oxley, ISO, or any of a dozen other acronyms.

If you have an organization which is bound by compliance regulations, then you do your research in advance before you switch over, not after, and you don't blame the provider if their service doesn't match your needs.

With that said, Google has a suite of services for secure email, just like everybody else.

I will grant you that this is a complex discussion that can't be brought to a conclusion in a forum like this, but the average CAP unit/group/wing is much better off with a Google-hosted solution that it controls than a free email account at Hotmail or Juno.

"That Others May Zoom"

KyCAP

#101
Quote from: Eclipse on July 24, 2010, 01:52:24 AM
OK, first, I'd have to see some specific point where you believe the Apps Cloud would be non-compliant,

OK - Start with Google itself in just a quick search.
http://groups.google.com/group/google-appengine/browse_thread/thread/aef13f580f46bd13

"App Engine is currently not HIPAA- nor SAS 70-compliant, so highly sensitive data (HIPAA/PHI data, SSNs, CC numbers, etc.) should not be stored on App Engine. It is not a good match for that type of data at this point in time unless, as the previous poster pointed out, you've done some bulletproof encryption of that data. Unfortunately, I cannot currently comment on any timeline to get any sort of data privacy certification.

If you have an organization which is bound by compliance regulations, then you do your research in advance before you switch over, not after, and you don't blame the provider if their service doesn't match your needs."

Here's an earlier review: http://it.toolbox.com/blogs/managing-infosec/google-apps-is-a-risk-management-decision-14666

Quote from: Eclipse on July 24, 2010, 01:52:24 AM
and second, why bother since we aren't subject to those rules.

In order to know that we are NOT subject to FISMA there would have to be language in the contract between the US Air Force (AETC) that would EXCLUDE CAP, Inc from the flow down provisions that would govern any FISMA policies.  I haven't seen that doc, have you?

Quote from: Eclipse on July 24, 2010, 01:52:24 AM
How is NHQ subject to PCI on anything but as a Level 4 User?  That's a self-assessment, period.  And even at the highest level, it would have nothing to do with this conversation, because the only place PCI touches email is "don't send credit card numbers in emails".  The only systems that would be in-scope for compliance would be the ones transiting or storing credit card data, which would have nothing to do with Apps.

My anecdote was not to infer that an IMU-like app would be subject to the scope of PCI compliance, but that NHQ probably is just swallowing PCI and probably hasn't given thought to other issues.  Nothing more.
Maj. Russ Hensley, CAP
IC-2 plus all the rest. :)
Kentucky Wing

Eclipse

Quote from: KyCAP on July 24, 2010, 03:22:29 AM
In order to know that we are NOT subject to FISMA there would have to be language in the contract between the US Air Force (AETC) that would EXCLUDE CAP, Inc from the flow down provisions that would govern any FISMA policies.  I haven't seen that doc, have you?

How do you figure that CAP needs to be excluded from Air Force regulations?  We aren't a part of the Air Force, and we're only bound by a handful of their AFIs.  This is likely one of those places where not being part of the military helps.

Besides, for the most part FISMA only requires agencies and related organizations to "have a plan" - we don't have much of anything that would fall into classified, and if we do, then those communications should be done with secure machines provided by the USAF with CAC card login, etc.  Not likely for the notice you failed your ECI-13. So the "plan" isn't going to involve retina scans and real-time DNA testing to get your SPAM.

Google's POSTINI services are secure and encrypted (and yes, not free); whether they will get a company to compliance depends on the company, the industry, which agency is asking the questions, and how the services are used.  There are any number of banks and financial institutions using Apps right now.

I just spent about two years on a data security project around PCI for a major hospitality company - I'm not a CISSP by a long shot, but I have a pretty good handle on the compliance environment around HIPAA, SOX, and PCI.  The short answer is "it depends", and requires more reading than just the FAQ, but spreading FUD about Google and security isn't cricket.

"That Others May Zoom"

Robborsari

Maybe this needs a new thread unless there is a suggestion for security in this.
Lt Col Rob Borsari
Wing DO
SER-TN-087

Eclipse

#104
http://googleenterprise.blogspot.com/2010/07/google-apps-for-government.html

http://googleenterprise.blogspot.com/2010/07/supporting-us-navys-humanitarian.html

Monday, July 26, 2010 at 11:35 AM
Last September, we announced our intent to create a Google Apps environment dedicated to our government customers, and to complete United States government security certification for Google Apps. Today, we're delivering on both.

Today, we're pleased to introduce a new edition of Google Apps designed specifically for the needs of U.S. government entities. It's called – appropriately enough – Google Apps for Government. This new edition is available now to federal, state and local governments in the United States.

Google Apps is also the first suite of cloud computing applications to receive Federal Information Security Management Act (FISMA) certification from the U.S. government. With this federal government certification of our security controls, government agencies can use our cloud services with confidence.

A wide range of U.S. government customers are already taking advantage of Google Apps, from the U.S. Department of Energy's Berkeley Lab to the U.S. Navy's InRelief program, to the City of Los Angeles, to smaller governments across the country like Panama City, Florida and the City of Wooster, Ohio.



I'll just be over here with my coffee...Sumatra this week!

"That Others May Zoom"

Capt Rivera

Capt Borsari,

Can you give us updates related to the next release or BETA?
//Signed//

Joshua Rivera, Capt, CAP
Squadron Commander
Grand Forks Composite Squadron
North Dakota Wing, Civil Air Patrol
http://www.grandforkscap.org

KyCAP

Quote from: Eclipse on July 26, 2010, 08:03:24 PM
I'll just be over here with my coffee...Sumatra this week!

1) You need to buy a lottery ticket that is like some of the best timing on the planet.
2) NHQ now just needs to increase the annual budget between $1 mill to $2.75 mill to cover all of the members an account each year



:)

I like Sumatra.
Maj. Russ Hensley, CAP
IC-2 plus all the rest. :)
Kentucky Wing

Eclipse

We don't need the Government-level accounts to get FISMA; as indicated by the article, Apps as a whole is FISMA, but the Government systems add additional levels of encryption, security, and commitments for CONUS-based systems only.

Apps for education would be plenty, and that is free, however providing every member with a secure government-level CAP email address and access to a collaborative environment would be the best money CAP has spent in a decade.  Google Apps, of course, does not equal GMail.

I agree on the timing; however, their work towards this compliance has been on their to-do list since last Fall.

"That Others May Zoom"

KyCAP

Quote from: Eclipse on July 27, 2010, 02:31:26 AM
Apps as a whole is FISMA

That is not correct as I have read through this.  For FISMA compliance it appears they have had to retain the data in US data centers.  Other APP service levels do not do that.

It's reiterated in the other reviews of the application that other APP service products are not FISMA compliant.
Like here: http://digitaldaily.allthingsd.com/20100726/certification-came-quickly-after-one-click-access-to-wikileaks-was-removed/

I am reviewing this for the security audits that we are performing now.
Maj. Russ Hensley, CAP
IC-2 plus all the rest. :)
Kentucky Wing

Eclipse

That's not how I read the initial press release, but you may be right - it makes sense based on the additional cost.

I may switch over just "because" if individual users can change their Premium account.

"That Others May Zoom"