L.A. critics of Google cloud services need a little perspective

Clarifying issues surrounding this emerging security architecture

A consumer group protesting the use of Google cloud services by the City of Los Angeles says the company is speaking out of both sides of its mouth about security, but the complaint may be overblown.

At issue is the risk statement in a recent filing Google made with the federal Securities and Exchange Commission that acknowledges that its technology and communications systems are vulnerable.

Specifically, according to Google’s second quarter 10-Q SEC filing, the systems are vulnerable to “earthquakes, terrorist attacks, floods, fires, power loss, telecommunications failures, computer viruses, computer denial of service attacks, or other attempts to harm our systems. Some of our data centers are located in areas with a high risk of major earthquakes. Our data centers are also subject to break-ins, sabotage, and intentional acts of vandalism, and to potential disruptions if the operators of these facilities have financial difficulties. Some of our systems are not fully redundant, and our disaster recovery planning cannot account for all eventualities. The occurrence of a natural disaster, a decision to close a facility we are using without adequate notice for financial reasons, or other unanticipated problems at our data centers could result in lengthy interruptions in our service. In addition, our products and services are highly technical and complex and may contain errors or vulnerabilities.”

To continue reading, register here and become an Insider. You'll get free access to premium content from CIO, Computerworld, CSO, InfoWorld, and Network World. See more Insider content or sign in.

A consumer group protesting the use of Google cloud services by the City of Los Angeles says the company is speaking out of both sides of its mouth about security, but the complaint may be overblown.

At issue is the risk statement in a recent filing Google made with the federal Securities and Exchange Commission that acknowledges that its technology and communications systems are vulnerable.

Specifically, according to Google’s second quarter 10-Q SEC filing, the systems are vulnerable to “earthquakes, terrorist attacks, floods, fires, power loss, telecommunications failures, computer viruses, computer denial of service attacks, or other attempts to harm our systems. Some of our data centers are located in areas with a high risk of major earthquakes. Our data centers are also subject to break-ins, sabotage, and intentional acts of vandalism, and to potential disruptions if the operators of these facilities have financial difficulties. Some of our systems are not fully redundant, and our disaster recovery planning cannot account for all eventualities. The occurrence of a natural disaster, a decision to close a facility we are using without adequate notice for financial reasons, or other unanticipated problems at our data centers could result in lengthy interruptions in our service. In addition, our products and services are highly technical and complex and may contain errors or vulnerabilities.”

Sounds pretty dire, but rather than representing a flaw in Google security they are clearly corporate legal butt covering. No system is invincible and this statement is an acknowledgement of that. Publicly traded businesses have to write this type of risk statement in the spirit of full disclosure to potential investors so they can’t claim the company was trying to hoodwink them into investing in an endangered enterprise.

The risks outlined are identical to the risks Los Angeles would face if it handled its own cloud.

The proper way to evaluate cloud services from Google or anybody else is not what they say in these broad financial statements, but what they say about the protections they put in place against these possibilities. For instance, in defending itself, the company points to its development of a cloud service specifically for government that meets Federal Information Security Management Act (FISMA) standards. These are well defined and can be checked out.

Similarly, any other security measures the company claims can be checked out by potential customers. And they should be. If security measures are lacking, customers should look elsewhere. But to advocate rejecting a service because a company acknowledges a set of risks that faced by any service provider is an extreme reaction. Maybe Los Angeles shouldn't use Google's cloud services, but the reason shouldn't be this SEC filing.

Read more about security in Network World's Security section.

Tim Greene is senior editor at Network World.