In case you missed it, the GSA recently announced that it had awarded Unisys (and its subs: Google, Tempus Nova, and Acumen Solutions) to implement Google Apps for Government for up to 17,000 GSA employees. With the deal (and a projected 50% savings on collaboration systems over the next 5 years), GSA has jumped out in front on the whole “cloud first” policy thing.
Yeah, yeah. Won’t see that again anytime soon. Here’s why. First of all, Google Apps is a public cloud solution, residing out on the naked Internet. While it may be FISMA compliant, the data still is all going to live in Google’s data centers, and there’s no private pipes to Google’s data centers–you have to traverse the public Internet to get to them. Depending on which agency you are, or what regulations you need to comply with, that may be an automatic non-starter.
For example, in Minnesota, when the state government was looking at cloud for collaboration, they ended up going with Microsoft because state regs are strict about state data not traversing public networks.
Google isn’t offering Google Apps for Government as an appliance, like they do with their search engine. There’s no hint that they’re considering offering it in a customer’s private cloud deployment model at all. They may be FISMA compliant, but they’ll never be DOD 5200 or 5015 or 5xxx.anything compliant as long as they’re in the public cloud. Ideally, they could offer a government private cloud version via Apps.gov. But I don’t see Google letting the government try to run Google Apps on anybody’s cloud hardware but their own, because they’ve tweaked the heck out of their hardware environment to support it. I can only imagine how long it would take to load my inbox if GMail was running on a 64x overprovisioned virtual server running in the secure data center of the lowest bidder.
And then there is FedRAMP. While GSA is accepting Google’s FISMA compliance for now, and certifying it as usable, it will have to go through certification with FedRAMP all over again. And more cautious agencies will no doubt wait until there’s more clarity about the FedRAMP process, and what will and won’t get certified by it, before they actually go out and contract someone to provide a public cloud service.
On the plus side, it would seem that Google Apps could play well with the never-ending directory services juggling that agencies (and especially DOD) have to do. Google has Google Apps Directory Sync to connect to LDAP for provisioning. There are ways to turn Google Apps into a managed directory service as well, which I would imagine would be interesting for organizations that create and dissolve communities of interest regularly for collaboration, many of which have agency acronyms with three letters. But again, the lack of a private cloud option sort of makes that moot.
In many ways, it’s a shame that Google hasn’t found a way to provide a private cloud service. Google Apps could take on a significant percentage of the collaboration needs of many government agencies as-is, if only they could run it in a private cloud configuration, or find some FISMA-compliant hosting sites to handle it for them. DOD has been stumbling over how to “SaaS-ify” email for a few years now. But I’m sure someone will take advantage of the opening…eventually.