Police Tech & Gear
with Tim Dees
The LAPD's not-so-smooth transition to Google Apps
Google's applications reside on the thousands of remote servers rather than on your desktop, which is both good and bad for security
The City of Los Angeles made a bold decision in moving their in-house network from a Novell network to Google Apps. The changeover isn't going especially well, particularly where the LAPD is concerned.
Nearly every business these days uses some kind of internal network. Networks allow users to access files created by others, print documents on printers not physically connected to a computer, and otherwise collaborate and share resources. Most use some variant of the networking systems offered by Microsoft or built into operating systems like Windows 7 and Vista.
In contrast, LA has been using a Novell network. Novell was a major player--maybe the major player--in corporate networks until the various flavors of Windows started eating away their market share. There is an element of voodoo to operating any large network, but Novell has their own protocols that make knowledge of other network systems negligible in understanding how to run Novell's.
The city decided to abandon Novell in favor of Google, issuing a contract with the search engine giant for $7.25 million to upgrade and convert their 30,000 users to Google Apps. The LAPD has 17,000 of those users--over half the city's network-using employees.
Many users city-wide are complaining about lack of functionality and missing features as compared with the Novell system they're used to. Google says this is mostly attributable to lack of familiarity with the system, and that users have the same capabilities they had with Novell. LAPD's concerns lie more with security.
Google Apps is a collection of computer services and applications that reside "in the cloud," that is, on the thousands of remote servers Google has all over the world. Where most users of Microsoft, Adobe and other major software players' applications run their programs on the user's computer, Google Apps places most of the code and the data in the ether. If the local machine crashes, is stolen, or gets sucked into a black hole, no worries--switch to another machine and pick up where you left off. The security concern comes from exactly the same place. If anyone can access this information from any computer, what is to keep the bad guys from doing it?
The concern is not unfounded. In May 2010, a hacker got access to internal files from Twitter, which uses Google Apps for their corporate networking. Supposedly, the hacker first made it into a Twitter employee's Google account via a compromised password, then guessed the answer to the employee's security question by examining other documents contained within Google Apps. From there, he was able to change the passwords on the accounts and take his time going through whatever he found.
Password security has always been a problem with computer networks. IT managers fight an ongoing battle with users who do their best to circumvent security protocols by using easy-to-guess passwords, or who start with a secure password and then alter it only slightly when they're required to change it. "98T%wG" is a reasonably secure password, but if its user changes only one character when required (say, to "98T$wG"), someone who has the first password won't find it all that difficult to obtain the second one.
Google Apps recently added two-factor authentication to its capabilities. With two-factor authentication, the password is Something You Know + Something You Have. A user might log in with a conventional password, and then Google would send a text message or voice call containing a second password. If you don't have a smart phone or another device that receives the second part of the password, you can't get access. It might also be possible to get the second password from an app running on a smart phone, so that a user could log in without a network cell phone connection. Two-factor authentication can also combine a password with a biometric token, such as a fingerprint or iris scan, or a physical RFID device.
Some critics argue that Google saw the City of Los Angeles coming by charging them almost $250 per user for the conversion, given that access to Google Apps and GMail accounts are free for individual users. In Google's defense, it wouldn't look all that great to have the LAPD chief's e-mail address be something like ChiefCharlieBeck@gmail.com, and this plan provides not only networking, but regular office applications that would otherwise be purchased separately. It is still a significant gamble to bet the security of sensitive investigations on tools that live "in the cloud."