Are security, compliance concerns deal-breakers for info sharing in the cloud?
From data storage issues to complex service level agreements, agencies have plenty to consider
Early on, agencies realized that public data, which was already being disseminated via websites and in printed form, was a good fit for the cloud. It could be housed in the cloud to make information sharing quicker and easier. As cloud services gained in popularity — and the U.S. government’s cloud-first strategy picked up steam — new cloud-based information-sharing services started handling what many considered sensitive data. This is giving some IT managers pause because data that lives in the cloud, after all, is a little like an apartment-dweller: It may seem like it has its own space, but every once in a while, it may bump into neighbors unexpectedly.
It’s the problems that multi-tenancy cloud implementations may come with that have many in the government questioning whether cloud is worth pursuing across the board, said Robert Gellman, a privacy and information policy consultant based in Washington. At least many are questioning the use of the public cloud, he says. “If you are a commercial or government provider using a commercial, shared service, there are all sorts of issues that come up: legal, archiving, classification, security. The cloud is not at all simple, even today,” he said.
Doing due diligence
Those agencies that agree may be more likely to tap the General Services Administration’s Apps.gov to find software-as-a-service and other cloud-based offerings such as storage, virtual machines, and web hosting, say experts. However, even these products — which have been vetted by the GSA — still present problems for those looking to share information via the cloud, said Graham Titterington, principal analyst and security expert at research firm Ovum.
“The main issue is compliance. It’s very hard to get good information out of public cloud providers,” he said. “The lack of transparency makes it very hard to find the evidence and information you might need such as where is the cloud provider going to put your data and all the backup copies of the data it creates? That’s one area that really needs some work.”
That’s not to say you can’t ensure privacy, governance and security in the cloud, said Kent Schneider, president and CEO of AFCEA International, a nonprofit membership association that serves the military, government, industry and academia as an ethical forum for advancing professional knowledge and relationships in the fields of communications, IT, intelligence and global security. “If someone is dealing with classified or sensitive information of any kind, they should consider putting it into a government-operated cloud. The Defense Information Systems Agency is already providing infrastructure as a service to military and defense agencies. Those are the providers you want to look at first,” he said.
Those who can’t find an appropriate private cloud option may need to look at the risk/reward equation, says Schneider. “Look at the information you need to put into the cloud and make sure you really understand the risk of losing it or having it compromised by someone who shouldn’t have access to it,” he says. “Match the risk with the correct mitigation strategies.”
It is also crucial to make sure your service level agreement holds the provider completely accountable if something does go wrong. Too many people just assume the SLA will cover them without actually looking at the language of the document, said Gellman. Finally, consider why you’re looking at the public cloud at all. Are you looking to share your information across multiple cloud services? If so, are the right APIs available to do so? In addition, make sure you have an exit strategy for your data, said Steve Ressler, founder and president of GovLoop.com, a government social networking site. “Make sure cloud providers talk to each other and integrate,” he advised. “A lot of them offer solutions for exporting data, but you really need to be sure you have a full way out if you don’t like the vendor anymore.”