Information Technology never stands still and these days it appears to be moving faster than ever. The topic of cloud computing or simply ‘the cloud’ is everywhere you look. There hasn’t been this much buzz in the industry since the World Wide Web was introduced. While many businesses have made the jump to the cloud for a variety of services, many government agencies have been somewhat slower to make the move. This article will discuss some of the points to consider when evaluating whether to move your government agency data to the cloud.
There are a variety of definitions for cloud computing, but as the framework matures, the definition is finally becoming more stable. The National Institute of Standards and Technology has drafted a definition of cloud computing that can be found here. This cloud model promotes availability and is composed of five essential characteristics, three service models and four deployment models.
The Potential Benefits
There are several commonly touted benefits related to cloud services, the largest being the potential cost savings that can be achieved through the use of cloud offerings.
- Cost Avoidance – cloud computing can offer substantial cost avoidance opportunities, such as reducing investment in capital expenditures (e.g., hardware, software, etc.) and operational expenditures (e.g., maintenance, software licenses, support staff, etc.).
- Cost Reduction – commonly referred to as ‘pay-as-you-go’, cloud services can provide the economies of scale only available through the use of enormously large-scale shared resources.
- Service Elasticity – commonly referred to as ‘only-pay-for-what-you-use’, cloud services allow usage to expand to meet anticipated service peaks and then scale back to normal.
- Anywhere Anytime Access – cloud computing requires little more than a reliable internet connection.
Going with a public cloud offering means that you do not need to spend your money upfront on hardware or software for whatever you plan to implement. Instead, there is typically a monthly fee for the length of time you utilize the service. In some instances, individual accounts may even be offered for free with restrictions on total storage or usage.
The Potential Risks
On the opposite side of the coin, there are a variety of potential negatives that can be lumped into the general category of risk. Listed below are examples of risks that must be weighed when considering government cloud computing:
- Legal Responsibility – regardless of whether your data is stored on a computer in your office, your building, a government data center or in the cloud in an off-site location, your agency cannot delegate the responsibility for protecting that data to anyone else. If anything happens to the data, you and your agency will be held publicly responsible for it. According to the latest Ponemon Institute data breach report, the average cost of a data breach is $214/record or $7.2 million per event. This doesn’t include the potential blow to your agency’s credibility. There could also be legal issues related to open records requests, archiving, as well as access, compliance and audit tracking/reporting, among others.
- Perceived Savings – savings may or may not actually exist when you begin a true ‘apples’ to ‘apples’ comparison of cloud services to existing on-site services. In some instances, government regulations or other requirements dictate the type of services (archive, encryption, data storage in the continental US, etc.) required, which can quickly add additional costs to the publicly displayed price. This can quickly double or triple the original price. Requesting private cloud versus public cloud services can also raise prices, although more large-scale providers understand the concern of government data in the public cloud and are setting up ‘government only clouds’. It pays to ask the ‘tough’ questions to ensure your agency gets the deal you think you are getting.
- Classification of the Data – some data may simply be too sensitive or confidential to reside in an offsite location. Some extreme examples of this type of data include: undercover police officer records, municipal infrastructure maps, and many security related documents.
- Data Ownership – if your data is not guaranteed to be stored within the United States, it may be subject to the laws of the country where it resides. In some cases, this may give that country rights to utilize your data without requesting your agency’s approval. Similarly, if your data resides in a public/hybrid cloud, it could be confiscated by law enforcement agencies if a person or organization utilizing that same public cloud service is engaged in criminal activity. Data ownership can also become a significant issue when you determine that your agency no longer wants to have its data stored with a particular cloud vendor and wants to transfer it to another vendor or move it back within your government agency. These issues must be discussed and resolved before engaging with a cloud provider to ensure you have an exit strategy.
- Sanitization of Equipment – many agencies have policies requiring all IT equipment to be properly sanitized prior to disposal or release, and requiring sanitization procedures to be properly documented, to prevent unauthorized release of sensitive and/or confidential information that may be stored on that equipment and other electronic media. Cloud providers may or may not have similar policies and assurances to protect your data when their equipment fails or reaches ‘end of life’ status.
- Standardization – while standardization is usually considered a positive, in this case it may be a negative. Industry cloud providers develop an offering that meets a large baseline percentage of the industry needs. If your need falls outside that percentage of functionality, you will either need to modify your processes, which could include the need for lengthy legislative changes, or you may have to pay additional fees for customization, which counters the major positive of going to the cloud.
- Security – because of the relative immaturity of the cloud industry, security holes, data breaches and applications raced to production without complete testing continue to occur. These incidents are reported across a variety of trade publications while not necessarily surfacing in the mainstream media. Few standards currently exist across the spectrum of cloud offerings. (Note: The SNIA recently completed the first version of the Cloud Data Management Interface (CDMI) standard.) Large-name vendors have agreed to work together to establish additional guidelines, but currently just about anyone can buy some hardware, publish a website and call themselves a ‘cloud provider’ or even repackage the cloud services of another vendor. It is imperative that data risks be evaluated and prioritized when selecting a cloud computing vendor. Data risks should be clearly identified, with well-defined responsibilities for both the vendor and the agency. According to the “Security of Cloud Computing Providers Study” sponsored by CA Technologies and conducted by Ponemon Institute, 69 percent of cloud providers don’t believe securing data is their responsibility.
- Retention – cloud computing services often create multiple copies of the data that they store for an organization on geographically-dispersed computing resources in order to ensure that no data is lost and that it is constantly available to the end-user. Government agencies typically have records retention schedules that define the required timeframe for maintaining a particular document or piece of correspondence. It would be important to know how the vendor would ensure the destruction of all copies of records that had reached the end of approved retention periods.
- Location – cloud computing is often implemented in such a way that the end-user has no idea where their information is stored or processed. Some cloud service providers will let you place broad limits on where your data will be stored (e.g., in the continental United States, in a particular state, government cloud, etc.). If your organization is contemplating placing data in a cloud that must be maintained within jurisdictional boundaries, it will be important to establish that as a requirement before you procure services and ensure that it is included in the contract with the vendor.
Government will seldom be on the bleeding edge of technology or change because of the sheer volume of people, organizations and legal requirements that need to be integrated. Agencies that have embraced cloud technology still do so with some caution. The Federal Government, even with the ‘Cloud First’ initiative, wants to ensure that cloud services are appropriate. The apps.gov website, which provides a single location for federal agencies to go to find quality cloud services that have been vetted through the federal procurement system, contains a disclaimer to ensure agencies comply with applicable mandates related to Information Technology, Security, Privacy, etc.
Cloud computing as a topic is receiving large amounts of press and is being touted as a possible panacea for everyone’s technology woes. When individual government agencies consider shifting services to the cloud, an in-depth discussion should be held between the IT and business unit staff covering the full breadth of possible benefits and risks before a decision is made either way. Cloud computing will continue to hit pockets of turbulence and much of the industry is being designed as the plane is in flight. Government agencies wishing to enjoy a smooth ride into the cloud may want to consider waiting until the industry is more mature before committing themselves.