8/25/2010
01:12 PM

Federal CIOs Issue Cloud Computing Privacy Framework

Poorly planned and executed cloud computing contracts could result in security disaster, warns CIO Council.




Although cloud computing represents a possible solution to the government's rapidly increasing on-premises storage needs, federal agencies need to be aware of "significant privacy concerns" associated with storing personally identifiable information in the cloud, the federal CIO Council says in a new document outlining a proposed policy framework on privacy and the cloud.

Federal privacy regulations control how and where federal agencies hold and process personally identifiable information, and the CIO Council warns that, without consulting their legal and privacy teams and putting a plan into place, federal agencies may run afoul of those regulations.

"Once an agency chooses a cloud computing provider to collect and store information, the individual is no longer providing information solely to the government, but also to a third party who is not necessarily bound by the same laws and regulations," the document says.

Federal agencies need to follow laws like the E-Government Act and the Privacy Act and regulations like the National Institute of Standards and Technology's Special Publication 800-53, but cloud providers are bound only insofar as straying too far from the regulations would leave them unable to serve the federal government.

The risks include contractual terms of service set improperly in a way that allows the provider to analyze or search the data; the possibility that the data could become an asset in bankruptcy, that foreign law enforcement may search the data pursuant to a court order or other request, or that the service provider doesn't inform the government of a breach; and the possible failure of the cloud provider to provide a full and accessible audit trail to the government.

Certain privacy laws may also make it harder for agencies to host data on the cloud. For example, the document notes, the Health Insurance Portability and Accountability Act (HIPAA) requires formal agreements before the government can share records with a cloud provider.

Despite the risks, however, the CIO Council notes that "a thoughtfully considered" cloud deployment can, contrary to its earlier warnings, actually enhance privacy and make agency information more secure.

The document recommends agencies maintain a focus on contract language that meets federal privacy needs and regulations, conduct what the CIO Council terms a Privacy Threshold Analysis to determine whether a new system creates privacy risks, and then carry out a Privacy Impact Assessment to assess and help mitigate those risks.

According to the document, Privacy Threshold Analyses should address things like changes in how data is managed, consolidation of data, and new public and inter-agency access and use, while Privacy Impact Assessments should address specifics about the data itself -- what it is, why it's being collected, with whom it will be shared, and so on.
