The U.S. government has adopted a "cloud first" strategy -- a policy baked into the Office of Management and Budget’s new IT reform plan -- and federal IT pros are mulling how to get started. They might begin with this question: Where exactly will my agency’s data be stored in the cloud?
Cloud computing is a borderless concept, where workloads are distributed across global data centers, yielding the benefits of scale, efficiency, and resilience. Theoretically, you shouldn't have to worry about the physical location of virtual servers and storage because the cloud is engineered for optimal performance.
But ignorance isn't bliss when it comes to data governance in the cloud. What you don't know about the whereabouts of your organization’s data can hurt you. The risks include security breaches, violations of U.S. laws and regulations, and even snooping by foreign governments.
Marsha McIntyre, an attorney with Hughes Hubbard & Reed who specializes in export control law, recently laid out a slew of issues associated with data that is subject to U.S. export controls, such as the International Traffic In Arms Regulations and the Export Administration Regulations. Those rules can apply to blueprints, drawings, models, specifications, photos, and plans, all of which are common in government offices. "Providing export-controlled data to a data center located outside the U.S. could be considered an export to the data center location, which could require export authorization," McIntyre wrote in a column for InformationWeek. Penalties for violating the law can reach $1 million and 20 years in prison.
Given OMB's top-down push for cloud computing adoption, you'd think it would have articulated a formal policy on where cloud data gets stored. So far, however, there is no such guidance, which could explain why two agencies -- the General Services Administration and the U.S. Department of Agriculture -- outlined different requirements in their pursuit of cloud services contracts.
GSA announced earlier this month that it has awarded a five-year, $6.7 million contract to Unisys, which will be working with Google to provide Google Apps to 17,000 GSA employees and contractors. The deal raised the ire of Microsoft, which called attention to the fact that GSA's request for proposals -- which originally specified that "data at rest" must reside within the United States -- had been modified to allow for the offshoring of its data.
Why the change? That's not clear, but the implication is that it was done to accommodate one of the cloud vendors bidding on the job, which went to Unisys-Google. When asked about it, GSA CIO Casey Coleman acknowledged that "GSA did not constrain the offerers geographically," but she emphasized that data security and compliance with federal regulations are of utmost importance, and that those are more a function of appropriate processes and procedures than location.