Amid the Obama administration's 'cloud first' strategy, federal agencies face the prospect of seeing their data go offshore. There's a lesson to be learned from WikiLeaks.
The U.S. government has adopted a "cloud first" strategy -- a policy baked into the Office of Management and Budget’s new IT reform plan -- and federal IT pros are mulling how to get started. They might begin with this question: Where exactly will my agency’s data be stored in the cloud?
Cloud computing is a borderless concept, where workloads are distributed across global data centers, yielding the benefits of scale, efficiency, and resilience. Theoretically, you shouldn't have to worry about the physical location of virtual servers and storage because the cloud is engineered for optimal performance.
But ignorance isn't bliss when it comes to data governance in the cloud. What you don't know about the whereabouts of your organization’s data can hurt you. The risks include security breaches, violations of U.S. laws and regulations, and even snooping by foreign governments.
Marsha McIntyre, an attorney with Hughes Hubbard & Reed who specializes in export control law, recently laid out a slew of issues associated with data that is subject to U.S. export controls, such as the International Traffic In Arms Regulations and the Export Administration Regulations. Those rules can apply to blueprints, drawings, models, specifications, photos, and plans, all of which are common in government offices. "Providing export-controlled data to a data center located outside the U.S. could be considered an export to the data center location, which could require export authorization," McIntyre wrote in a column for InformationWeek. Penalties for violating the law can reach $1 million and 20 years in prison.
Given OMB's top-down push for cloud computing adoption, you'd think it would have articulated a formal policy on where cloud data gets stored. So far, however, there is no such guidance, which could explain why two agencies -- the General Services Administration and the U.S. Department of Agriculture -- outlined different requirements in their pursuit of cloud services contracts.
GSA announced earlier this month that it has awarded a five-year, $6.7 million contract to Unisys, which will be working with Google to provide Google Apps to 17,000 GSA employees and contractors. The deal raised the ire of Microsoft, which called attention to the fact that GSA's request for proposals -- which originally specified that "data at rest" must reside within the United States -- had been modified to allow for the offshoring of its data.
Why the change? That's not clear, but the implication is that it was done to accommodate one of the cloud vendors bidding on the job, which went to Unisys-Google. When asked about it, GSA CIO Casey Coleman acknowledged that "GSA did not constrain the offerers geographically," but she emphasized that data security and compliance with federal regulations are of utmost importance, and that those are more a function of appropriate processes and procedures than location.