As cloud computing initiatives take hold in government, agencies need to consider the contracting implications of this new technology model. Managing a relationship where government data could reside on privately owned computing infrastructure located anywhere in the world demands that agencies ask some crucial questions of cloud vendors before they close the deal.
Daren Orzechowski, an intellectual property attorney who specializes in IT and outsourcing issues, said government agencies need answers to four fundamental questions before they choose a cloud computing provider.
1. Where is my data?
Server virtualization technology allows cloud vendors to optimize their use of computing hardware and other IT resources. That can cut costs, especially as the volume of cloud computing customers grows and vendors achieve economies of scale. But virtualization also has a downside.
"Your data could be broken up -- or the instance of your application could be broken up if it's a platform provider -- so your data and software could be in a lot of different places. In the government space, I think this is particularly important to have a handle on," said Orzechowski, a partner in the New York City law firm of White & Case. "On one hand, you have to recognize that the provider gets an economic benefit from being able to break up the data and store it in different places, or virtualize it. At the same time, depending on the sensitivity of the data, the government needs to know where that information is."
Keeping your data within the United States should be a key requirement, he added.
"When you look at what people's expectations about their rights are, they come at it with a very American-centric view. In a lot of places that are popular for offshoring -- like India and China -- your rights may not exactly be what you think they are. So there's a comfort level with keeping data within the U.S. borders."
2. How do I access my data?
Cloud computing involves accessing remote applications and data through a client interface, typically a Web browser or perhaps a mobile device. Government cloud customers should consider negotiating service-level agreements for routine access and system uptime.
In addition, agencies need to understand how their cloud vendor will help them respond to specialized data requests.
"What happens if there is litigation?" Orzechowski said. "What happens if there is a subpoena? Or since we're talking about governments, it's very possible you'll have a FOIA [Freedom of Information Act] request. How will the vendor pull this data for you? These are points that are worthwhile to negotiate. It's very important to have a vendor that can actually respond to a subpoena. They need to pull only the information relevant to the subpoena and not put other cloud-based information at risk."
Also, find out how much your vendor intends to charge for responding to a FOIA or e-discovery request. "That can be a very big surprise," he said. "You may even want to prenegotiate the rate for that type of work when you do the initial contract."
3. How secure is my data?
Cloud vendors need to satisfy two types of security requirements: physical and logical.
Your agency may have specific physical security requirements. Background checks, fingerprinting or drug tests may be required for staff working in data centers that house your data. Make sure your cloud computing vendor understands and can comply with these rules. Luckily vendors are becoming more accustomed to meeting these requirements, Orzechowski said.
Large cloud computing providers also are becoming more transparent about their logical security processes, and they're typically subject to regular security audits and penetration testing. Still, cyber-terrorism and hacking represent the biggest threats to cloud