As cloud computing initiatives take hold in government, agencies need to consider the contracting implications of this new technology model. Managing a relationship where government data could reside on privately owned computing infrastructure located anywhere in the world demands that agencies ask some crucial questions of cloud vendors before they close the deal.
Daren Orzechowski, an intellectual property attorney who specializes in IT and outsourcing issues, said government agencies need answers to four fundamental questions before they choose a cloud computing provider.
Server virtualization technology allows cloud vendors to optimize their use of computing hardware and other IT resources. That can cut costs, especially as the volume of cloud computing customers grows and vendors achieve economies of scale. But virtualization also has a downside.
"Your data could be broken up -- or the instance of your application could be broken up if it's a platform provider -- so your data and software could be in a lot of different places. In the government space, I think this is particularly important to have a handle on," said Orzechowski, a partner in the New York City law firm of White & Case. "On one hand, you have to recognize that the provider gets an economic benefit from being able to break up the data and store it in different places, or virtualize it. At the same time, depending on the sensitivity of the data, the government needs to know where that information is."
Keeping your data within the United States should be a key requirement, he added.
"When you look at what people's expectations about their rights are, they come at it with a very American-centric view. In a lot of places that are popular for offshoring -- like India and China -- your rights may not exactly be what you think they are. So there's a comfort level with keeping data within the U.S. borders."
Cloud computing involves accessing remote applications and data through a client interface, typically a Web browser or perhaps a mobile device. Government cloud customers should consider negotiating service-level agreements for routine access and system uptime.
In addition, agencies need to understand how their cloud vendor will help them respond to specialized data requests.
"What happens if there is litigation?" Orzechowski said. "What happens if there is a subpoena? Or since we're talking about governments, it's very possible you'll have a FOIA [Freedom of Information Act] request. How will the vendor pull this data for you? These are points that are worthwhile to negotiate. It's very important to have a vendor that can actually respond to a subpoena. They need to pull only the information relevant to the subpoena and not put other cloud-based information at risk."
Also, find out how much your vendor intends to charge for responding to a FOIA or e-discovery request. "That can be a very big surprise," he said. "You may even want to prenegotiate the rate for that type of work when you do the initial contract."
Cloud vendors need to satisfy two types of security requirements: physical and logical.
Your agency may have specific physical security requirements. Background checks, fingerprinting or drug tests may be required for staff working in data centers that house your data. Make sure your cloud computing vendor understands and can comply with these rules. Luckily vendors are becoming more accustomed to meeting these requirements, Orzechowski said.
Large cloud computing providers also are becoming more transparent about their logical security processes, and they're typically subject to regular security audits and penetration testing. Still, cyber-terrorism and hacking represent the biggest threats to cloud
computing, especially in the government space, Orzechowski said.
"As you have more and more customers going to certain cloud providers, and those providers become bigger and are housing more data, they'll become bigger targets for hackers and terrorists," he said. "What will happen the first time there's a real big hit, especially if there's government data housed with that vendor? A terrorist or major hacker attack is a test that in the back of everyone's mind may be coming."
The last point to cover during contract negotiations is what happens when the deal is over. How will you get your data out of one vendor's cloud and into another, or back into your own data center?
"There's been talk among some of the big players on having data standards for the cloud space. As a consumer, you are probably are very interested in that," Orzechowski said. "You want to have your data in a form that can easily be ported over to a new vendor. It may not always be in your current vendor's interest to allow for this because they want to keep you captive."
The key is to avoid being held hostage, he said.
"This is something to think about when you're negotiating. What is the template, what are the data sets and how are the fields defined? Get a sense of this and understand it," Orzechowski recommended. "From there, negotiate for migration assistance. Find out how the vendor will help you move to someone else, and how much they'll charge to do that."