Cloud Computing Gains Momentum but Security and Privacy Issues Persist

SaaS and other Web services attract state and local governments, but some host their own private cloud services.

by / September 25, 2009

It's official: Cloud computing has arrived -- and it appears to be the hit of the party. The Pew Internet & American Life Project released survey results in September 2008 reporting that 69 percent of Americans who are online use Web-based e-mail, store data or use software applications over the Internet. In October 2008, the market research firm IDC forecast that spending on IT cloud services would reach $42 billion by 2012.

Government agencies are starting to use cloud computing for storage, applications or development; these services are hosted on a remote server in order to save money on implementation and management. Cloud services are increasingly pervasive and may forever transform how government employees access and manage digital information.

Cloudiness Ahead

But with so many clouds on the horizon for IT, some people worry about potential storms ahead.

"What tends to worry people [about cloud computing] are issues like security and privacy of data -- that's definitely what we often hear from our customers," said Chris Willey, interim chief technology officer of Washington, D.C.

Willey's office provides an internal, government-held, private cloud service to other city agencies, which allows them to rent processing, storage and other computing resources. The city government also uses applications hosted by Google in an external, public cloud model for e-mail and document creation capabilities.

Cloud computing is delivered to users via three main delivery models: software as a service, platform as a service and infrastructure as a service (known as SaaS, PaaS and IaaS, respectively). With SaaS, customers use applications stored on a provider's server. In a PaaS environment, the provider gives customers tools to create their own applications that are stored on the provider's server. IaaS allows customers to rent networking, storage or other IT resources from providers to support in-house infrastructure.

In all arrangements, the clients' data wind up in someone else's hands somewhere along the way. For government, citizens' data is sacred, as is data involving internal business processes. Even when a third-party provider is reputable, it's understandable to experience a tinge of anxiety. You can't control another company's activities the way you can your own.

"For the last 15 years, people have been used to the client-server model," said Kevin Paschuck, vice president of public sector for RightNow Technologies, a company that delivers SaaS. "They've been used to hugging their servers. They walk out the door, and they can see their data and their hardware. They control their own destiny."

But remote hosting can inhibit that feeling of control.

"I don't know exactly where my data is,'" said Tim Grance, a computer scientist in the Computer Security Division of the National Institute of Standards and Technology. "It could be cut into tiny little pieces and dispersed across a large geographical area, and that inherently makes people nervous."

These qualms, however, don't just come from apprehension about the activities of third-party partners. They may stem from external threats too. If an agency's server is hacked, the agency's employees know how they'll handle it, but they don't know how someone else might. It's a given that, and other big companies aren't slouches in the security department, but their size makes them attractive targets for cyber-attacks.

"Google has had to spend more money and time on security than D.C. government will ever be able to do," Willey said. "They have such a robust infrastructure, and they're one of the biggest targets on the Internet in terms of hacks and denial-of-service attacks."

The fear of major corporations' inability to safeguard data may be more imagined than real. After all, if theoretically a company the size of Google couldn't protect its data, its customers likely would leave in droves.

"We're all in the business of security. If you have a breach in security, you're out of business," Paschuck said.

Journeys Through the Mist

The security infrastructure in most environments isn't always aligned with the cloud infrastructure. One reason is because the cloud is evolving to meet changing customer expectations, but the technology that safeguards it isn't evolving fast enough to keep up. Another reason is because the mindset of people focused on security is different from those who are concerned primarily with technological simplicity and innovation.

According to Gregory Ness, senior director of network services company Infoblox, sometimes one group of people is eager to switch to cloud technologies so their organizations can pool resources, simplify service delivery and save money. This doesn't always jibe with what security-minded officials are thinking. They don't want to pool data. They want to segregate it for compliance and regulatory reasons.

"There are two competing mindsets here," Ness said.

In the middle of this push-pull environment is an IT network that must be configured to simultaneously meet the demands of those who want to simplify data in order to share it and those who want to protect it.

Network performance and security are prime reasons why some might avoid the cloud for certain functions -- although these concerns haven't stopped legions of public- and private-sector customers from trying it. Those who are uneasy will likely wait for cloud technology to grow before giving it the go-ahead in the workplace.

"If I have personally identifiable information -- credit cards, Social Security numbers -- I wouldn't use cloud computing," said Dan Lohrmann, Michigan's chief technology officer. "But if it's publicly available data anyway -- [like] pictures of buildings in downtown Lansing we're storing -- I might feel like the risk is less to use cloud computing for storage."

Keeping Things In-House

Instead of a public cloud, a government can build a private cloud and deliver services to agencies in-house. A custom-built private cloud might be worth considering for those with privacy and data ownership issues, and may be an ideal option for tasks that the public model can't deliver yet.

But once you put your information in the hands of any hosted provider, can you ever take it back?

"One that I hear from other IT leaders within D.C. government is, 'What's going to be the migration plan?'" Willey said. "Let's say Google decides to stop delivering Google Docs, for example. What's the solution? What's going to happen to all my documents?"

He's confident in his office's migration plan and its arrangement with Google, but he's aware that the fear is out there. For example, let's say a cloud provider suddenly goes out of business. What then?

"The cloud disappears," Lohrmann said. "They're gone. They're bankrupt. What happened to my data? What happens to that? Those are fundamental questions."

In March 2009, InfoWorld published an interview with Brad Templeton, chairman of the Electronic Frontier Foundation, in which he argued that the Fourth Amendment -- unreasonable searches and seizures -- might not apply to cloud computing.

"The courts have ruled that if you put information in the hands of third parties, even if only for a very specific purpose, you can lose that expectation. So the [U.S. Department of Justice] regularly acts to seize data in third-party hands without warrants -- for example, from webmail providers -- and this will surely expand to all sorts of cloud data," he

said in the interview.

Is a spreadsheet made online as protected as a written piece of paper sitting on a bedside desk? Templeton isn't so sure.

"I'm not saying your cloud files are totally unprotected today, but the standard is much less than the protection given the files on your own computer," he told InfoWorld. "It's also important to understand that even when they do need a warrant to get at your data, the warrant will be served on the hosting company, not you. Many hosting companies will fight for your rights, but nobody is as interested in challenging the warrant as you are."

A Federal Forecast

Does this question of ownership mean people will start canceling their contracts for cloud services? Likely not. But it may play into the development of standards and technology as cloud computing matures. In fact, the federal government may be working on them.

Grance co-authored a working definition of cloud computing with Peter Mell, another computer scientist who works for the National Institute of Standards and Technology. The definition was released by the federal government and included a lengthy description of the technology's characteristics, delivery models and deployment models.

Since cloud computing is still new as an umbrella term for various hosted Web services, however, the debate continues about what it is and how it should be implemented. Consequently the federal government plans to release more drafts of the definition, followed by recommendations on how it should be implemented. Perhaps these might allay some consumer anxiety when they're finalized -- if they ultimately recommend a road map to safe, optimum deployment.

"We plan to write a publication that outlines what we see cloud computing is, its challenges, benefits, things people should consider when deploying applications to the cloud, what the general challenges and issues are, and what might be some things that you can do to enhance the powerful parts of it and mitigate the challenges that come with it," Grance said.

Hilton Collins

Hilton Collins is a former staff writer for Government Technology and Emergency Management magazines.