
ebizQ's Business Agility Watch


Privacy in the Public Cloud: Talking With Tarak Modi


Listen to my podcast with Tarak Modi, Vice President and CTO of CALIBRE Systems. Tarak is an industry thought leader in IT transformation and current enterprise modernization technologies. In this podcast we discuss one of the hot cloud topics: privacy in the public cloud. Also, here's the link to an image Tarak references in the podcast.

Listen to or download the 12:38 minute podcast below:



PS: To start out with, what are the issues around privacy of information in the public cloud?

TM: Well Peter, we've all heard about the concerns that the commercial and government sectors have about cloud computing in a wide variety of topics such as security, governance, and privacy. Privacy is a complex matter when it comes to the federal government with lots of laws and regulations that limit what can and cannot be done with government-controlled information about its citizens.

The primary regulations they're talking about include the Privacy Act of 1974 and the E-Government Act of 2002. Both of these regulations emphasize the need to clearly define how the information that federal agencies collect and retain can be used, shared, and disclosed both internally and externally. It also specifies how the individuals of the concerned information are to be notified of changes affecting their information or privacy rights. Also, as one would expect, these regulations also state the minimum security requirements for protecting access to and the integrity of the information. But perhaps most importantly, these fundamental rights about privacy are applicable and enforceable regardless of where the information is stored.

So what is this information the feds are so worried about protecting? The information that we're talking about is referred to as Personally Identifiable Information or PII. And to avoid any debate, the Office of Management and Budget, OMB, issued Memorandum 7-16, which defines PII as information which can be used to distinguish, or trace an individual's identity all by itself such as a name, social security number, or biometric record, or when it's combined with other personal information linked to an individual such as a date, or place of birth, or a mother's maiden name.

PS: Interesting. Now, to me that sounds like it could be a serious roadblock to the feds actually using public clouds. So what are the feds doing to overcome this?

TM: Yes Peter, you're absolutely right. Privacy and security concerns are at the top of the minds of federal agency CIOs and privacy officials. After all, which agency would want to be on the front page of the Washington Post for a breach of privacy of millions of U.S. citizens? So yes, using public clouds in which these agencies have little or no direct control over their data is indeed a serious concern. And given what's at risk, these guys tend to follow the model, think a million times and act once. And while it's definitely good to be skeptical, misguided fear can severely impede progress.

So to help agencies evaluate their fears in an objective and rational manner, the Cloud Computing Subcommittee of the Federal CIO Council published their privacy recommendations for the use of cloud computing by federal agencies last month, in August. The paper provides privacy issue related guidance to agencies considering moving their information systems that contain PII to cloud computing providers. At the same time, the paper is not meant to be an end all, as each agency must still consult their own legal counsel and privacy offices to obtain advice and guidance on particular laws and regulations governing their own information.

I think it's worth pointing out that the paper clearly states that its purpose is not to discourage agencies from using cloud computing. In fact, they mention a couple of times that a thoughtfully considered cloud computing solution can actually end up enhancing information privacy and security.

PS: That makes sense. Now what are some of the specific risks that federal agencies face as they store the PII on public clouds?

TM: Well, the Federal CIO Council has identified nine specific risks that agencies need to be wary of as they select and partner with a cloud computing provider. The first risk revolves around the permanent use of information collected by the provider with the provider using data for its own profit. A second risk is if the provider ever went bankrupt, the data could become an asset of another party, which might use the data in ways that could violate the privacy of the citizens. The third risk is actually rooted in the very foundation of cloud computing in which data could be geographically dispersed even across international boundaries, which could expose the data to foreign law enforcement authorities and violate the requirements of the Privacy Act.

And then there's the risk that the provider might not notify the government of security breaches, hence, putting the citizens in harm's way. This might be a result of the provider either not properly implementing federally required security controls, perhaps thinking that they're redundant, cost prohibitive, or cumbersome.

A further risk is that the provider might not keep adequate access records that would allow agencies to conduct audits to determine who has access to data. Poor data availability might increase the risk that citizens cannot access their data as required by law or the risk that the agency may not be able to access the data to perform necessary audits exposing the agency to a breach of public trust.

And finally, if the agency does not keep an up-to-date copy of its data, a disaster at the provider might result in the complete loss of data, once again, exposing the government to serious liabilities. So Peter, what's the common theme across all these risks? The root cause of each one of these risks lies in the fact that once an agency chooses a cloud provider to collect and store information, the individual is no longer providing information only to the government, but also to a third party who may not necessarily be bound by the same laws and regulations.

PS: That makes sense and that certainly is a lot of risk. Now, exactly how do the agencies mitigate these risks?

TM: Oh, that's a great question. Successful mitigation of the risk identified in the previous question is key to the widespread adoption of cloud computing in the federal government. So let's look at three very specific recommendations made by the Federal CIO Council in their paper. Number one, agencies should prefer contracts over provider's standard terms of service agreements because most if not all such terms of service agreements are not written with federal privacy and security requirements in mind.

In fact, most providers, for example, reserve the right to change their terms and policies at will, which is a major risk in itself. For both of these reasons, an explicit contract is better suited to comply with and audit the privacy concerns outlined in the previous questions rather than trying to modify the provider's boilerplate agreements.

Appropriate contract language can help ensure that providers are transparent about how they use the data they store. Without such precautions, there's no way an agency can ensure that the provider does not either use the information itself or share the information with other third parties without the knowledge and approval of the contracting federal agency.

Number two, agencies should conduct privacy impact analysis of the data [indiscernible] proposed by the provider for cloud storage. Section 208 of the E-Government Act and OMB Memorandum 3-22 clearly define the circumstances under which an agency should perform a privacy impact analysis. A privacy impact analysis should also be conducted even if the federal system that's being transferred to the cloud is already covered by an existing assessment to be 100% sure that the privacy risks have not changed because of the provider.

And last but not least, agencies should ensure that selected providers comply with FISMA, especially if agencies plan to collect and store information that's characterized at a moderate level. Agencies must also consider [indiscernible] reporting obligations that are imposed by FISMA and related federal policy which would apply in the event that there are maintained by the agency and the cloud is compromised.

Currently, federal agencies must report PII related information security incidents to the US Computer Emergency Readiness Team or US-CERT at the Department of Homeland Security within one hour of discovering the incident. Now obviously, this requirement would flow down to the provider as well via a legally binding contract. Most importantly, an agency considering a provider to store PII must also include the senior agency official responsible for privacy from the very beginning of the selection process to ensure that the privacy rights of individuals continue to stay protected.

PS: That's excellent to know. Now, what other developments do you think that people still need to be aware of?

TM: Oh, there's lots going on in the federal government related to cloud computing. So let's start with the not so exciting news. The Senate Appropriations Committee recently voted to reduce the Fiscal 2011 spending on key Obama IT initiatives including cloud computing. The two main cuts include a $10 million cut to the integrated efficient and effective use of IT aimed at developing a shared set of online applications, which would have been ideal for a software-as-a-service type cloud computing platform.

The second blow came as senators designated only $20 million of the President's $35 million request to consolidate IT infrastructure through cloud computing. Now, let's move onto the good news starting with FedRAMP, which is getting even better with Version 2 of the security requirements for cloud providers almost ready for release. So people who have listened to my previous podcast might recall that FedRAMP is truly a blessing to the adoption of cloud computing and the federal agencies by providing a unified government wide risk management framework that centralizes the cumbersome certification and security management of cloud computing platforms and solutions. And Version 2 of FedRAMP is going to be even a bigger blessing.

The other exciting news is that Google Apps, a public cloud platform, just got FISMA certified. That is simply amazing and it sets the precedent that, yes, it's possible for a public cloud to get FISMA certified despite the red tape. Google Apps is certified as moderate. This means that it can hold sensitive but not classified information and that's not really an issue since 80% of the federal information is not classified anyway.

And finally, there's one more success story to share with the Department of Energy's launch of a private cloud that lets researchers automatically request virtual servers on demand. The story is definitely one for the books as it is actually the culmination of an effort that started over four years ago when the lab decommissioned 100 physical servers and deployed 300 virtual machines on just 13 physical servers. Today, the lab has over 400 virtual machines running on these same 13 servers and has saved over $1.4 million in the process. So Peter, as you can see there's no shortage of exciting activities that are on clouds in the federal government.

ebizQ’s expert blog team covers a broad range of BPM, business integration, business analytics/monitoring, collaboration, content and related issues.

Peter Schooff

Peter Schooff is Contributing Editor at ebizQ, and manager of the ebizQ Forum. Contact him at pschooff@techtarget.com
