As part of my Grumpy Old Man series, today I’m taking a look at the challenges that lie ahead of today’s most widely hyped technology — cloud computing.
Before government agencies can realize the benefits of cloud computing, a number of challenges must be overcome. Government information technology must conform to rules and regulations that are quite different from those that commercial entities follow.
The following is a list of the top ten “gotchas” that we have experienced when implementing cloud solutions with governments around the United States.
1. Workstation lockdown. Many agencies lock down users’ workstations, including browser settings that may be required to access cloud-based services. Users who cannot change their browser settings may be repeatedly challenged for login credentials or be unable to see certain pages or content. Users are unlikely to have permission to install applications or applets in a government environment, which makes deployment a significant effort.
2. Foreign citizens in the data center. Many countries, including the United States and Canada, have regulations regarding the nationality of people who have physical access or administrative access to computers in a data center. Larger cloud providers are building hosting facilities that restrict who is eligible for hire and that require security and background investigations.
3. Product certification. Agencies often maintain a list of software applications that have been tested and certified. Because the certification process takes time, new versions of products are not available immediately, sometimes for several months.
4. Authorization of upgrades. For commercial customers, instant upgrades seem like a desirable feature. For government agencies this is not necessarily the case. Many agencies test new versions (see number 3), and any new feature may also require user training, so government customers prefer that no upgrades or enhancements be made without explicit authorization. This means a hosting provider would have to maintain different versions of its software for different customers.
5. Government data center certifications. To meet government requirements, data centers must meet some industry standards as well as standards that are unique to government. In the United States, for instance, federal data centers must comply with the Federal Information Security Management Act of 2002 (FISMA). Large cloud providers are likely to have this certification. An important consideration is that these certifications and security guidelines were written before cloud computing took off, so they do not specifically address the concerns of cloud deployments. Regulations are likely to catch up with today’s technology eventually and call for stricter behavior by vendors.
6. Hard to find the throat to choke. Despite marketing promises of a carefree cloud lifestyle, bad things can happen in the cloud. Recently, hackers from foreign countries have successfully attacked servers at the Pentagon and the NASDAQ stock exchange, even though those servers were housed in their owners’ own secure facilities. Will shared cloud hosting facilities withstand such attacks better? Google, Amazon, Salesforce.com and Microsoft have all experienced outages that affected thousands of companies and lasted longer than customers might expect from their service level agreements. In press accounts, none of these major cloud vendors has been forthcoming with a detailed explanation of why the disruptions occurred.
7. Prohibitions on peer-to-peer. Many of the hottest software packages in the commercial world use technology that is forbidden by government, especially for real-time collaboration such as chat, video, and desktop sharing. These peer-to-peer technologies are tightly controlled when they involve connections outside the government network.
8. Privacy rules. Standards such as the Health Insurance Portability and Accountability Act of 1996 (HIPAA) in the United States impose significant restrictions on the disclosure of health information and require data owners to ensure that their cloud providers are capable of fulfilling these rules. In addition to U.S. federal requirements, states including Arkansas, California, Connecticut, Maryland, Nevada, Oregon, Rhode Island, Texas and Utah have enacted their own privacy laws. In Europe, privacy rules are even more restrictive and vary from one country to another.
9. Classified data. As one might expect, classified data is not suitable for cloud solutions. This means that the military and intelligence communities can leverage cloud technology only in dedicated environments under their physical control. Classified data is more common than one might expect, however, even outside military and intelligence agencies.
10. Legal contracts. Government customers demand contractual provisions that may be unpalatable for cloud providers. Large systems integrators such as HP, Lockheed and Northrop Grumman have years of experience in negotiating these contracts, but for new cloud providers (and contractors new to government) these will be choppy legal waters.
This blog post is from http://www.infostrat.com/home/TopTenLists/TopTenGovtCloudGotchas.htm
If I may…
I don’t see any of this as a road block to the cloud, rather things to put in the contract and policy when considering the move. Is this a list of “you can’t do it because”? “Gotcha”, hmm.
I would like to field some of these:
5) Google Apps for Gov is FISMA certified
10) All contracts are negotiable
8-9) This keeps getting kicked around and I don’t know why. If it needs to be that secure it should always be encrypted. There is plenty of software, very good software, that makes files uncrackable, or so nearly so that in 300 years when it is finally broken no one will care. Your cloud provider should offer at-rest and in-transit encryption; ours does. But if that is still not enough, encrypt before storing. I would bet that less than 1% of all gov agencies encrypt files at rest on their own internal servers.
1) If you are providing cloud services, why would you lock out your own people?
I could make statements on the rest but thinking about it we have addressed them all internally and I am happy that you have posted such a list for others to follow.
Thanks for reading and for your comments, James.
Jim: Regarding the negotiation of legal terms between a government and a cloud provider, have you seen any public discussion describing the specifics of such a negotiation? I’m looking for examples of terms that were negotiated. Thanks.