by Bernard Golden

Cloud Computing Meets Washington: Lots of Data Security and Privacy Questions

Mar 26, 2009, 5 mins

There's a great deal of uncertainty about how data security and privacy laws and regulations apply in a cloud computing environment. That's not good news for policymakers or users.

Last week I was invited to participate in a cloud computing panel at the Newseum, located smack dab between the U.S. Capitol Building and the White House. The Washington D.C. event marked the release of a new report, Envisioning the Cloud: The Next Computing Paradigm. I appeared with the two report authors, Jeffrey Rayport and Andrew Heyward. Rayport is a former Harvard Business School Professor who currently chairs Marketspace LLC, which provides digital strategy consulting services and is part of the high-end strategy consulting firm, The Monitor Group. (Rayport also coined the term “viral marketing.”) Heyward, the former head of CBS News, serves as a senior advisor to Marketspace. My role was to provide commentary on their presentation of the report’s findings.

The overall findings of the report echo its title. The authors conclude that cloud computing offers immense potential and predict that it will shake up many established markets—technology (obviously), but also content.

Something the report highlights is a potential tension between government policy and market competition. Essentially, the authors identify a number of key areas in which the cloud is rapidly evolving or requires sustaining capability: cybercrime enforcement, universal connectivity, privacy, interoperability, etc. They range them on a continuum between government responsibility and market appropriateness (i.e., that the area is one in which the market, rather than the government, is the best place for the issue to be worked out). The report is an excellent overview of the domain and well worth reading. Its elegantly crafted prose also recommends it as a senior management briefing tool.

Something that fascinated me was the attitude and receptiveness of the audience. Attendees were a mix: White House, Congressional, and Agency technology policy folks; social media consultants; a few technology development types; and a goodly representation of media. One thing was clear: even if policy folks are not especially tech-savvy, they’re all aware of the concept of cloud computing and recognize that it has real promise.

After the slide presentation, during which I made some observations about cloud issues and opportunities, the floor was opened for questions. I would say that half of the questions revolved around data security and privacy. Many in the audience were familiar with current government laws and regulations relating to these issues, but had not yet begun to consider how cloud computing will impact them (Heyward commented that today’s laws are based on a mid-80s computing environment).

What many in the audience were not familiar with, however, is the pace of cloud adoption. I pointed out that these issues relating to data are not prospective, they’re in the here-and-now. Most troubling for cloud users are two things:

There is a great deal of uncertainty in how the circa-80s laws and regulations apply in a cloud computing environment. Consequently, it is difficult for individual companies to determine exactly what their responsibilities are with respect to data being placed in cloud environments. This has the inevitable effect of restricting cloud adoption, as many companies will choose to take a wait-and-see attitude, preferring to avoid taking steps that they may later find out are inappropriate, or, worse, put them into non-compliance with penalty-laden laws and regulations.

Clarifying and making laws and regulations more appropriate for cloud computing environments is not something within the purview of individual companies. That is to say, these restrictions cannot be changed by any one organization. Most other aspects of cloud computing can be addressed by individual organizations and settled according to their own preferences. So, for example, on the question of whether cloud computing makes financial sense, a company can look at its own applications and operations, assess the costs of migrating one or more applications to external cloud environments, and decide whether it makes sense—for them. Their decision can be entirely separate from other companies, which can make their own evaluations, based on their circumstances. But the legal strictures that define what data requirements obtain within cloud environments—those lie beyond the capacity of any individual actor to address.

For this reason, I suggested that, despite the obvious wisdom of government staying out of trying to define cloud winners, operating conditions (e.g., SLA requirements), etc., there is a real need for the government to get involved in cloud computing around the issues of data security and privacy. Without cloud-appropriate laws and regulations that make clear what individual companies’ rights and responsibilities are, the adoption of cloud computing will be impaired. As I noted, this issue is especially relevant because cloud computing is being embraced very rapidly. I included a chart in a recent posting that showed cloud computing job postings as being nearly vertical, indicating enormous growth in implementation. I met with a venture capitalist yesterday and he echoed this, saying that all of their portfolio companies are leveraging Amazon EC2 to reduce capital expenditure in the startup phase. So this issue is a right-now one.

It’s probably even more relevant given that the government itself is moving toward making data more accessible. The same day that the cloud computing event was held also featured an open government conference with participation from the new Federal CIO, Vivek Kundra. His mantra is making data more available to allow citizens more visibility into their public servants’ activities. So the Federal government itself will be confronting these issues of data security and privacy in the coming months. You can read more about both the open government event as well as the cloud computing event here.

I predict that data privacy and security will prove to be the thorniest issue regarding cloud computing going forward and that the government will recognize that it needs to move quickly to clarify and support this technology trend.