Is Taxpayer Information Appropriate in the Public Cloud?

by David Howe, Civitas Group
Wednesday, February 15, 2012

Spurred by former Federal CIO Vivek Kundra’s Cloud First Policy, technology hype, and an increasingly tight budget environment, Federal agencies have begun to select services for migration to the cloud. Most of the IT systems identified so far are public-facing websites, enterprise email or business applications (e.g., capital planning, power management, HR) – all generally non-mission-critical applications.[1] These deployments, whether implemented or planned, use a mix of public, private and hybrid cloud environments.[2]

While many of the services on the current list of planned deployments do not necessarily contain taxpayers’ personally identifiable information (PII), there are myriad government systems that do. Significant caution should be exercised when considering transporting systems with U.S. taxpayer PII into public cloud environments.

Taxpayers, in general, put trust in the government to collect, maintain and use their personal information in a secure and reasonable manner. Given the knowledge with which the government is entrusted, this proposed, broad-based migration to the cloud raises numerous concerns. Notably, how does the handling and use of sensitive data (e.g., PII) change from a security and privacy perspective as services move from government-owned and -managed systems to a vendor-owned and -operated public cloud?[3] What additional risks are introduced, particularly when consolidating sensitive data in one environment? Are the baseline security controls established by the National Institute of Standards and Technology (NIST) and in the new FedRAMP regulations, as well as the agency-specific security controls, sufficient? What risk is there of a third-party vendor poaching information within the public cloud?

Service level agreements (SLAs) and Certification & Accreditation (C&A) documents associated with government cloud implementations that are not readily available for public review do not provide much comfort to taxpayers about the manner in which their data could be used in a public cloud environment. Ultimately, this lack of transparency leaves too many questions unanswered and could undermine public trust in the government handling of taxpayer information.

Federal agencies and IT managers need to carefully think through the cloud migration process and determine the appropriate combination of and balance between the various deployment models (i.e., public, private, community, hybrid) and delivery models (i.e., SaaS, IaaS, PaaS). While no data systems containing taxpayer PII are currently slated for migration to public cloud environments, certain agencies are evaluating the possibility and will continue to do so in the coming years. It would be prudent for the Federal government to limit initial public cloud deployments to services and systems that do not involve sensitive taxpayer information until these outstanding questions are properly and thoroughly addressed.

The final FedRAMP security controls released in January 2012 address some of these concerns by delineating a set of minimum controls largely based on NIST standards. The previously released draft framework also listed a series of privacy-related questions that should be addressed by government IT managers prior to systems migration. The answers to these questions should be transparent to the American public; it is, after all, the American taxpayers’ information that is at stake, not that of the government official who is responsible for transitioning that information. Key questions vital to U.S. citizens and taxpayers include:

  • Will the ownership of data remain under the sole ownership of the Federal Government at all times? How will backup information be returned to the Federal Government in the event the contract [with the cloud provider] is ended or the cloud provider files for bankruptcy?
  • Is there a documented process to address the removal or control of PII upon the termination of the contract between the agency and the cloud provider?
  • Can the cloud provider utilize any data stored on their systems for any purpose outside agency use?
  • Does the contract contain language to restrict the sharing of privacy data with any entity not explicitly authorized in the contract?

While these questions are meant to provide some clarity regarding privacy practices prior to the awarding of contracts and information migration, what audit, oversight, and enforcement mechanisms do government managers actually have? Moreover, what mechanisms do U.S. individuals actually have?

The Federal government, without a doubt, holds vast amounts of data about U.S. taxpayers, whether in the form of financial information (IRS), health records (VA), criminal records (FBI) or children’s test scores (U.S. Department of Education). Given that the overall transition to the cloud remains in its nascent stages, it is imperative that, prior to pursuing any migrations to a public cloud, the risk to taxpayer information is fully considered and appropriate, transparent controls are in place to maintain public trust.


[2] For example, the Department of Homeland Security’s (DHS) E-Verify Self Check program has been deployed in a private cloud environment, while the Department of Veterans Affairs’ (VA) Veterans Benefits Management System (VBMS) is slated to operate in a hybrid (i.e., both public and private components) cloud environment.

[3] Granted, many legacy systems currently run in off-premise datacenters – ultimately, the greatest difference in operating environment arises when a service transitions from a fully government-controlled, single-tenant environment to a multi-tenant, vendor-controlled, public cloud environment. The shift from a legacy server-based government-operated computing environment to a government cloud computing environment does not signify a meaningful change in data governance or oversight that should concern U.S. taxpayers.
