Although the term "cloud computing" was coined only in 2007, the 9th Cloud Expo, which concluded in November, produced three key takeaways: private Platform as a Service (PaaS), the movement of cloud applications from proof of concept to production environments, and the need for attention to policy and governance. The last of these may be the technology's elephant in the room. In the abstract, cloud computing is touted as easy to implement, scalable for storage and user "licenses," and agnostic to desktop environments. Being agnostic to desktop environments, however, does not translate into being agnostic to the business environment. The well-publicized dissatisfaction of the Los Angeles Police Department (LAPD) with its initiative to implement Google Docs is clear evidence that ignorance of business context is no excuse. A $7.2 million lawsuit and unfavorable publicity underscore the need for due diligence, on both the client and vendor sides, in defining assumptions and expectations before embarking on a significant cloud computing project.
Policy management, information assurance and governance considerations reflect the real operational business environment. That is where adaptation driven by the business's survival - not the technology's affordability - takes priority. In the LAPD case, information use is constrained by agreements with external organizations such as the FBI and other law enforcement agencies. Organizations must clearly articulate their requirements for how data is managed. Will third parties be involved in storing data? How will incidents of data compromise be handled? Who will be notified, and when? What privileges does the client retain to track and audit data usage? How will e-discovery requests be addressed? And, significantly, where will the data reside physically -- and what rules apply under that legal jurisdiction? Will companies be liable for illicit use of their resources by employees?
In November, the special agent who directs the FBI's regional forensics lab addressed Regis' computer forensics class. When asked about the prevalence of cloud-based storage for illegal materials, he indicated that the local forensics lab has not seen cloud storage as yet. The cases they have handled have been worked using standard operating procedures (SOPs), bench warrants and international governmental agreements. He did, however, acknowledge that storage of illegal images (child porn) is an issue that is being discussed, but that case law is needed to clarify control and collection of evidence.
The UK's CIO proposed G-Cloud as a private government cloud computing infrastructure with an onshore presence, as a way of delimiting legal jurisdiction and ensuring that data governance standards, with respect to privacy and ownership for example, are consistent with stated national policy. Private clouds may also offer some protection from the unintended consequences of the 1986 Electronic Communications Privacy Act. In the early days of email, when mailbox size was limited by service providers, the common practice was to download messages to one's hard drive and delete them from the carrier. The law's provisions reflect that practice, although the practice itself is now obsolete. Documents (including email messages or photos) are deemed abandoned property after being stored on third-party servers online (for example, Hotmail, Google, AOL, Facebook, Dropbox -- all components of "the cloud"). As such, they may be obtained by government agencies without a warrant if deemed relevant to an investigation. Legislation (S.B. 1011) has been introduced to revise these terms in recognition of the evolved practice of "stow and go" by many individuals and organizations in our data-retentive culture. Congress had not taken definitive action as of November 29, 2011.
If 2012 indeed heralds more movement into production mode for cloud yea-sayers, results from recent surveys by CompTIA and Synergy suggest that small- and medium-sized businesses (SMBs) are more likely to use public cloud platforms than larger enterprises. At least 35 percent of the SMBs who responded have already implemented cloud computing practices to take advantage of simpler application rollout, flexible storage capacity, and reduced hardware investment. The challenge will be for them to define their data policy and governance standards before selecting a vendor. Again, the LAPD serves as an object lesson in the consequences of not establishing clear business context parameters: once the vendor choice is made, negotiating leverage for desired terms on policy and governance is weakened.
Cloudbook: The Cloud Computing & SaaS Information Resource. Retrieved November 29, 2011 from: http://www.cloudbook.net/directories/gov-clouds/gov-program.php?id=100018
Cullen, S. CompTIA Study Shows Cloud and Mobility Top Priorities for SMBs. Symantec Official Blog (August 16, 2011). Retrieved November 29, 2011 from: http://www.symantec.com/connect/blogs/comptia-study-shows-cloud-and-mobility-top-priorities-smbs
Geelan, J. Cloud Expo Takeaways: Cloud Policy and Governance is the Missing Link. Cloud Computing Journal (November 28, 2011). Retrieved November 29, 2011 from: http://cloudcomputing.sys-con.com/node/2073684
Kravets, D. Aging 'Privacy' Law Leaves Cloud E-Mail Open to Cops. Wired (October 21, 2011). Retrieved November 29, 2011 from: http://www.wired.com/threatlevel/2011/10/ecpa-turns-twenty-five/
Cloud Security Alliance -- A member-driven organization whose mission is to promote the use of best practices for providing security assurance within cloud computing, and to provide education on the uses of cloud computing to help secure all other forms of computing. (https://cloudsecurityalliance.org)
Information Law Group -- David Navetta and Richard Santalesa offer a free one-hour webinar on "Contracting for Cloud Computing." (http://www.infolawgroup.com/tags/cloud-users-bill-of-rights/)
National Institute of Standards and Technology (NIST) -- US government agency that has recently added a draft cloud computing technology roadmap to its authoritative series on information security. (http://www.nist.gov/itl/csd/cloud-110111.cfm)