Cloud Computing Trend Sparks Compliance Concerns
By Heidi Salow, Jeremy Meier and David P. Goodwin
A network security breach in April at Epsilon, an Internet and email marketing company, provides an important reminder of the perils inherent in consolidated and integrated data storage. Though the breach reportedly affected only 2 percent of Epsilon’s customers, those customers included many popular U.S. retailers and financial institutions. The incident further highlights the data privacy and security concerns that will arise with the expansion of “cloud computing.”
Cloud computing means maintaining data, applications and programs on remote servers that can be accessed from many devices, such as desktop computers, netbooks or smartphones. Proponents often describe it as the ultimate on-demand or as-needed computing service. With traditional information technology solutions, customers must buy equipment for computing and storage and buy software to run on those systems.
In the traditional model, customers must always have sufficient capacity to cover their heaviest possible load, regardless of how rarely this heavy load will occur. This results in long time lapses during which customers pay for unneeded equipment. Cloud computing allows for server and computing capacity scalable to any specific need.
This flexibility requires trade-offs. First, customers no longer store their own data on devices they possess. Second, data stored in the cloud must always be accessible from any location, which enlarges the attack surface and increases the need for robust measures to prevent breaches, including encryption that protects the data without degrading performance. These trade-offs in turn have data privacy law and regulation implications.
These implications are most pressing for IT contractors, but even contractors of non-IT products and services should be mindful of their dependency on, and integration with, the many day-to-day resources that will employ cloud computing.
The Obama administration is clearly focused on the cloud for future information technology needs, which will impact many facets of the defense industry. Late last year, the Office of Management and Budget announced the third element of the president’s information technology procurement reforms, under the broader umbrella of the accountable government initiative. Along with broad reforms, it calls for “cloud first” acquisition strategies and computing solutions.
The broad, amorphous nature of cloud computing makes it difficult to quantify exactly what the government is buying. Many functions addressed in the past through acquisition of items such as networking equipment and software may now be procured through service contracts, which give the procuring activity more flexibility and allow it to make greater demands. This better facilitates detailed performance work statements, complex evaluation factors and more focus on key personnel.
Pricing mechanisms will also shift. The services contract model lends itself to a subscription-type pricing structure with different concepts of pricing and price adjustment. This pay-as-needed model increases flexibility, but it also eliminates a steady revenue stream.
The shift to a service procurement model also creates potential challenges for resellers who have served as key intermediaries between technology companies and government customers. Master service agreements or master subscription agreements can bridge this gap but they also bind the reseller to set terms, which some agencies may find undesirable. The most successful resellers will be those willing to work collaboratively with cloud computing partners to tailor services and contract terms procurement by procurement.
Contractors should be prepared for requests for proposals from federal, state and local entities seeking certifications as to adequate data protection procedures. Prime contractors and subcontractors seeking to integrate cloud computing services should consider their specific needs and all associated risks before procuring such products for existing IT systems. International, federal and state data security laws will vary, so this too must be taken into account.
The following are some of the more important cloud computing best practices for prime contractors and subcontractors, or for customers purchasing cloud computing services:
• Domestic Data Storage: In addition to specific contractual requirements for government customers, compliance with international privacy laws can pose major regulatory hurdles and expense. These regulatory concerns can be substantially mitigated by ensuring data is physically stored in the United States.
• Supporting Agreements: Adequate service level agreements and non-disclosure agreements are key to avoiding uncertainty and mitigating potential unintended use of information. Cloud computing service providers also should spell out well-defined contractual terms which will lend comfort to potential customers, whether government or higher tiered contractors.
• Facility Security: As noted above, cloud computing hubs are an attractive target for information thieves and for those interested in disrupting cloud computing capabilities. Such attacks can arrive over the network, and they can just as easily take the form of physical intrusions. This renders comprehensive data center physical security, and redundant copies of the information at multiple locations, an absolute must.
Heidi Salow (email@example.com) and Jeremy Meier (firstname.lastname@example.org) are shareholders and David P. Goodwin (email@example.com) is an associate with the international law firm of Greenberg Traurig LLP. The views expressed are solely those of the authors.