Ethics Corner 

Cloud Computing Trend Sparks Compliance Concerns 

2,011 

By Heidi Salow, Jeremy Meier and David P. Goodwin 

A network security breach affecting the Epsilon Internet and email marketing company in April provides an important reminder of the perils inherent in consolidated and integrated data storage. Though the breach reportedly affected only 2 percent of Epsilon’s customers, it included many popular U.S. retailers and financial institutions. This incident further highlights the data privacy and security concerns that will arise with the expansion of “cloud computing.”

Cloud computing is maintaining data, applications and programs on a remote server that can be accessed through many devices, such as desktop computers, netbooks or smartphones. Proponents often describe it as the ultimate on-demand or as-needed computing service. With traditional information technology solutions, customers must buy equipment for computing and storage and buy software to run on those systems.

In the traditional model, customers must always have sufficient capacity to cover their heaviest possible load, regardless of how rarely this heavy load will occur. This results in long time lapses during which customers pay for unneeded equipment. Cloud computing allows for server and computing capacity scalable to any specific need.

This flexibility requires trade-offs. First, customers no longer store their own data on devices they possess. Second, data stored in the cloud must always be accessible from any location, which increases its exposure to hackers and the need for robust measures to deflect security breaches, measures that must not degrade fast encryption and decryption. These trade-offs in turn have implications for data privacy law and regulation.

They are most pressing for IT contractors, but even contractors of non-IT products and services should be mindful of the dependency on and integration with many day-to-day resources that will employ cloud computing.

The Obama administration is clearly focused on the cloud for future information technology needs, which will impact many facets of the defense industry. Late last year, the Office of Management and Budget announced the third element in the president’s information technology procurement reforms, under the broader umbrella of the accountable government initiative, which, along with broad reforms, calls for “cloud first” acquisition strategies and computing solutions.

The broad, amorphous nature of cloud computing makes it difficult to quantify exactly what the government is buying. Many functions addressed in the past through acquisition of items such as networking equipment and software may now be procured through service contracts, which afford more flexibility for and greater demands by the procuring activity. This better facilitates detailed performance work statements, complex evaluation factors and more focus on key personnel.

Pricing mechanisms will also shift. The services contract model also lends itself to a subscription type pricing structure with different concepts of pricing and adjustment of pricing. This pay-as-needed model increases flexibility, but it also eliminates a steady revenue stream.

The shift to a service procurement model also creates potential challenges for resellers who have served as key intermediaries between technology companies and government customers. Master service agreements or master subscription agreements can bridge this gap but they also bind the reseller to set terms, which some agencies may find undesirable. The most successful resellers will be those willing to work collaboratively with cloud computing partners to tailor services and contract terms procurement by procurement.

Contractors should be prepared for requests for proposals from federal, state and local entities seeking certifications as to adequate data protection procedures. Primes or subprimes seeking to integrate cloud computing services should consider their specific needs and all associated risks before procuring such products for existing IT systems. International, federal and state data security laws will vary, so this too must be taken into account.

The following are some of the more important cloud computing best practices for prime and subcontractors or for customers purchasing cloud computing services:

• Domestic Data Storage: In addition to specific contractual requirements for government customers, compliance with international privacy laws can pose major regulatory hurdles and expense. These regulatory concerns can be substantially mitigated by ensuring data is physically stored in the United States.

• Supporting Agreements: Adequate service level agreements and non-disclosure agreements are key to avoiding uncertainty and mitigating potential unintended use of information. Cloud computing service providers also should spell out well-defined contractual terms, which will lend comfort to potential customers, whether government or higher-tiered contractors.

• Facility Security: As noted above, cloud computing hubs are an attractive target for information thieves and those interested in disrupting cloud computing capabilities. Such attacks can plague remote networks, and they just as easily can take the form of physical intrusions and attacks. This renders comprehensive data center physical security and information redundancy at multiple locations an absolute must.

Heidi Salow (salowh@gtlaw.com) and Jeremy Meier (meierj@gtlaw.com) are shareholders and David P. Goodwin (goodwind@gtlaw.com) is an associate with the international law firm of Greenberg Traurig LLP. The views expressed are solely those of the authors.


Reader Comments

Re: Cloud Computing Trend Sparks Compliance Concerns

I, like most people, have been really excited about cloud computing. But with all the recent security breaches, it does have me a bit on edge. I'm looking forward to the implementation of new security measures.

Nan King

Nan on 05/17/2011 at 15:22
