Priorities in Secure Cloud Storage: Where or How?

March 4, 2014 - For federal agencies, cloud computing holds promise for significant gains in information sharing, mobility, and cost savings, but also presents challenges in terms of how best to secure the nation’s sensitive data from unauthorized disclosure.

In the wake of allegations that the National Security Agency may have used its capabilities to infiltrate databases housed by major multinational cloud providers, governments around the globe are turning inward in hopes of strengthening security and privacy protections for their consumer and proprietary data.

Proposals under consideration in Germany, France, Brazil, and elsewhere would force tech giants like Google, Yahoo, and Amazon to build onshore data centers to protect domestic entities from data mining and prevent foreign governments from ordering those firms to disclose sensitive information . The European Union is currently courting exclusively European cloud vendors to develop a common secure cloud for all E.U. and member state public sector data. In March, European Parliament could vote to suspend the U.S.-E.U. “safe harbor” agreement , which would effectively bar American firms from storing European customer data on U.S. servers.

Experts predict that the new regulations and public backlash will cost both American and international IT service providers between $21 and $35 billion between now and 2016. Less obvious, say experts, is that widespread nationalization of cloud infrastructure may compromise the open nature of cloud computing and unnecessarily hamper its functionality. An ensuing wave of “data protectionism,” spurred by fears of espionage, could undermine the very economies of scale that give the cloud its value, raising costs for both consumers and producers, inhibiting international trade, and stifling innovation.

Mandating that data be stored domestically also does not necessarily guarantee a state’s control over that data, given that other states can assert jurisdiction based on the nationality of the entity that owns the data, the entity accessing the data, or the service provider.

As a December 2013 report by the Information Technology and Innovation Foundation points out, data security depends much more on the measures used to secure it than where it is stored geographically. Therefore, governments can benefit substantially from using resources toward establishing sound guidelines for implementing security procedures and technologies, continuously monitoring systems, identifying breaches, and coordinating responses in partnership with the private sector.

Federal initiatives like FedRAMP and the new NIST Framework aimed at securing the United States’ cloud and critical infrastructures may prove to be valuable tools in preventing unauthorized data disclosure. These cybersecurity efforts can also be bolstered by U.S. diplomacy with international partners to develop common standards for data privacy and intellectual property protection.

- Chris Cornillie, Research Analyst