The Cloud Seen from the U.S.A.
Stephen R. Bell, Counselor to the U.S. Coordinator, International Communications and Information Policy, U.S. Department of State
OUTLINE
- Commercial drivers of Cloud services: economic and technical
- U.S. Government drivers of Cloud services: economic and technical
- Government consumers face many of the same issues as commercial consumers: security, standards, procurement issues
- The U.S. Government has undertaken a systematic public examination of the issues and has begun to formulate responses
Commercial Drivers
- Cost savings: a complex issue, and not many good studies exist. Market demand growth ($40 billion in 2010 to $241 billion in 2020) may be a reasonable proxy.
- Improved efficiencies:
  - Shift from capital expenditures to operating expenditures
  - Improve utilization
  - Improve management oversight
  - Improve lead times
  - Access innovation
- There are no good studies of the value of these efficiencies.
Cost Savings: Government Drivers
- The Federal government spends $80 billion on IT annually; $20 billion could be shifted to Cloud services.
- Early adopters' savings have been identified: GSA email migration $15 million; Dept. of Ag. email migration $27 million; Air Force Personnel Services Delivery $4 million annually.
- By FY 2013, estimated savings of $100 million annually from email alone.
Improved Efficiencies
- Same list as for commercial consumers, with some specificity about results:
  - Air Force Personnel Services Delivery improved customer search times from 20 minutes to less than 2 minutes
  - Dept. of Ag. email consolidated 21 fragmented email systems
  - GSA email system eliminated redundant email infrastructure at 17 locations
  - HHS electronic health records reduced time to go live from 1+ years to 3 months
- Private Cloud solutions are being implemented by the USG.
- From 1998 to 2010, the Federal government went from 432 data centers to 2094; IBM went from 235 to 12.
- By the end of 2012, 429 data centers will be closed.
Business and Contracting Models Must Be Changed in the Public Cloud Environment*
- Select appropriate provider
- TOS and other agreements (NDAs, choice of law)
- SLAs
- CSP and integrator roles
- Appropriate standards
- Security, privacy, e-discovery, FOIA, e-records
SLAs
- Definition of acceptable service: uptime definitions vary.
- Availability is another complicated concept that should be clearly understood and specified.
- Performance, including response time, mitigation time, and availability, should be defined.
- The customer should be promptly advised of a failure by the CSP to meet performance metrics.
- Enforcement mechanisms should be credible and provide clear incentives to the CSP to meet requirements.
- All the relationships in the transaction (e.g., CSP, customer, and integrator) should be clearly defined and responsibilities clearly identified.
Standards
- Use of international, voluntary consensus standards is mandated by Cloud First.
- Conceptual models, reference architectures, and standards to facilitate communications, data exchange and security are under development; some of these are already in place.
- NIST Spec. Pub 500-291 lists relevant standards for security, interoperability and portability.
- Reference architectures enable the consumer to understand the role of all the actors and reach a successful implementation.
Robust Security Analysis
- FISMA, implemented through FedRAMP, seeks to implement government-wide security assessment and authorization.
- Conduct analysis and categorize security requirements.
- Require CSPs to implement a continuous monitoring system.
- Require CSPs to implement an effective incident reporting mechanism and accept liability for data breach incidents in their environments.
- Work with CSPs to implement a key escrow procedure that will meet Agency needs.
- Limit changes to the CSP environment to pre-agreed terms and conditions.
- Employ two-factor authentication.
- On June 6, 2012, FedRAMP announced the government-wide security authorization process.
Privacy: Another Intense Concern
Five key factors for agencies to consider in selecting a CSP relate to privacy:
- Compliance with the Privacy Act of 1974: Privacy Impact Assessments (PIAs) are required when new processing technologies are adopted.
- Policy training for CSPs related to agencies' special requirements.
- Data breach response provisions should include clear duties with respect to reporting, mitigation, and costs associated with notice and credit monitoring, and should address termination of service and retrieval of data.
- Data location considerations involve an analysis of the sensitivity of the data, an understanding of where the data will be stored, and consultation with legal counsel on the laws of that country.
- The contract should cover the requirements for data in motion, incorporate security controls, and define the procedures the CSP must follow if requested to provide data.
E-Discovery
- Not surprisingly, the USG has substantial and robust guidance with respect to records management and discovery:
  - Information management: who owns the records
  - Locating relevant documents to respond to discovery
  - Preservation of data, including metadata
  - Cost savings in responding to FOIA requests
- This guidance applies only to the procurement of CSP services by the Federal Government, but it may be useful to other policy makers addressing the same issues, and the relevant documents might provide a useful part of a checklist for other consumers.