Cloud technology has matured in recent years, as rising adoption rates have led to new success stories. Despite mounting confidence in the technology, however, standards have yet to be established with regard to data protection in the cloud. As Washington Technology writer Julie Anderson recently noted, this has created disparate practices and policies among cloud providers working with U.S. government agencies.
"The introduction of cloud and mobile services introduces new variables to the protection of these systems," Anderson wrote. "As a part of their services, some vendors may be collecting and processing government information. At stake in this growing trend are the potentially negative implications of the secondary use of government information by contracted service providers - a risk that the current government standards do not adequately confront."
It may be tempting to think that highly regulated agencies are relatively protected against vague cloud contracts, but Anderson pointed out that laws and existing agreements have not clearly outlined the full role that cloud vendors should play in the data security ecosystem. For example, initiatives such as FedRAMP have outlined basic guidelines for vetting providers, but these fall short of establishing protocols for data ownership and collection practices after an agency moves to the cloud.
This ultimately suggests a more pressing need for cloud buyers to take control over their data protection strategies. As Anderson pointed out, cloud vendors themselves may be analyzing the data they collect. Data encryption software eliminates this risk, whether the threat stems from a hacker or from a cloud vendor's overzealous information collection practices.
Cloud disrupts compliance
The risk extends beyond government agencies, as most businesses collect private data from customers, employees or both. One of the pain points created by the cloud is compliance. As Ed Moyle, founding partner of consulting firm SecurityCurve, recently discussed, safely implementing the cloud requires greater collaboration between the IT department and compliance teams.
Maintaining compliance in the cloud requires an assessment of the vendor's infrastructure. Writing for TechTarget, Moyle suggested IT should play a crucial role in this evaluation because technology staff have a greater understanding of architecture requirements and of the company's own safeguards. This allows IT to better identify gaps in the vendor's infrastructure and close them by implementing their own data-centric security solutions.