Where's Government Data In The Cloud?

A week later, the USDA disclosed its own cloud services contract award, this one going to Microsoft and partner Dell. In this case, USDA CIO Chris Smith made the use of U.S. data centers a requirement. "We saw that as important," Smith told me.

Microsoft was quick to play up the fact that it committed to keeping USDA data on home soil. "We've heard from our federal customers pretty clearly that the majority of them do require that data they put into our services remains in the United States," said Ron Markezich, VP of Microsoft Online. Within its data centers, Microsoft has cordoned off the servers that serve its government customers and allows only employees who are U.S. citizens to get near them.

Because most government agencies have little experience with cloud services, many are confronting such issues for the first time. When Steve Ferguson, the CIO of San Jose, began evaluating cloud-based applications as a potential replacement for its outdated PC apps, the city’s lawyers wanted to know who would be on the receiving end of any subpoenas that might come in as a result of law enforcement activities or legal proceedings. Would it be San Jose's legal department or, say, Google's? And what if the servers were located not in Oregon, but in France or Ireland?

The ongoing WikiLeaks saga could hold some lessons. According to gadget site Gizmodo, some of WikiLeaks’ data is running on servers located in a data center operated by OVH, a Web hosting company in France, while other data is said to be housed on servers in an underground data center in Sweden. In August, Forbes writer Andy Greenberg speculated that a new Web surveillance law in Sweden could one day be used to “make a legal attempt to gain direct access” to WikiLeaks' data in that country. Greenberg quoted an executive of data center operator Bahnhof as saying that Swedish authorities had not yet attached surveillance equipment to its broadband network, but the exec added, "That day will come."

IT pros who work for the U.S. government must consider "what if" scenarios and the jurisdictional boundaries that could come into play if legal or law enforcement authorities in a foreign country were to come knocking on the data center door of their cloud service provider. For that matter, what if Joe Schmoe came knocking on the data center -- a potential customer, a tech vendor, or a someone else? Bahnhof, the WikiLeaks hoster, apparently gave a tour of its data center to a journalist with the Al Jazeera news network, as you can see from this video report. Who will be within arm's reach of the servers processing your agency's data?

The government's Federal Risk and Authorization Management Program (FedRAMP) and FISMA security certification should go a long way in addressing many of the security issues that are inherent in the cloud, but it would be a mistake to rely on those without doing some first-hand, agency-specific assessment of commercial cloud services.

It's worth noting that the U.S. Army, via an RFP issued in July, is looking to deploy a private cloud and that the Army is open to the possibility of the cloud data center being located outside of the United States. But the Army’s requirements are unique -- using a containerized data center to provide IT support in Afghanistan, for example. And a private cloud would give the Army more control over the environment than it would have over commercial cloud services.

There may be situations where it makes good sense for government agencies to have their data stored in data centers located in distant lands, but government IT pros must evaluate all aspects of the move -- including data security, governance, compliance, and foreign laws -- in making the decision. In many cases, they may determine that there’s no place like home.

Amid many threats, the feds are shorthanded. Here's how they're acquiring hard-to-find skills. Download this issue of InformationWeek Government now (registration required).