Cloud Computing Gains Momentum but Security and Privacy Issues Persist

It's official: Cloud computing has arrived -- and it appears to be the hit of the party. The Pew Internet & American Life Project released survey results in September 2008 reporting that 69 percent of Americans who are online use Web-based e-mail, store data or use software applications over the Internet. In October 2008, the market research firm IDC forecast that spending on IT cloud services would reach $42 billion by 2012.

Government agencies are starting to use cloud computing for storage, applications or development; these services are hosted on a remote server in order to save money on implementation and management. Cloud services are increasingly pervasive and may forever transform how government employees access and manage digital information.

Cloudiness Ahead

But with so many clouds on the horizon for IT, some people worry about potential storms ahead.

"What tends to worry people [about cloud computing] are issues like security and privacy of data -- that's definitely what we often hear from our customers," said Chris Willey, interim chief technology officer of Washington, D.C.

Willey's office provides an internal, government-held, private cloud service to other city agencies, which allows them to rent processing, storage and other computing resources. The city government also uses applications hosted by Google in an external, public cloud model for e-mail and document creation capabilities.

Cloud computing is delivered to users via three main delivery models: software as a service, platform as a service and infrastructure as a service (known as SaaS, PaaS and IaaS, respectively). With SaaS, customers use applications stored on a provider's server. In a PaaS environment, the provider gives customers tools to create their own applications that are stored on the provider's server. IaaS allows customers to rent networking, storage or other IT resources from providers to support in-house infrastructure.

In all arrangements, the clients' data wind up in someone else's hands somewhere along the way. For government, citizens' data is sacred, as is data involving internal business processes. Even when a third-party provider is reputable, it's understandable to experience a tinge of anxiety. You can't control another company's activities the way you can your own.

"For the last 15 years, people have been used to the client-server model," said Kevin Paschuck, vice president of public sector for RightNow Technologies, a company that delivers SaaS. "They've been used to hugging their servers. They walk out the door, and they can see their data and their hardware. They control their own destiny."

But remote hosting can inhibit that feeling of control.

"I don't know exactly where my data is,'" said Tim Grance, a computer scientist in the Computer Security Division of the National Institute of Standards and Technology. "It could be cut into tiny little pieces and dispersed across a large geographical area, and that inherently makes people nervous."

These qualms, however, don't just come from apprehension about the activities of third-party partners. They may stem from external threats too. If an agency's server is hacked, the agency's employees know how they'll handle it, but they don't know how someone else might. It's a given that Salesforce.com, Amazon.com and other big companies aren't slouches in the security department, but their size makes them attractive targets for cyber-attacks.

"Google has had to spend more money and time on security than D.C. government will ever be able to do," Willey said. "They have such a robust infrastructure, and they're one of the biggest targets on the Internet in terms of hacks and denial-of-service attacks."