Experts say security concerns about cloud computing are overstated

Think tank and industry experts downplayed widespread security concerns surrounding a government transition to cloud computing Thursday, saying the cloud may actually be safer than traditional storage of government information in federally owned data centers.

Technology has been developed, though not widely implemented, that allows cloud storage providers to host encrypted data that only the data's creators can decrypt, not its hosts, said Dan Reed, Microsoft's vice president for technology policy.

That technology also includes monitors that tell a government agency or other data creator if the cloud provider babysitting the data makes any attempt to decrypt it, he said.

There's also new technology in the pipeline that would allow agencies and other data creators to analyze and sift their own data while it's in the cloud without first decrypting the data itself, he said.

Reed was speaking at a panel discussion on the not-yet-introduced 2011 Cloud Computing Act, hosted by the Brookings Institution. There's been a great deal of speculation about what that act, sponsored by Sens. Amy Klobuchar, D-Minn., and Orrin Hatch, R-Utah, will include.

The act is expected out in a matter of weeks.

Cloud computing providers essentially sell information storage space on remote computer servers much like a utility sells electricity or water, with buyers paying only for the amount of space they actually use. Critics have said cloud storage limits federal agencies' ability to safeguard their own data.

Consolidating data into a cloud storage facility -- which may be the size of a football field or larger -- creates a larger target profile, according to Darrell West, director of Brookings' Center for Technology Innovation and the panel moderator, but it also creates economies of scale. "You can bring to bear some more best practices [and] professionals whose only job is to think about these kinds of issues," he said.

"There are some collateral advantages of cloud consolidation in terms of raising security standards," he said. "If you're a small business, odds are your security is not very good. You likely don't have the revenue or the IT expertise to procure world-class security."

Another major question about cloud computing is the ease with which information can be stored across international borders.

U.S. and European officials have been meeting regularly to try to reach standard or nearly standard agreements about how one nation's information should be treated when it's stored in another nation and what legal rights the hosting nation might have, according to Philip Verveer, the State Department's deputy undersecretary for information policy.

The Japanese tsunami wiped out personal records for many people in the worst-hit areas, Verveer said, which has prompted the Japanese government to consider storing duplicates of some of its vital government information in North America.

Japan and the host nation would have to negotiate a very complex agreement about Japan's control over that information before that could be a possibility, he said.