Consider Cloud Computing Consequences

As agencies move to cloud computing - accessing basic computing services and applications over the Internet - some unforeseen consequences will occur. The Office of Management and Budget and the CIO Council want to head them off before they become serious.

Case in point: Private information could be compromised when a cloud computing provider changes its terms and policies without notifying clients (like an agency), a common provision included in provider's agreements with customers, Federal News Radio reported on Tuesday. If that happens the public's personally identifiable information could be exposed.

The warning is included in a document the council released on Aug. 19 outlining risks agencies should consider when pursuing cloud services - and make provisions to mitigate them. Other risks include (CCP stands for cloud computing provider):

1. The data could become an asset in bankruptcy, particularly if the Terms of Service or contract do not include retention limits.

2. Depending on the location of the CCP's servers or data centers, the CCP might allow or be required to permit certain local or foreign law enforcement authorities to search its data pursuant to a court order, subpoena, or informal request that would not meet the standards of the Privacy Act of 1974.

3. The individual providing the information has no notice that explains that his or her information is being stored on a server not owned or controlled by the U.S. Government. Thus, when the individual person attempts to access his or her data, he or she is unable to do so and is left without proper redress.

4. The data stored by the CCP is breached and the CCP does not inform the government or any of the individuals affected by the incident.

5. The CCP improperly implements Federal security requirements (i.e., finds them cost-prohibitive or cumbersome) and thus inadvertently allows the data it is storing in the cloud to be viewed by unauthorized viewers.

6. The CCP fails to keep access records that allow agencies to conduct audits to determine who has accessed the data.

7. The Federal government cannot access the data to perform necessary audits. The data has been moved to a different country and a different server and the government suffers a loss in reputation and trust.

8. The Federal government fails to keep an up-to-date copy of its data. The CCP accidentally loses all of the government's data and does not have a back up.

It's a good bet that more risks and consequences will be exposed in due time.