What Happens if There’s a Massive Data Breach in the Cloud?



Government IT systems have taken a beating lately, with the recent breach at the Office of Personnel Management, which exposed some 21-plus million federal employee records, being just the cherry on top of what’s been a cybersecurity sundae from hell for most agencies.

But coincidentally, none of these breaches involved cloud systems.

Federal cloud security standards, governed by the Federal Risk and Authorization Management Program (FedRAMP), have been hugely successful thus far in ensuring cloud service providers that serve government customers aren’t bringing knives to gun fights.

It should be noted that while the Obama administration intends to spend some $7.5 billion on provisioned services like cloud computing next year, it still spends tens of billions more on legacy data centers, which store most of the data the government collects.

That’s true in the private sector as well.

High-profile hacks of Sony, U.S. health insurer Anthem and Target all hit those companies’ internal data centers, and perhaps that shouldn’t be surprising. Statistics vary, but it’s likely that less than 10 percent of all data held by private sector companies worldwide is stored in the cloud, so most of what’s vulnerable is sitting on premises somewhere.

The fact that cloud service providers can automate software patching for their customers, something the government has a hard time doing on its own, is a strong argument against the myth that cloud computing isn’t as secure as traditional data centers.

But what happens if and when the first big federal system is breached in the cloud? Will all the efforts in building up cloud’s reputation as secure go by the wayside?

“My fear is that we’ll have a break-in in the cloud in the next three to five years and blame it on the cloud instead of the lack of effective authentication mechanisms,” said Patrick Stingley, chief technology officer at the Interior Department’s Bureau of Land Management. “I’m afraid when something blows in the cloud, we’ll blame cloud and it won’t be the cloud.”

Stingley expressed his concern on a panel at Thursday's ATARC Federal Cloud Computing Summit. He seemed to suggest that goodwill built up toward cloud computing platforms in the risk-averse government in recent years might evaporate if there’s a big breach.

Yet, as other panelists, including Defense Intelligence Agency Chief Innovation Officer Dan Doney, pointed out, even the intelligence community has embraced cloud. The Defense Department, too, continues to move slowly toward cloud, even as other federal agencies, like the Federal Communications Commission, have moved all in.

At some point, the odds suggest cloud providers with government customers will be hit by data breaches. What happens then?

Leo Wong, chief information security officer for the Agriculture Department’s Food and Nutrition Service, said the response would depend specifically on the agreement between the agency and the cloud provider. He also gave very direct advice to agencies weighing a move to the cloud.

“Read the fine print on your service level agreements for who is responsible for intrusions,” Wong said.

(Image via wk1003mike/ Shutterstock.com)