Talking Cloud Privacy in Washington, D.C.

Posted by Susie Adams
Chief Technology Officer, Microsoft Federal

Greater adoption of cloud computing is considered an inevitable trend by regulators and lawmakers from both sides of the political aisle, according to my fellow panelists at Tuesday’s “@Microsoft Conversations on Privacy” at the Microsoft Innovation & Policy Center in Washington, D.C.

However, we all agreed that the pace of cloud adoption is largely going to be determined by the speed at which cloud providers, consumers and policymakers can clarify roles and responsibilities when it comes to protecting data held by cloud service providers.

This was one of the chief conclusions to come out of our spirited discussion at Tuesday’s event, “Privacy in the Cloud: How Can Cloud Providers Address the Privacy and Safety Concerns of Government, Consumers and Corporate Users?”

I had the pleasure of representing Microsoft on the panel. Joining me were David McClure, Associate Administrator of the U.S. General Services Administration; Ari Schwartz, Senior Policy Adviser at the U.S. Department of Commerce, and Paula Bruening, Vice President, Global Policy of the Center for Information Policy Leadership. Christopher Wolf, Hogan Lovells US LLP Privacy & Information Management practice and co-chair of the Future of Privacy Forum, joined us as moderator.

David McClure said he is questioned frequently about cloud computing by Democrats and Republicans in Congress, and saw little difference in their attitudes towards the technology. Both parties want to know if cloud computing is reliable, secure and economical, McClure said.

“All organizations, public and private, are looking for cost-effective IT,” he said.

Ari Schwartz concurred, and added that he has been convinced about the economic advantages of cloud computing for small and medium-sized businesses for some time. He also believes cloud providers can provide greater security and privacy protections than most smaller organizations can afford to provide for themselves.

Also, as David and I discussed, cloud computing is not radically different than IT outsourcing or the shared services environments that government and corporate customers are used to. What is different and challenging is helping cloud customers understand who is responsible for what when it comes to securing and maintaining the privacy for their data. The responsibilities change for both the cloud provider and consumer depending on the cloud deployment (public, private, hybrid) and service model (i.e., infrastructure as a service, platform as a service, software as a service) chosen.

Paula noted that the complexity of cloud computing is even more difficult for consumers who want to know how to protect the privacy of their information, increasing the importance for companies to embrace the concept of privacy accountability, and to take greater responsibility for the protection and responsible use of their customers’ data.

Everyone agreed that one particularly valuable tool to help clarify privacy roles and responsibilities for government cloud customers will be FedRAMP (short for Federal Risk and Authorization Program), a program that both David and Ari have contributed to that aims to create baseline security and privacy controls for federal agencies considering adoption of cloud services.

Up to now, David said, every agency has been creating their own baselines and applying them in their own ways, resulting in a lot of excess spending on duplicative analyses of cloud providers and risk assessments.

As I expressed to the panel, FedRAMP – which is expected to be released soon – will be extremely helpful to cloud providers as well as to public sector customers. Having a standard approach to Assessing and Authorizing (A&A) cloud computing services will help develop a common security risk framework that cloud providers can build our services to meet. It will also allow agencies to share the burden of the traditionally costly and time consuming A&A process required to use these services by facilitating joint authorizations that will speed the adoption and deployment of cloud services across government.

I want to thank all of my fellow panelists and everyone who attended Tuesday’s event, and we look forward to continuing this important discussion around cloud privacy in the weeks and months to come. Below is video from the Tuesday panel discussion: