Capitalizing on cloud adoption while complying with U.S. and international government regulations

David Canellos

As former Secretary of Homeland Security Michael Chertoff discussed a few months ago in The Washington Post, global privacy laws and cloud adoption don’t mix easily. While the cloud is viewed as the “promised land” for data storage and application management, taking advantage of it in the government sector can present some major challenges -- especially considering the sensitive nature of government data and the myriad regulations at play (including the new FedRAMP rollout).

And the process becomes even more complicated after taking international regulations into account, which suggests that the public cloud, or even some private clouds, simply can’t meet federal requirements.

So what’s the solution? Do you put all of your applications and data in the cloud to take advantage of the benefits of lower costs, time to market and improved flexibility, and hope you can secure your data in the process? Or, do you forgo everything the cloud offers and keep your applications and information in-house? In my experience the answer is neither. 

The key for governmental agencies is to use a cloud strategy that offers specific data privacy, residency and security capabilities that smart commercial enterprises have already deployed. With the right data protection policies and technology in place, all sensitive information can be kept in-house within an organization’s complete control.

Sensitive data never leaves an agency’s network, so the agency can adopt cloud applications, public or private, without concerns about the level of security its cloud partner is providing. Tokenization or encryption obfuscates the data that is processed or stored in the cloud, so the information remains undecipherable and thereby protected. Employees accessing the protected data get the full functionality of the cloud application and the same user experience -- searching and sorting, for example, still work on encrypted or tokenized data in the standard cloud SaaS application -- all while staying within compliance requirements.

And, while you may be thinking “easier said than done” in the government sphere, there are proven solutions already operating in heavily regulated corporate settings. The key is to consider the following three things when evaluating them:

Prioritize what needs to be protected

What sensitive data needs to remain private and protected? What level of protection is required? Who needs access to the data? What laws and jurisdictions govern information and are they likely to change over time? Questions such as these complicate any governmental cloud adoption strategy.

With encryption technology, organizations can store their encryption keys within the nation of origin, keeping sensitive data, such as personally identifiable information (PII), protected in the cloud. Once encrypted, the information in the cloud is undecipherable, and it can be translated back into readable form only when paired with the encryption key held by the organization.

Tokenization is another approach that organizations are taking. This technique assigns randomly generated values, or tokens, to sensitive data. The tokens are then sent to the cloud for processing and storage, remaining completely undecipherable to anyone accessing the information outside of the government agency. Unlike encryption, where only the encryption keys stay resident within an organization, tokenization provides the additional benefit of full data residency, since the sensitive data never moves beyond the government agency’s firewall. 

Along with the question of what protection approach should be used, agencies need to address the critical issue of how much of their data needs to be protected. True, sensitive government data must be under control in a regulated space, but which data needs to be protected, specifically?

There’s a world of difference between encrypting a few dozen fields of sensitive information and encrypting all fields, which, for a federal agency, could reach well beyond terabytes of information. In the interest of flexibility, cost-savings and time-savings, be sure to determine just how much of your organization’s data needs to be tokenized or encrypted before going to the cloud.
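The tokenization approach and the field-level “protect only what needs protecting” policy described above, as an added example that is not code from the article or any vendor product: an in-house token vault replaces only the policy-listed fields with random tokens before a record goes to the cloud, and a check confirms no protected plaintext left the agency. The field names, record and policy are constructed for illustration.

```python
import secrets

# Constructed example policy: field names an agency has decided must never
# leave its network in clear form (the "prioritize what to protect" step).
PROTECTED_FIELDS = frozenset({"ssn", "name", "email"})


class TokenVault:
    """In-house token vault. It holds the only mapping from tokens back to the
    original values, so the cloud side never sees the sensitive data."""

    def __init__(self):
        self._token_to_value = {}
        self._value_to_token = {}

    def tokenize(self, field, value):
        # Reuse the token for an identical (field, value) pair so that equality
        # search on the cloud side still works. Trade-off: repeated values show
        # up as repeated tokens, so use this only where that is acceptable.
        key = (field, value)
        if key in self._value_to_token:
            return self._value_to_token[key]
        token = "tok_" + secrets.token_hex(8)
        while token in self._token_to_value:  # guard against a random collision
            token = "tok_" + secrets.token_hex(8)
        self._token_to_value[token] = value
        self._value_to_token[key] = token
        return token

    def detokenize(self, token):
        return self._token_to_value[token]


def protect_record(record, vault, policy=PROTECTED_FIELDS):
    """Replace each policy field with a token before the record goes to the cloud."""
    return {f: vault.tokenize(f, v) if f in policy else v for f, v in record.items()}


def restore_record(record, vault, policy=PROTECTED_FIELDS):
    """Reverse protect_record for an authorised user inside the agency network."""
    return {f: vault.detokenize(v) if f in policy else v for f, v in record.items()}


def leaks_plaintext(cloud_record, original, policy=PROTECTED_FIELDS):
    """Check before upload: does any protected field still carry its original value?"""
    return any(cloud_record.get(f) == original[f] for f in policy if f in original)
```

Non-policy fields (such as an internal record id) pass through untouched, which is what keeps the protected footprint to a few dozen fields rather than every column.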

Realize what needs to stay resident

Data-privacy compliance requires most federal, state and local government agencies to keep sensitive data, and applications that interact with that data, within the organization (i.e., out of the cloud). Only non-sensitive information can be stored or processed in the cloud. These regulations become even more critical when government organizations work internationally. Not only must they honor U.S. laws, but they must consider international privacy mandates as well.

Chertoff’s recent story highlighted the European Union’s call to hold parties dealing with European consumers accountable for European data protection laws. In some markets, such as Switzerland, organizations need to adhere to very strict standards. For instance, Switzerland’s Data Protection Act declares that “no personal data may be transferred abroad if the personal privacy of the persons affected could be seriously endangered, and in particular in cases where there is a failure to provide protection equivalent to that provided under Swiss law.” Rules such as this make cloud adoption a challenge when public cloud SaaS applications host information in data centers across national borders, which is a common practice.
