Will the government get serious on cloud security, data privacy?

When the federal government finally does undertake the task of legislating around cloud computing, it seems very likely that security measures and data privacy will drive the ship. On Tuesday the TechAmerica Foundation’s CLOUD2 commission announced a data- and security-heavy set of recommendations to guide the federal government’s efforts in regulating, adopting and promoting the cloud, following up on a recent Brookings Institution discussion on a proposed Cloud Computing Act that focuses on those two issues. This isn’t surprising, given that these are two areas in which the government can most directly affect the nature of the cloud.

I covered TechAmerica’s CLOUD2 commission when it kicked off in April, highlighting its mission to advise the Obama administration on cloud computing best practices. The commission is comprised of representatives of more than 70 organizations and is spearheaded by Salesforce.com CEO Marc Benioff. Of the 14 recommendations it made today, 8 of them are focused on security and/or data privacy. They call for everything from the creation of an industry-wide security framework to updating the Electronic Communications Privacy Act (also the goal of the Digital Due Process coalition) to leading the charge to open up transnational data flows across cloud infrastructure.

The commission also calls for, among other things, increased data portability among clouds — something Commissioner Kurt Roemer of Citrix told me it would back in April — and for the modernization of our broadband infrastructure to better support cloud services.

Here’s one particularly meaty recommendation from the report summary released today:

Transnational Data Flows – Recommendation 6 (Government/Law Enforcement Access to Data): The U.S. government should demonstrate leadership in identifying and implementing mechanisms for lawful access by law enforcement or government to data stored in the cloud.

Under this recommendation, the Commission suggests three steps to increase clarity around the rules and processes cloud users and providers should follow in an international environment. Without U.S. leadership and cooperative international efforts, the world will face a far more complex legal environment, one that is not conducive to fully leveraging the cloud. The three steps are: (1) modernize legislation (the Electronic Communications Privacy Act) governing law enforcement access to digital information in light of advances in IT; (2) study the impact of the USA PATRIOT Act and similar national security laws in other countries on companies’ ability to deploy cloud in a global marketplace; and (3) have the U.S. government take the lead on entering into active dialogues with other nations on processes for legitimate government access to data stored in the cloud and processes for resolving conflicting laws regarding data.

A fuller version of the report is available here.

The CLOUD2 commission’s recommendations come just more than a month after the Brookings Institution convened a panel to discuss proposed legislation called the Cloud Computing Act of 2011. As I explained at the time, that potentially forthcoming bill will focus on cybersecurity practices and punishments, as well as providing clarity on moving and storing data across international boundaries. The transcript of that panel is available here.

Again, it’s not surprising that much of the talk about how the federal government might get involved with cloud computing focuses on security and privacy. After all, these are areas where it can more easily effect change because it can define policy rather than trying to dictate technological standards. Only the federal government can enact federal security-breach-notification laws like those CLOUD2 suggests or rewrite the ECPA to bring the Fourth Amendment up to speed with how and where data is stored in the cloud. The federal government is certainly the only institution in our country that can enter into the international data treaties that both CLOUD2 and the senators proposing the Cloud Computing Act think are necessary.

On topics such as interoperability and uniform security protocols, though, the government likely will have to tread lightly and lead with its checkbook. Although both are laudable goals, they’re probably best left for the companies involved to solve. Cloud computing might be a sea change in the way we access IT, but it’s ultimately not too different from past standardization efforts that were driven by the private sector looking to increase revenues while making consumers’ lives easier. They weren’t always pretty, but it’s probably not the government’s place to decide how clouds will be built or how they’ll work together.

In fact, private-sector efforts around both interoperability and security standards are already in place. The Cloud Security Alliance is focused on security, and a new organization called the Open Cloud Initiative launched today to push for interoperability among cloud platforms.

The government does have a mega IT budget, though, and is pushing a cloud-first strategy when it comes to buying new resources. Amazon Web Services, Google and others already have proven willing to bend to the government’s needs in order to get its business, so perhaps it can drive industry standards around interoperability and security by demanding certain levels of both in order to get federal business.
