ORLANDO, Fla. -- Pamela Jones Harbour, a former commissioner of the Federal Trade Commission (FTC) and now a partner with law firm Fulbright & Jaworski LLP, has a message for cloud computing providers: Keep your houses in order or you may not catch on.
Speaking at the first annual Cloud Security Alliance (CSA) Congress 2010 in Florida this week, Harbour said that it was in the best interests of the newly emerging cloud industry to regulate itself on user privacy and data protection before the federal government stepped in.
Harbour said she was hopeful that market pressure for safe, secure and private cloud services would drive the industry towards better practices. Right now, she said, consumers have a choice between cloud applications with compromised security assurances and applications with no visible security at all. It was past time for service providers, be they Web apps or telecoms, to make a declaration of intent.
"I believe it is crucial for all firms to clarify their responsibility and obligations," she said.
Harbour said that right now, the best place to work for cloud security was at the provider level. She thinks competition can create that safety. If consumers remained uninformed of risks and unsafe, however, the federal government might crack down.
"Market forces may not be enough and regulators may find it necessary to step in," she said.
Past is prologue for Harbour
Harbour knows whereof she speaks, too. As a chairwoman at the FTC in 2006, she dissented against the controversial merger of Google and ad firm DoubleClick, saying that the combination would gather too much power in one place when it came to personal information being used for commercial purposes. She was right.
"Google made assurances to us that they did not intend to enter the behavioral ad market -- interestingly, in March they did just that," she said.
Harbour said there were manifold difficulties with current privacy and data protection laws that were holding back cloud, among them questions of legal jurisdiction and unsettled law on individual and corporate privacy. She cited the Third-Party Doctrine and the Fourth Amendment as areas in question. "Law enforcement has argued, with some success, that [the Third-Party Doctrine] removes Fourth Amendment protections for data stored in the cloud," she said.
That would include your Gmail, your Simple Storage Service (S3) storage, your IMs, Skype calls; you name it. Businesses can't function in the cloud in that uncertainty, said Harbour. She held out hope that the CSA could solve the problem and provide industry-wide guidance.
Feds preparing themselves for possible leak
If it becomes a matter of national security, Harbour said, as in sensitive information being compromised at an American service provider that would harm the reputation of the U.S. (a la WikiLeaks), the federal reaction would be swift and unpleasant.
"I think they're terrified," said Roy Hadley, a business lawyer with Atlanta-based Barnes and Thornburg, LLP. Hadley has an IT background and came to the CSA Congress to assess the state of the industry. Hadley said that the fed is being uncharacteristically aggressive on leading the charge for cloud standards and security because it sees the writing on the wall. Data and services are only getting more distributed and more diffuse.
It's almost incumbent on the fed to step in on this, Hadley said. He thinks the U.S. sees itself at a strategic disadvantage and desperately wants to be a leader in distributed security. After all, Hadley added, with a few exceptions, the government doesn't have control over the Internet or its content. "China, on the other hand, has a switch. They can shut everything off," he said.
But the federal government also doesn't want to legislate; that's a last resort in today's poisonous political climate. Instead, it's trying to lead by example.
One of those examples is the Federal Risk and Assessment Management Program (FedRAMP), a broad set of guidelines that service providers can meet for many agencies at once, instead of laboriously recertifying for every new government customer, which is now the case.
"If a cloud provider can pass all these NIST requirements, they can use that for any other assessment because it's a superset," said Peter Nicoletti, vice president of engineering security for Terremark. In contrast to some security certifications available in the private sector, FedRAMP (which is still under review) uses a comprehensive and apparently meaningful set of security guidelines and requirements.
Nicoletti said that unlike other audits, the NIST guidance required continuous monitoring of security procedures; a change in a protocol meant an immediate re-auditing and certification, and that happened constantly. He said that had pushed Terremark into a highly automated, highly managed security model that suited the idea of cloud computing.
"Our company gets audited literally two or three times a week," he said. "Think about what that does to our operations."
Terremark, of course, makes a point out of cultivating government customers, so they're a poster child for how to apply the federal suggestions on cloud. Will the rest of industry follow along, or will Washington find itself reaching for the steering wheel?
Carl Brooks is the Senior Technology Writer for SearchCloudComputing.com. Contact him at firstname.lastname@example.org.