Monday, February 08, 2010

Cloud computing complications

Not too long ago the Taoiseach and the Green Party were telling us that cloud computing is the way of the future for Irish business. Now it emerges that the Department of Finance has emailed government departments and public bodies warning about the risks of cloud computing. Is this a case (as some amused observers are saying) of the left hand not knowing what the right hand is doing? Or, as some sectors of the Irish technology industry are putting it, simple technical ignorance?
A Microsoft spokeswoman said that Ireland should "embrace the cloud across all aspects of public services".

"Microsoft’s software plus services offering provides enhanced security for data over and above what has traditionally been available for private and public organisations, and this is one of the primary reasons why so many public and private organisations across the globe are beginning to deploy solutions in the cloud."

Ed Byrne, general manager of Hosting 365, which provides cloud computing services, described the e-mail as "damaging" and showed a "lack of knowledge" of what the technology involves.

The technology is "mature and not nascent" said Philip Nolan, a partner in legal firm Mason Hayes + Curran. He said any contractual issues were surmountable, and he has large clients who use cloud computing for their core systems.
So are these criticisms justified? While it's understandable that providers might be defensive, these responses seem out of place given the very moderate tone of the original email, which is not a blanket ban on the use of cloud computing but simply a reminder to take legal advice before buying these services:
The Department of Finance has warned Government departments and public sector bodies that they should not purchase cloud computing services without obtaining legal advice.

The warning e-mail, which carries the subject "cloud computing warning", says that the Chief State Solicitor’s Office has "advised that issues such as data protection, confidentiality and security and liability are not necessarily dealt with in a manner that would be necessary for public sector responsibilities".
Far from being ignorant of the nature of cloud computing, this seems to show a good awareness of the challenges it can present. As Simon McGarr points out in today's Irish Times, unless properly thought out in advance cloud computing may result in the transfer of personal information outside the EU and in inadequate security measures being put in place by data processors. Suitable contracts can deal with these risks - but not all cloud computing providers (particularly those headquartered outside the EU) seem to be fully aware of their responsibilities under European data protection law, making detailed legal advice essential in all cases.

In addition, public sector storage of data presents further problems which are distinct from those faced in private sector use of cloud computing. For example, how will the public body ensure that data held in the cloud is available to meet a Freedom of Information Act request? How will departmental records held in the cloud be preserved and archived as required by the National Archives Act 1986? Will data in the cloud be sufficiently searchable as required by the Reuse of Public Sector Information Regulations? These and other complications make the advice from the Department of Finance seem eminently reasonable.

Update (27.02.10) - Microsoft's new secure cloud product for the US government shows some of the ways in which cloud computing products may have to be tailored for public sector use.

1 comment:

  1. While the technology has come along quite a bit recently, as noted by Oisín Tobin, it's not as if massive technical failures are unknown to cloud computing (specifically in the case of Microsoft, in fact).