By Kim Hart
Washington Post Staff Writer
Tuesday, March 31, 2009
Consumers save their e-mail and documents on Google's data centers, put their photos on Flickr and store their social lives on Facebook. Now a host of companies including Amazon and Microsoft wants government agencies to similarly house data on their servers as a way to cut costs and boost efficiency.
But federal officials say it's one thing to file away e-mailed jokes from friends, and another to store government data on public servers that could be vulnerable to security breaches.
The push toward "cloud computing," so named because data and software is housed in remote data centers rather than on-site servers, is the latest consumer technology to migrate to the ranks of government. Companies such as Amazon and Salesforce, which do not typically sell services to the government, want a piece of the business.
Google opened a Reston office last year to sell applications such as Google Docs to federal employees. Silicon Valley-based Salesforce, which has focused on selling to corporations, established a team dedicated to government contracting. Microsoft spent $2.3 billion in 2007 to build data centers for cloud computing, and IBM, Sun Microsystems and HP want to provide the government cloud.
"We're all putting our lives on the Internet," said Zach Nelson, chief executive of online application provider NetSuite, which has shifted its focus to federal sales. "If it works for business, why not for government?"
Instead of storing information on computers, an agency would store e-mail and other data on servers maintained by companies such as Amazon or IBM. Employees would access information through an Internet browser, and in many cases from outside the office, just like they would access a Hotmail account.
Already, the Defense Department's technology arm has set up a cloud to let the military rent storage space or use remote software programs. But skeptics say information is not protected on public servers. Some worry that data may be impossible to remove after it has been socked away in commercial data centers. Unlike destroying hard drives to erase sensitive data, traces could remain on outside servers for years.
The Electronic Privacy Information Center, a public interest group, two weeks ago asked the Federal Trade Commission to bar Google from offering its online tools to consumers until it takes necessary steps to safeguard consumer data. The complaint comes after reports that Google inadvertently shared access to users' documents stored online.
Deniece Peterson, principal analyst for market research firm Input, said storing personal information such as health records or Social Security numbers in the "cloud" could spark concern for consumers.
Many consumers, she said, think personal information should be housed on private government networks, rather than a larger one shared by a number of parties.
Moving information "to the cloud" would mean that government agencies would have to trust third parties to provide security support, store and organize the information and make sure only authorized employees can access it.
"The government may be outsourcing functions to contractors now, but this takes it to a whole new level," said Jimmy Lin, assistant professor of information studies at the University of Maryland, which has received funding from Google and IBM to research cloud computing.
"And what happens if Google gets hacked by a third party?" he said. "The answer is, nobody knows."
Storing information on servers run by Amazon or Google could prove to be safer than storing it on government-owned databases, said Peter Mell of the National Institute of Standards and Technology, which advises federal officials on technology. Large providers typically have more resources to ward off security threats because their business depends on it, Mell said. Agencies, on the other hand, often can't afford to hire as many employees to keep watch over the servers.
If data storage, security and software services are handled by a third party, agencies can spend less on buying their own servers and hiring employees to maintain them. In addition, agencies can rent extra capacity on those servers when they need more computing power instead of buying extra equipment they only use once in a while.
Proponents say cloud computing could mean a big shift for traditional government IT providers, such as defense contractors SAIC and CACI.
"We think this thing is going to fundamentally change the way we leverage, procure and utilize IT," said Michael Farber, a Booz Allen Hamilton vice president. "We're not looking to buy packaged software anymore -- we're downloading and subscribing to things."
Acumen Solutions, a Vienna-based technology consulting firm, has launched a public-sector cloud-computing practice. Apptis, an IT services company in Chantilly, changed its strategy last year to focus on cloud computing rather than helping agencies integrate disparate software systems.
The U.S. Census Bureau is using Salesforce's cloud to manage the activities of about 100,000 partner organizations across the country. But it will store personal information gathered from citizens on its own private servers.
"People have to trust us, otherwise they won't give us the data," said J.R. Wycinsky, a Census program analyst.
One major hurdle is that there are no uniform standards for cloud providers. NIST is working with six industry consortiums to develop requirements for how companies can handle government information and how the "clouds" can share information.
Yesterday, IBM spearheaded an effort with companies including Cisco and Rackspace to make their cloud-computing technologies work together around common standards, in part to prevent agencies from being locked into working with a single cloud provider.
"Whenever we see new technology, security people are very leery," Mell said.
Firing up fewer servers is also more energy-efficient, IT companies say. "Getting rid of one server is the equivalent of taking one and a half cars off the road for a year," said Aileen Black, director of federal sales for Palo Alto, Calif.-based VMware. "Imagine the impact of taking 450 servers away."