Perceived Government Cloud Risks: Depends Where You’re Standing
Adoption of cloud services by government agencies is steadily increasing, albeit at a slower rate than in other sectors. Take-up is often held back by the perceived risks related to security and jurisdiction, but agencies need to look at cloud services based on their specific circumstances rather than adopting a generic approach.
Potential Benefits: That Depends on What You Have Now
As the variety of cloud service offerings has proliferated, there has been an ongoing debate regarding the relative risks when compared to traditional in-house deployments.
This has been particularly prevalent in the public sector, where a traditionally risk-averse approach to significant business change has fostered concerns regarding the security of systems that are no longer directly under the agency’s physical control. This reluctance has been exacerbated by the disjunction with legal systems based on unambiguous physical location, which are becoming increasingly irrelevant when considering data that could potentially be stored anywhere in the world.
Early international concern regarding the theoretical ramifications of the US Patriot Act have been bolstered by the stream of revelations exposed by Snowden and others that confirm just how pervasive nation-state digital surveillance activities have become. In such a climate, the response of many large government organizations has been that “going into the cloud is too risky.”
Staying Out of the Cloud: Too Risky
However, such a black or white response loses sight of the fact that there are no zero-risk options. Smaller and less well-resourced organizations can be at considerable risk through their current in-house IT operations, which are often lacking capacity in security, governance, and business resilience. In fact, for smaller organizations it can be more appropriate to state that “staying out of the cloud is too risky.” Identifying the right approach depends on understanding your organization’s profile and honestly assessing the existing risks embedded in your current operational model.