Wednesday, May 31, 2017
Data Providers Need to Catch up to Cloud
In my recent project looking to see if we could migrate to cloud in this generation for HPC another topic kept arising.
We cannot yet take enough of our data or software off our owned systems and facilities.
Beyond HIPAA, and BAA's there are a raft of other data regulations that data are provided to our researchers under. Last I checked there was thousands of faculty with hundreds of data sources in a campus environment.
Right now because most campus projects are small, it is not worth it in both time, nor upsetting the data provider, to get any agreement in place with a cloud provider to host said data. Many of these plans require revealing information about your physical security and practices that you cannot have in general from a cloud provider. Or refer to standards that existed before clouds existed (anyone who looked at FISMA training pre-FedRamp, and any agreement with physical isolation will recognize this limitation).
Some data types (FISMA / NIST 800-171) come to mind that are actually easier to do in the major public clouds because you don’t need sign off from each of the data providers but just the agency who has already done the work with that public cloud provider. (NOTE: I am still early in looking into this, this is my current understanding, but I could be wrong). Thus after doing the last mile work (securing your host images, your staff policies, patch policies etc) you can actually respond to these needs faster in the cloud and get an ATO.
So where does this leave the data providers that each have their own rules and require each project to have sign off form the provider making the fixed cost of each project high? As a community we should be educating them to move them towards aligning with one of the federal standards. Very few of these projects I have seen are actually stricter than NIST 800-171, thus if these data providers would accept these standards, and an ATO (Authority to operate) from the federal agencies, they would probably get better security/less under the desk 'air gaped' servers, but increase the impact / ease of access to data for the work they are trying to support.
This would make funding go further, get technical staff and researchers back at what they do best and less time looking at data use agreements.