Below are five baskets of cloud governance goals, and means being considered for their attainment. These items highlight the scope and complexity of the cloud governance challenges involved.

Overlapping Issues

  • Data Localization
  • Cross-Border Data Transfer
  • Portability
  • Interoperability
  • Privacy
  • Market Concentration

Security and Robustness

  • Systemic controls and operational defenses to protect against unauthorized access, disruption of services, and manipulation of data, apps, and algorithms
  • Law enforcement and homeland security access
  • Allocation of responsibility and accountability for security between providers and consumers
  • Applying safeguards to cloud supply chain and infrastructure
  • Reliable processes for migration to the cloud
  • Localizing data and cloud operations to prevent compromise
  • Cross-border data transfer arrangements
  • Scrutiny and moderation of uses and content to prevent misuse
  • Designating the cloud as critical infrastructure

Resilience

  • Assured service continuity under duress (contingency planning portability and interoperability of cloud service providers [CSPs], data retrievability)
  • Institutionalized process for reporting and learning from incidents
  • Insurance coverage and carrier solvency for adverse events
  • Governmental backstopping for catastrophes

Consumer Protection

  • Preventing biases against consumers in services and applications
  • Informing and rewarding users for utilization of their data
  • Protecting consumer privacy (data localization)
  • Standardizing contracting clauses to offset market concentration and power asymmetry between CSPs and consumers
  • Informing and redressing compromise of confidentiality, integrity, and/or availability
  • Preventing vendor lock-in (portability)
  • Mandating interoperability among cloud services

Resilience

  • Assured service continuity under duress (contingency planning portability and interoperability of cloud service providers [CSPs], data retrievability)
  • Institutionalized process for reporting and learning from incidents
  • Insurance coverage and carrier solvency for adverse events
  • Governmental backstopping for catastrophes

Employment, Growth, Innovation, and Sustainability

  • Offsetting effects of excessive CSP market concentration (antitrust)
  • Regulating CSP ownership, domicile, and location of infrastructure, and maintaining data sovereignty
  • Cross-border data transfer and safeguarding arrangements
  • Establishing widespread broadband access
  • Government support for developing, disseminating, and operating cloud infrastructure
  • Emissions and energy efficiency standards
  • Environmental siting/construction standards

Human and Civil Rights

  • Protecting privacy, freedom of expression, and association: moderating/conditioning government access for tracking, surveillance, censorship, repression, and propaganda
  • Upholding political neutrality in access and content moderation
  • Restricting access to databases containing citizens’ identities and vital information
  • Establishing cloud access as civic right
  • Restricting exports of cloud services to human rights abusers

Note: Many items listed here cut across different goals. In addition, items often exist in tension with one another; policies in the same category, as well as those oriented toward different goals, and even the goals themselves, can potentially conflict with each other, adding to the challenges of governance.

Data Localization

Countries may enact cloud and data localization policies that require facilities and data to be sited, stored, backed up, and/or processed in certain jurisdictions, often within national borders. These policies can have profound effects on the availability and operations of cloud services for multinational companies and consumers. Countries often pursue cloud and data localization measures for several key reasons, which are frequently justified as a matter of national security and/or sovereignty.

Motivations

Security

A country may use localization policies to reduce dependence on foreign cloud service providers, whose operations outside the state’s jurisdiction may leave their citizens’ data and use of cloud services vulnerable to disruption, theft, or manipulation by foreign actors.

Privacy

Localization policies may also address concerns that the privacy of citizens’ data sent across borders could be compromised in foreign jurisdictions that do not have adequate privacy protection or accountability mechanisms in place.

Economics and Competitiveness

Data and cloud operations are often treated by national governments as valuable commodities, and localization policies are one way of preserving these commodities and the economic advantages they provide within the country.

Law Enforcement and Homeland Security Interests vs. Privacy Concerns

By:
  • Ariel (Eli) Levite
  • Gaurav Kalwani