For the U.S. Patent and Trademark Office, the public versus private cloud debate centers on security and performance concerns.
The agency, which will deploy a hybrid model, plans to use the public cloud to offload search and retrieval capabilities of publicly available data and to handle periodic workload bursts, says USPTO Deputy CIO Kevin Smith.
Today, the agency uses a public cloud provider to host its Trademark Document Retrieval system, making data accessible to the public through a portal. The agency is considering migrating other patent and trademark read-only applications to the public cloud, where appropriate, but it will keep the authoritative source and primary storage of patent and trademark applications in-house in a private cloud for data integrity and security reasons, he says.
USPTO IT leaders are also working with an open-source vendor to build a private cloud using their existing virtualized infrastructure. USPTO IT staffers are currently rewriting the agency’s legacy applications to make them cloud-friendly and compatible with different types of cloud models. They hope to launch the private cloud within the next six months to a year, Smith says.
Smith is comfortable with putting public data in the public cloud to take advantage of its elasticity, meaning the USPTO can increase or decrease the number of servers and the amount of storage as demand requires. But until the public clouds can prove that they can safeguard sensitive data, he will keep copies of that data in-house.
“If it’s publicly available data, we can put a copy out there in a public forum, and it’s not dangerous. We will do our best to move anything that is search-and-retrieval of data and offload that functionality to the public cloud,” he says. “But until the security is ready in the public cloud or a federal community cloud to house secure data, we will always look to have copies of our sensitive or confidential data here on site.”
Smith, however, reiterates that the USPTO will always keep the authoritative data sources within the agency’s private cloud and offload read-only functionality for information dissemination to the public cloud where appropriate.
The agency also handles payments, so it does have access to personally identifiable information. Smith will wait to see what NIST and FedRAMP come up with in terms of architecture and security guidance.
“Personally identifiable information is likely not something you want to put in the public cloud. We will reassess when the security models are out there, ready, and proven,” Smith says.
Another benefit of the private cloud is that the agency keeps control of interoperability issues, such as patches and application upgrades. “If you own the infrastructure, you own the patch and when you can implement it,” Smith says. “But if you move applications to the [public] cloud, you may remove the ability to patch things based on your schedule, which may add some risk.”