Feds raise questions about cloud security

Monday - 11/8/2010, 6:36am EST

By Scott Carr
Federal News Radio

The General Services Administration is moving all of government closer to the adoption of cloud computing services. But the movement still has its naysayers.

Experts from outside and inside government are questioning whether agencies are really ready for it.

Last week, GSA issued the draft requirements for the Federal Risk and Authorization Management Program (FedRAMP). The aim is to provide a standard approach to assessing and authorizing cloud-computing services and products. The first phase of the program is expected to be operational in the first quarter of 2011.

But even before GSA can finalize the requirements, several experts at TechAmerica's 2010 IdentEvent last week questioned whether moving all agencies to the cloud would be possible in the short term. All agreed, however, that each agency has potentially different uses for the cloud that come with their own sets of concerns.

Among the questions that frustrated the panelists:

  • Will cloud require controls on authentication and authorization?
  • Will the use of the cloud change the kinds of controls that agencies use?
  • How will the use of authentication as a control potentially be impacted by the use of cloud?

David Stender, associate chief information officer for Cybersecurity at the IRS, said he was one of the naysayers.

Ironically though, he said, when considering the standard expressions of cloud, such as software-as-a-service, platform-as-a-service, storage-as-a-service and virtualization, the IRS could already be considered a cloud service provider.

"We have a large, hidden infrastructure that allows us to do that," Stender said. "So, from that perspective I would say if that is the definition of cloud, then we fully support that. I think where the naysaying comes in is primarily from the security side. The IRS is arguably the largest holder of [personal information] in the United States."

Stender doesn't rule out the value of a private cloud system.

How it's managed, he said, is where security issues come into play.

He said he has yet to see any cloud service provider show him how information can be kept verifiably secure through every step in the process. "Not a single cloud service provider has been able to do that yet," he said.

The Census Bureau, unlike the IRS, is one agency that has better use for cloud computing.

Brian McGrath, CIO and associate director for IT at the Bureau, said that although the Bureau created its own private cloud and has a heavy investment in virtualization, Census ended up looking to both the public and the private cloud for solutions.

Doug Bourgeois, a former CIO at the Trademark Office and currently federal chief cloud executive at VMware, said it makes sense, particularly for agencies, to start with an internal private cloud.

"There's tremendous efficiency gains to be realized with Stage One of the cloud migration, primarily because of the physical to virtual kind of migration where you can get server consolidation and green IT benefits and energy consumption reduction in order of 40 to 60 percent, both from total cost savings and from an energy reduction perspective," he said.

The panel generally agreed that trying to move data into a secure cloud needs to be thought of as a journey, requiring successful planned steps over time, not "a destination of delayed perfection," as expressed by Sam Curry, RSA's chief technology officer for global marketing.

The importance of understanding organizations' tolerance for risk and embracing security and privacy as constant priorities were other key issues identified by the panel. Stender said more services could be provided if agencies had a better handle on what risks they were willing to accept.

GSA and the Chief Information Officers Council are seeking comments from agencies, vendors and the public on process templates, guides, common security requirements and other aspects of FedRAMP. Two information sessions will be held during the comment period, which ends on Dec. 2. One will be for agencies, the other for vendors. Details are posted at FedRAMP.gov.

(Copyright 2010 by FederalNewsRadio.com. All Rights Reserved.)