To hear Daniel Burton of Salesforce.com talk about it, cloud computing is the next big thing for the federal government, darn near the greatest thing since sliced cheese.
“The big policy issue is to get government on the cloud, because that changes everything”, said Burton at the Institute For Policy Innovation (IPI) 4th Annual Communications Summit this past week in Washington, DC.
While that may be the case, the question on the minds of many within the federal government, and some in the audience at the Communications Summit, was whether such a change is actually a good thing.
Burton, who is Salesforce.com’s Senior Vice President and GM, Global Public Sector, says the debate over widespread federal government adoption of the technology that allows data to be stored off-site “on the cloud” has been stalled largely because of worries about data security. But Burton says contracting with a company such as his, with strong security and compliance standards, should alleviate those concerns.
That, however, is not what Bill Connor, President and CEO of Entrust, a major online security provider, says. Connor told members of Congress during a recent cyber security hearing that when it comes to cloud computing for the federal government, “a lot of people are running before they’ve thought it through”.
He says that before putting a lot of valuable financial information and intellectual property into the cloud, government officials should consider that “security in the cloud is not as good as in a mainframe data center”, and he also pointed to potential problems with secure authentication into the cloud. Trusting that such a system would be entirely secure as a result is, in his opinion, “naïve”.
In fact, trusting any kind of current security regime to be 100% effective would be folly, according to none other than the executive chairman of RSA, Art Coviello, who spoke this week at the 2012 RSA Conference. RSA, of course, is the company that provides SecurID technology for the US Department of Defense and military contractors, and was itself the victim of a major security breach in the past year.
According to Coviello (as reported by week.com), the security industry is in “serious risk of failing” to protect its customers. He says organizations have to assume that their networks will be penetrated, and then do everything they can to minimize data theft or damage. Because the number and sophistication of attacks have increased dramatically, Coviello says new ways to protect organizations need to be developed.
Of note is his observation that mobile, software-as-a-service, and cloud adoption is actually making it much more difficult to keep networks secure. That’s because, he says, all of these technologies open up new routes for attackers to infiltrate a network.
That cautionary note with regard to security risks was also sounded during the recent cyber security hearing in Congress by Dr. Phyllis Schneck, McAfee’s Vice President and Chief Technical Officer, Global Public Sector. Protecting against risks is much more complex today than it was in the past, she says, when email was the primary source of online attacks. “Now you have the web vector, the firewall vector, the mobile vector…again, the enemy is faster.”
Of course, the Feds have actually given a lot of thought to these issues. For agencies and contractors considering a move to cloud computing, the National Institute of Standards and Technology (NIST) has come out with written guidelines and videos on cloud security best practices.
Pointers include proper planning, and a thorough understanding of what’s involved. They also suggest making sure the cloud data services actually make sense for the particular organization using them, along with negotiating custom contracts that meet specific needs.
Other recommendations include maintaining physical security relating to web browsers and mobile devices, along with ongoing monitoring to assess privacy, vulnerability, and threats.