One of the government’s major initiatives is to promote the efficient use of information technology, including the federal use of cloud computing. So good, bad or indifferent, the government is now moving into the wild, world of cloud computing – despite the fact that it is a new way of doing business that still has many unaddressed problems with security and the general form that it is going to take.
At the Cloud Computing Summit in April 29 2009, it was announced that the government is going to use cloud for email, portals, remote hosting and other apps that will grow in complexity as they learn about security in the cloud. They are going to use a tiered approach to cloud computing.
All businesses, both large and small, are now investing resources in cloud computing. Here are seven problematic areas for which solutions need to be found:
- Vendor lock-in – Most service providers use proprietary software, so an app built for one cloud cannot be ported to another. Once people are locked into the infrastructure, what is to keep providers from upping the price?
- Lack of standards – National Institute of Standards and Technology (NIST) is getting involved and is still in development. This feeds the vendor lock-in problem since every provider uses a proprietary set of access protocols and programming interfaces for their cloud services. Think of the effect on security!
- Security and compliance – Limited security offerings for data at rest and in motion have not agreed on compliance methods for provider certification. (i.e., FISMA) or common criteria. Data must be protected while at rest, while in motion, while being processed and while awaiting or during disposal.
- Trust – Cloud providers offer limited visibility of their methods, which limits the opportunity to build trust. Complete transparency is needed, especially for government.
- Service Level Agreements – Enterprise class SLAs will be needed (99.99% availability). How is the data encrypted? What level of account access is present and how is access controlled?
- Personnel – Many of these companies span the globe – how can we trust sensitive data to those in other countries? There are legal concerns such as a limited ability to audit or prosecute.
- Integration – Much work is needed on integrating the cloud provider’s services with enterprise services and make them work together.
Opportunities abound for those who desire to guide cloud computing. Those concerned with keeping cloud computing an open system drafted an Open Cloud Manifesto, asking that a straightforward conversation needs to occur in order to avoid potential pitfalls. Keep alert as the standards develop and contribute, if possible.
Pingback: MSI Strategy & Tactics Talk Ep. 25: An Introduction to the Cloud - What to Choose and Why - MSI :: State of SecurityMSI :: State of Security