Listen to the first half of our interview with VeriSign’s Adam Geller and Nick Piazzola.
Fed Cloud Blog has been bringing you interviews with various companies that are helping federal agencies move into the cloud.
Today and tomorrow we’ll talk with two representatives of VeriSign, a company that specializes in protecting data.
Adam Geller is their vice president of Enterprise & Government Authentication and Nick Piazzola is their vice president of Government Programs.
The two sit down with FCB and discuss more about the cloud.
On the definition of cloud computing
Nick Piazzola: I think our definition of cloud computing fits in the generalized definition that NIST has put forth about a shared set of digital computing resources — but, for us, it’s more specific in that we provide applications for specific shared computing services.
Adam Geller: And I would just add, from a cloud computing perspective, I think that it’s sort of a combination of a lot of different initiatives — or projects — that have caught on in the past: great computing, utility computing, software-as-a-service. They sort of all bundle up, but the characteristic that I would apply to cloud computing are terms, like on demand that’s going to be scalable; virtualized, leverage-existing service infrastructure — and generally it’s going to take something, package it up and offer it as an Internet-facing surface.
On why cloud has seemingly taken off in the past year
NP: I would say that, from VeriSign’s perspective of what we’ve been providing, we’ve been doing cloud computing for many years.
Actually, all of the services that we provide for the federal government today are some form of network-based, shared application services.
So, from our perspective, we’ve been doing cloud computing in that definition since our inception.
I think it’s in vogue now today for a variety of reasons, including the fact the feds themselves now have that part of the President’s initiative for common services . . . [and] shared services and they’ve labeled that cloud computing.
AG: Certainly at VeriSign we’ve been doing it since our inception, but I think what’s changed about it is that VeriSign and other people who’ve done cloud or service-based offerings in the past, I think they’ve been a little bit more point-solution based. We’re a cloud authentication solution, which is good, but it’s narrow and it’s for a specific use case.
I think what’s fundamentally changed the attitude around cloud computing is that there were a couple of killer apps, like SalesForce and some other solutions out there that were full on applications, or, really, full solutions to be provided for somebody, not just a point component of it, [but] being fully provided as a service. I think that’s what’s sort of changed people’s perspective.
Not only can you [now] get a point service, like an alarm monitoring service or a managed security service or authentication, like what we’re doing, you can all of a sudden take a full on application from start to finish and offer it as a service. That’s being commonly accepted now.
I think that’s what’s gotten everybody to push and realize there are lots of things that can be provided for in the cloud, but, of course, this also opens up lots of interesting security questions, which is where we focus.
What the CIO should consider before moving to the cloud
NP: I think the obvious things are that the kinds of security concerns that you would have about a service in the cloud are at least the same as what they are if you would provide that service on your own when hosting your own application. So, you need all the kinds of things, like authentication, confidentiality for your data, protection of privacy.
In addition, you have to worry about the reliability and availability of the service, [especially] if it’s going to be mission-critical applications.
What you have to recognize as a federal agency is that it may be possible that that cloud service could do that better than if you were doing it yourself.
I think that’s the thing that the management needs to understand. If they pick the right application and the right service provider, they’ll actually get enhanced availability for security than if they did it themselves.
AG: I think this is a really interesting part — or an interesting fork in the road.
You’ve got the early adopters — people quickly adopting services, but, again, since we focus on security, what we’re hearing and what we’re seeing with people — the cloud providers and the people who want to use them — is that enterprises (and government also) — built up over a number of years internal compliance programs to meet regulations, to meet guidelines. . . . They built their own compliance programs internally, and they’ve had control over all of their touch points.
What we’re seeing with people who have moved to cloud services [is that] that’s sort of lagging a little bit.
So, as an example, you may have a great password management policy for your internal applications that you can document, you can get on it again and people can feel comfortable that you’re living up to a certain policy.
When you change over to a cloud service, all of a sudden you may not have as many options or the ability to synchronize the two. There’s sort of a very interesting market emerging for services that can bridge the enterprise or the agency infrastructure to the cloud so that you’re not replicating the two and having to maintain, let’s say password policies or account creation and teardown in two separate locations.
I think this is going to become a real interesting area as the auditors, I think, have to get caught up. I think it’s a new thing to audit in that level of detail. Certainly, not auditing cloud providers — people have done that in the past — but now this is getting very specific because there’s a lot of data moving over and I think it’s going to open up some eyes when the policies that people worked so hard to set internally aren’t necessarily easily applicable to the cloud.
That gap is going to have to close.
Tomorrow: advice on closing that gap, as well as how VeriSign is helping federal agencies.