Why federal CIOs, CISOs still have concerns about the cloud

Has there been a break in the cloud?

Symantec recently released its 2010 Break in the Clouds Report, which shows that many CIOs and CISOs in the federal government still have real concerns about security.

Ned Miller, director of public sector strategy for Symantec’s public sector market, breaks it down for us today.

NM: The purpose, or intent, of the report was really simply to evaluate where agencies were, or currently are, in their overall cloud strategy, and then evaluate the ones that are early adopters, specifically with any challenges or barriers they’ve had with implementation, and really to focus on their key concerns. That will allow us to position how we can help our government clients going forward.

FCB: And what were some of your key findings?

NM: There were a number of themes that were pretty consistent in terms of the evidence that we collected.

The first area that we were very focused on was just how many agencies had actually implemented cloud, or cloud-based applications, or any platform or infrastructure. We accounted for about 23 percent of the agencies that participated in the survey have actually implemented cloud, and about 35 percent are planning to implement.

A couple other key areas that I think were interesting and noteworthy [are] — the emphasis on private clouds versus public clouds, and where agencies have already adopted some cloud strategies. About 58 percent of agencies are already using a private cloud, or in-house cloud, versus approximately 64 percent of those who are planning . . . to use private or in-house cloud versus using an outsourced cloud model.

FCB: We always, inevitably, come back to the security question. [Your survey] says 89 percent say data protection privacy is their top issue. Can you break down those numbers a little bit for us?

NM: Based, again, on the survey, about 80 percent of the participants came back and responded with that they believe that encryption in the cloud is a key area that needs to be addressed, and approximately 70 percent of them have come back and required data segmentation for the actual data in the cloud itself.

FCB: In terms of where agencies are now in terms of implementing cloud, you’ve got a slide [in the report] that says ‘proceeding with caution’. How does that tie into the security question?

NM: Well, in terms of ‘proceeding with caution’, a number of CIOs and CISOs that I’ve spoken to personally are still moving forward based on the mandates coming from OMB with their implementation of cloud strategies; however, the concerns are still centered mostly around security.

It still comes back to the data itself, protection of that data, and they’re fairly conservative in terms of the implementation approach to date, and therefore they’re really relying on building private clouds and building inside their own infrastructure. So, those are kind of still the key concerns — it really has to do with the data itself and where it resides.

FCB: So, a lot of agencies say they feel safer in these private clouds, rather than public clouds, but according to your survey, almost half who have implemented cloud don’t know if they’ve experienced a breach or an attempted breach. Is this cause for concern? Should we be really worried about this?

NM: We should, and, again, this speaks to the desired end state, which is a clear set of standards to address how to adopt and deploy and implement a secure cloud, which leads to FedRamp. . . . [It] is really designed to unify cloud computing security standards across the U.S. Government. Obviously, the initiative is managed by the folks up at NIST and Peter Mell, and he has a big task in front of him. We believe that, overall, this attempt to standardize a security model around cloud computing will take some time to evolve, and the biggest challenge we see with it, quite honestly, is not necessarily the adoption of the standards, but how quickly the industry — both the people, the process and the technology — are moving, versus how quickly standards can be adopted.

So, the biggest challenge to the standard, I believe, will be that we’re moving much faster than what standards typically have been able to get out.

FCB: What other barriers — perceived or real — are agencies facing at this point as they’re looking at cloud adoption.

NM: My sense is, at this point, that it’s going to come down to, specifically, expertise on the government agency side in terms of developing a technology strategy to deploy these private clouds.

So, we’re crossing into somewhat uncharted territory where agencies are building, with their own resources and infrastructure, these private clouds without necessarily a lot of strict guidance to any security standards, because they don’t quite exist yet.

So, in their rush to move towards the cloud, and derive the benefits that cloud provides in terms of efficiencies, economies of scale, etc., security often is still one of those scenarios that’s not baked in automatically.

FCB: And, finally, in terms of the ‘what’s next’ aspect of this, I believe you did talk to some agencies that are already implementing or starting to implement cloud computing. What did they tell you? What did you find out from them?

NM: It’s interesting in that, outside of the survey, I personally have been in contact, as I mentioned, with a number of CIOs and CISOs, and on the federal side, there’s a little over a dozen or so agencies that have fairly mature programs. They’ve actually stood up applications, some of which are service-to-citizen applications, the majority of which are still internal.

The notion of cloud computing is really catching on. We’re starting to see a number of agencies really jump towards that. I think in terms of what’s next is — they really need a cloud security strategy, instead of guidance from the authoritative sources, to help them ensure that, as they move forward with the guidelines that have been laid out by the federal budget planning process, [which says that] by September, 2011, any major IT investment acquisition has to provide an alternative analysis of a cloud strategy.

So, in terms of being able to support the mandates coming from OMB, I think the thing that we need the most is clear guidance around standards, and some assurance around the minimum security standards and criteria for both the industry partners [and] the government itself, specifically around data encryption, what the certification and accreditation process is really going to be like, what it means for one agency to approve a certain cloud provider [and] if another one can truly adopt that particular vendor, and then the notion of data segmentation for cloud solutions — whether it’s public or private.

Transitioning to the Cloud — a Round Up

The Federal Cloud Blog has been telling you all about Apps.gov — the new Web site dedicated to getting the federal government into the cloud.

We told you here yesterday about Jason Miller’s story regarding the Web site reveal:

The Office of Management and Budget’s vision for federal information technology [began] with the launch of Apps.gov.

The cloud computing storefront is part of a decade long plan to reduce costs, lower the environmental impact and improve how Americans receive government services.

Read the whole story here.

And here’s video of federal CIO Vivek Kundra making the Apps.gov announcement, which aired on today’s In Depth with Francis Rose.

On today’s Daily Debrief, Chris Dorobek and Amy Morris talked with two of the biggest players on Apps.gov — Google and SalesForce.com.

Matt Glotzbach is Google’s Product Management Director — and Dan Burton is Senior Vice President for Global Public Policy at SalesForce.com.

They talked about helping the federal government move to the cloud — and you can read the full story here.

Talking Cloud with Peter Mell of NIST

One of the folks who knows more about developing the use of the cloud for the government’s purposes is Peter Mell. He’s a Senior Computer Scientist and cloud computing project lead at the National Institute of Standards and Technology and the co-author of NIST’s draft working definition of cloud computing which was just revised on August 19th.

Mell is pretty methodical about how he explains cloud computing. He wants everyone to fully understand the great capabilities it promises but also the specific challenges to government it poses. WFED spoke with Mell about what makes cloud computing what it is and how it can be useful to federal agencies.

WFED: Let’s start out with the basic question. What exactly is cloud computing?

PM: First we have to explain why we’re defining it. A lot of people say it can’t be defined or it doesn’t matter if you define it. Let’s just use it, let’s just talk about it. [NIST] feels it’s really important because without defining it you can’t get the benefits from it that you want. And so we tried to put our whole hands around the industry and say “what is truly cloud” in the industry today? Because you know that every vendor out there wants to be on the latest bandwagon and everyone is saying they are doing cloud. As a government, how can we truly understand what it is? And to do that we had to look at a lot of the benefits that you want to get. So we want significant economic benefits. We want to decrease the use of power. We want to reduce our carbon foot print. What is just as important is we want to be able to Agilely deploy our enterprise operations; to quickly provision and get those applications out there.

WFED: Seems so simple. Why hasn’t this been invented before?

PM: Cloud computing in a way isn’t anything new. It’s the convergence of many different technologies and initiatives that have been maturing over the years and they tried to converge together several times in the last decade but the timing just wasn’t quite right. And I think that we we’ve entered a maturation among enough of these technologies that they truly can converge together now and their convergence can revolutionize our usage of information technology – which gets me back to the definition. What is cloud computing? Computation capabilities provided as services and that’s correct but in the heart of it, where we’re really trying to get the benefit is we’re trying to optimally access and use our data centers. So cloud computing is fundamentally about data center technology.

WFED: NIST has put together 5 of the characteristics of cloud computing to help define it.

PM: Cloud computing is a model for enabling available convenient on-demand network access to a shared pool of configurable computing resources that can be rapidly provisioned and released with minimal management effort or service provider interaction. That hopefully gives you a glimpse of it. [This cloud model promotes availability and is composed of five essential characteristics, three service models, and four deployment models.]

To understand, it you have to get into the five characteristics. The first one is On-Demand Self-Service. This is all about the business user, not the CIO shop but the business user being able to decide “I want this” and got get it themselves unilaterally grabs it an the CIO shop maybe managing it or overseeing it to ensure security and compliance and so forth. But it enables the business user to get access to technology.

The second one is Ubiquitous Network Access. So that you can get it over the network through standard mechanisms, through heterogeneou thin, thick clients. It’s very available to you.

The third one is Location Independent Resource Pooling. This is the most technical characteristic. You may not immediately understand why [the government] cares, but it’s critical. The idea is that all of your hardware resources are pooled together in a collective. And as a collective, they are offering computational power to all the customers at the same time. And the software is actually abstracted away from the hard ware so that you don’t know or don’t care even exactly where your processes are running and where your data is stored within that data center.

The fourth is Rapid Elasticity. The ability to quickly expand your use and to decrease your use of the computational capability that’s being provided. So it’s not just scalability. Scalability is your ability to increase the architecture to allow for more demand. But the idea [with Rapid Elasticity] is maybe you have a lot of demand today. Maybe you need to go from ten servers to ten thousand servers today. You can do that within minutes and then once your demand is gone, you can scale back down to one hundred servers.

The fifth has been revised from Pay Per Use to Measured Service. That clouds enable a metering of services being used to automatically control and optimize the resource use. And typically that is often done through Pay Per Use where you have to pay for server time so you’re not going to hog all the servers in the system. I know that one agency built essentially a private internal cloud and they wanted to do the Holy Grail of cloud computing: to increase server utilization from ten percent to eighty percent. What this agency found is that since there was no measuring of the service or optimizing usage by the business users, [the agency] was just using everything that was available. So their server utilization went up to eighty percent but they didn’t actually free up any resources.

WFED: You mentioned security being a big concern for the government. What is NIST doing to make sure vendors understand the needs?

PM: NIST is publishing a series of documents on cloud computing that will discuss security; advantages as well as challenges because we do see those. At the same time the vendor community for the most part understands that for [the government] to use cloud computing we need it to be secure and so they are ramping up their security architectures to provide as robust solutions as possible.

Related Documents:

Effectively and Securely Using the Cloud Computing Paradigm