Last week, InformationWeek reported that federal officials testified before the House Subcommittee on Cybersecurity, Infrastructure Protection and Security Technologies that the government should have confidence in federal data being moved to the cloud.
Still, some lawmakers, such as committee chairman Rep. Dan Lungren (R-Calif.), question the security of placing federal data in the cloud. “You’ve got to have a promise that the security of the cloud is going to be measurably better than the security we have in the current system,” Lungren says.
David McClure, associate administrator for the General Services Administration’s Office of Citizen Services and Innovative Technologies, agreed with Lungren, telling the subcommittee that federal officials have been working on new security controls and standards to provide robust cloud security.
Still, McClure adds that it’s important for federal agencies to improve cybersecurity protection across the board and that the security challenges various agencies face aren’t limited to the cloud. According to McClure, “Our problems with security are not unique to cloud computing.”
It’s a subtle but critical point that McClure raises, especially as federal agencies continue to press further toward adopting cloud computing services as part of the Obama administration’s efforts to streamline government and reduce costs.
Department of Homeland Security CIO Richard Spires told the subcommittee last week that the federal government needs cloud computing to help cut costs and enable federal agencies to deliver information more efficiently. “Cloud computing is going to transform IT as things become more commoditized,” Spires says.
Point to point security
There’s a tremendous amount of work being conducted throughout the technology industry to protect cloud data across a number of end points, including data that’s momentarily inactive as well as data that’s on the move. There are also security efforts taking place to address the security of virtual machines that house and transport data as well as virtual networks that support both public and private clouds.
Education is also a critical component of cloud security endeavors, particularly in terms of enlightening key stakeholders (e.g. lawmakers, C-level executives) as to how “the cloud” operates in layman’s terms, differences between public and private clouds, how the cloud can support applications shared by multiple tenants, etc. A more thorough understanding of how the cloud operates and how data in the cloud can be secured could help organizational leaders better understand how, for example, “a large cloud provider is likely to provide a better and more secure IT service at a lower cost than a small to medium sized organization could provide itself,” as noted in a recent article in The Guardian by Mike Small, a member of the London ISACA security advisory group.