At the end of 2009, cloud computing isn't a bright, shiny toy on the horizon for the enterprise or government. IT professionals, by and large, know what cloud computing is, though they are still skeptical. They just aren't sure if they want to adopt the public cloud, especially for sensitive data or mission-critical applications.
More FISMA resources
Amazon.com Inc. has completed a Statement on Auditing Standards (SAS) No. 70 Type II compliance audit of its Amazon Web Services cloud computing service, but enterprise analysts aren't satisfied. "Obviously, SAS 70 isn't the entire picture around security," said Drue Reeves, vice president and research director for cloud computing at Burton Group Inc. in Midvale, Utah. "I see it more as about operations than about security. ... Anytime anyone's going to buy anything, they're going to want to know about it. It's a trust-but-verify model."
The federal government is in a similar transition state in terms of using third-party cloud providers. On the one hand, the Department of Defense operates what is likely one of the world's largest cloud infrastructures, as Rear Admiral Elizabeth A. Hight, vice director of the Defense Information Systems Agency, explained earlier this year at the MIT Sloan CIO Symposium. What can government agencies achieve using commercial providers of cloud computing, while still maintaining security and Federal Information Security Management Act (FISMA) compliance?
Shootout in the cloud
Last week, a panel of top executives from those same cloud computing providers gathered at the Newseum in Washington, D.C., to address those questions, engaging in a "cloud shootout" in front of a room of government officials.
Intel Corp.'s Prasad Rampalli brought an engineer's perspective to the debate. Rampalli, vice president of Intel's architecture group, observed that managing the virtualized infrastructure of that underpins as a nontrivial affair. "We used to have server sprawl," he said. "Now we have virtual machine sprawl." Rampalli raised other major obstacles for federal cloud computing or use in the enterprise. "When you start virtualizing these types of Type II applications that are critical to business function, much less ERP software that is mission-critical, immediately you run into a networking bottleneck. Performance can be addressed, but organizations will have to re-architect the data center."
Nevertheless, both Microsoft and Google Inc. are close to receiving accreditation for FISMA compliance. Google has completed a System Security Plan for Google Apps with the General Services Administration (GSA) as a sponsor. "It's up to the provider to find a way to minimize [insider] threats," said Eran Feigenbaum, director of security for Google Apps, observing that internally Google practices role-based security, logs access and notifies owner of data breaches.
FISMA compliance "has involved a lot of money and effort" and should happen sometime in 2010, Feigenbaum said. It remains to be seen whether the additional security guarantees that Google offered to the city of Los Angeles when it bet on cloud computing with Google Apps in November are extended to federal customers.
Microsoft is also seeking accreditation for FISMA compliance for its cloud computing services. As Teresa Carlson, vice president of Microsoft Federal, wrote earlier this year in a post on how to secure the cloud, Microsoft entered into a partnership with the GSA to gain an Authority to Operate Microsoft Business Productivity Online Suite for them through FISMA accreditation by the end of 2009.
That deadline may not be met, but according to Susie Adams, Microsoft's chief technology officer for the federal sector, and Yousef Khalidi, a Microsoft distinguished engineer who spoke on the panel, it's expected early in 2010, if the company passes the audit being performed by SecureInfo Corp. Microsoft hasn't yet lined up major federal customers for its Azure cloud computing platform, said Adams, but it is working with the National Institute of Standards and Technology (NIST) to ensure that Azure meets FISMA compliance when it happens.
OMB's new metrics for reporting
If the cloud providers do achieve FISMA compliance accreditation, it's possible that they'll be measuring actual security by new metrics. On Dec. 15, the Office of Management and Budget (OMB) proposed detailed new metrics for agencies for use in FISMA compliance reporting.
According to a statement on new FISMA compliance metrics posted on NIST's website, these metrics would focus on security, not reporting. "These metrics should encourage agencies to take concrete steps to improve their security posture by implementing monitoring tools, strengthening areas such as identity and configuration management and reporting on four new categories: remote access management, identity and access management, data level controls, real-time security awareness and management," wrote the authors of the statement.
It's up to the provider to find a way to minimize [insider] threats.
That's an important shift, if OMB's proposed metrics are adopted. As shared last month by a member in the audience at the federal chief information security officer panel at the Open Web Application Security Conference, a common frustration among IT professionals who work in or with the federal government is that FISMA compliance is more focused on checklists or regulatory affairs than increasing security of assets.
"FISMA did a good job, I believe, at accomplishing what it was meant to do: raise the level of security and awareness," responded Earl Crane, former chief information security architect and now director for cybersecurity strategy at the Department of Homeland Security (DHS). "FISMA 2 is moving through Congress, and it would be helpful if somewhere in there was a security architecture process."
Does FISMA compliance adequately address online security threats? "Security is only as good as the testing you perform," said Crane. "FISMA doesn't give you granularity in the controls you should be using. One of the things we're doing at DHS is building a defense-in-depth architecture, since you don't want to rely on one single thing."
Federal CIOs are cautiously bullish on the cloud
GSA CIO Casey Coleman and NASA CIO Linda Cureton were both in attendance at the cloud computing shootout. Both are well-established bloggers and proponents of the use of collaborative technologies in government. After the event, each CIO posted reactions on FedScoop's blog.
"Cloud computing has come of age," wrote Coleman, pointing to an example from her agency. "The General Services Administration experienced many of these benefits by moving the federal portal, USA.gov, to the cloud. GSA wanted to reduce costs and add scalability and flexibility to USA.gov in order to meet emerging citizen needs. Using a traditional IT procurement, it would likely have required six months to upgrade USA.gov to keep up with growing traffic, at a cost of approximately $2.47 million per year. In a cloud environment, GSA is able to perform upgrades in one day at an annual cost of $806,000. The transition significantly lowers GSA's costs and improves the scalability of USA.gov, saving taxpayers $1.7 million annually."
Cureton's take on cloud computing recommended that government organizations cut through the hype and begin to "investigate high-value areas where cloud services are appropriate." Specifically, she wrote, CIOs should "look at cloud services for opportunities to reduce fixed-cost services or explore it as an alternative to investing in the high-entry costs for development efforts."
Let us know what you think about the story; email firstname.lastname@example.org.