Government Cloud: Yes? No? Maybe?


There is significant discussion within government bodies about the best ways to start realising the potential cost savings (and other benefits) offered by cloud service providers, including:

  1. The recent launch by the US federal government of a cloud-based storefront featuring configurable applications for use with non-sensitive data.
  2. The Japanese government’s plan to create the “Kasumigaseki Cloud”, a nation-wide cloud computing infrastructure for use by government departments.
  3. The UK government’s plans to create the “G-Cloud”, a government-wide cloud computing network.
  4. The Thai government’s plans for a private cloud for use by Thai government agencies, including common business applications delivered as a service.

In October of last year Google won a $7.25 million contract with the City of Los Angeles to provide Google Apps for 34,000 municipal employees. These workers will be using Gmail, Google Docs and other apps, which the city forecasts will save millions of dollars.

Salesforce says that the US Census, the State Department and the US Army are running on Salesforce because they could deploy systems extremely rapidly, cost-effectively develop customised applications, and access their work from anywhere.

There are a few things one can discern in all this commotion: (1) there is a lot of planning going on by commercial vendors, (2) there is talk about so-called ‘private’ clouds, and (3) there is an emerging pattern of acceptance that points to wide-scale adoption of cloud computing by government agencies.

Not surprisingly, public sector CIOs will be wary of the security implications of cloud computing and of their ability to achieve compliance with national and international laws and regulations. This is the paramount obstacle.

Real-time (e.g. click-to-buy) computing is an attractive target for cyber criminals and adversaries who coordinate anonymously and across national boundaries. Cyber threats from organised (and shadowy) criminals, or from nation-states waging information warfare, are a fact of life. Cloud computing adds the potent ingredients of complexity and unknown vulnerabilities:

  • In May 2007, DDoS attacks turned political, with hundreds of online Russian sympathizers blocking Estonian government websites.
  • The Domain Name System (DNS), as IOActive researcher Dan Kaminsky explained in 2008, is vulnerable to various forms of attack, including cache poisoning, in which a resolver is tricked into accepting a forged answer. Disclosures such as these have hastened the move to newer standards such as DNSSEC, which lets a resolver verify signatures over DNS data (origin authentication and integrity; it does not encrypt queries).
  • Marsh Ray of PhoneFactor discovered a hole in the TLS renegotiation handshake (CVE-2009-3555) that lets a man-in-the-middle splice its own plaintext ahead of a victim’s data in a session the server believes is authenticated. This was not a vendor-specific bug but a protocol-level flaw, and the fix is itself a protocol change: the renegotiation_info extension defined in RFC 5746.
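The TLS renegotiation flaw above is one a practitioner can actually test a provider’s endpoint for: a patched server announces RFC 5746 support by including the renegotiation_info extension (type 0xFF01) in its ServerHello, while an unpatched one simply omits it. The following is an added example, not code from the original article or from any vendor it mentions, that parses a ServerHello record and reports whether the extension is present. The two records it checks are constructed inline (the server random, session id and cipher suite are placeholder values chosen for the example), so it runs offline; against a live host you would feed it the first handshake record received after sending a ClientHello.

```python
import struct

# Wire-format constants from the TLS specifications (RFC 5246 for the
# record/handshake layout, RFC 5746 for the renegotiation_info extension).
CONTENT_HANDSHAKE = 0x16
HS_SERVER_HELLO = 0x02
EXT_RENEGOTIATION_INFO = 0xFF01


def parse_server_hello(record: bytes) -> dict:
    """Parse one TLS record carrying a ServerHello and return its fields.

    Raises ValueError on anything malformed rather than guessing, since a
    truncated or padded handshake is exactly what a downgrade attempt looks like.
    """
    if len(record) < 5 or record[0] != CONTENT_HANDSHAKE:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    body = record[5:5 + rec_len]
    if len(body) != rec_len:
        raise ValueError("truncated record")
    if len(body) < 4 or body[0] != HS_SERVER_HELLO:
        raise ValueError("not a ServerHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    if len(hello) != hs_len:
        raise ValueError("truncated handshake message")

    pos = 0
    version = struct.unpack("!H", hello[pos:pos + 2])[0]
    pos += 2
    pos += 32                      # server random
    sid_len = hello[pos]
    pos += 1 + sid_len             # session id
    cipher_suite = struct.unpack("!H", hello[pos:pos + 2])[0]
    pos += 2
    pos += 1                       # compression method

    extensions = {}
    if pos < len(hello):           # extension block is optional
        ext_total = struct.unpack("!H", hello[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_total
        if end != len(hello):
            raise ValueError("extension block length mismatch")
        while pos < end:
            ext_type, ext_len = struct.unpack("!HH", hello[pos:pos + 4])
            pos += 4
            extensions[ext_type] = hello[pos:pos + ext_len]
            pos += ext_len
            if pos > end:
                raise ValueError("extension overruns block")
    return {"version": version, "cipher_suite": cipher_suite, "extensions": extensions}


def supports_secure_renegotiation(record: bytes) -> bool:
    """True if the ServerHello carries a well-formed RFC 5746 renegotiation_info.

    The extension body is a length-prefixed renegotiated_connection value; on an
    initial handshake it is the single byte 0x00. A server that omits the
    extension has not been patched for the prefix-injection flaw.
    """
    ext = parse_server_hello(record)["extensions"].get(EXT_RENEGOTIATION_INFO)
    return ext is not None and len(ext) >= 1 and ext[0] == len(ext) - 1


def build_server_hello(extensions: list) -> bytes:
    """Construct a minimal TLS 1.2 ServerHello record (sample data, not captured traffic)."""
    hello = struct.pack("!H", 0x0303)          # TLS 1.2
    hello += b"\x11" * 32                      # server random: constructed placeholder
    hello += b"\x00"                           # empty session id
    hello += struct.pack("!H", 0x002F)         # TLS_RSA_WITH_AES_128_CBC_SHA
    hello += b"\x00"                           # null compression
    if extensions:
        ext_bytes = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in extensions)
        hello += struct.pack("!H", len(ext_bytes)) + ext_bytes
    hs = bytes([HS_SERVER_HELLO]) + len(hello).to_bytes(3, "big") + hello
    return bytes([CONTENT_HANDSHAKE]) + struct.pack("!H", 0x0303) + struct.pack("!H", len(hs)) + hs


# Two constructed responses: a patched server and one still vulnerable.
PATCHED_HELLO = build_server_hello([(EXT_RENEGOTIATION_INFO, b"\x00")])
LEGACY_HELLO = build_server_hello([])

if __name__ == "__main__":
    for name, rec in (("patched", PATCHED_HELLO), ("legacy", LEGACY_HELLO)):
        print(f"{name}: secure renegotiation supported = {supports_secure_renegotiation(rec)}")
```

For a quick manual check without writing code, `openssl s_client -connect host:443` prints “Secure Renegotiation IS supported” or “IS NOT supported” after the handshake, which is the same extension being reported.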

So expect government agencies to keep vital interests, transaction processing systems and information stores close to their chests, placed on infrastructure that, if shared at all, is shared only with trusted entities. It would be the height of embarrassment if a sensitive application were found to be hosted side-by-side with one of an adversary’s.

The alternative is a compartmentalised, cordoned-off IT environment, often referred to as a ‘private’ cloud. The Department of Defense arguably has in its hands the world’s largest private cloud and is a model for the commercial vendors.

Microsoft and Google Inc. are already off to the races with their own private clouds. They are in the final stages of accreditation for FISMA (Federal Information Security Management Act) compliance.

Google has completed a System Security Plan for Google Apps with the General Services Administration (GSA) acting as a sponsor. Microsoft is also working towards an authority to operate Microsoft Business Productivity Online Suite and Microsoft Azure with FISMA accreditation.

E-mail aside, it is hard to imagine a government agency moving any of its core applications into a multi-tenant cloud utility without first getting comfortable with some crucial questions:

  • How do you make a cloud provider (IT systems, personnel, hardware etc.) compliant with geographically relevant regulations and mandates such as FISMA?
  • Will there be lingering regulatory concerns after deployment of a cloud application? How do I continuously monitor and measure compliance and security posture?
  • What is the make-up of a private cloud, and what are its capabilities? Is it worth the cost?
  • What proof-points are there to indicate that cloud computing technology is mature?
  • What is the migration story for candidate applications into the cloud? Moving a mainstream transaction system is too soon for all or most government agencies.
  • Is there enough data to show that a compromise at a public cloud provider is of minimal risk? Is the magnitude of the threat any different from that of existing approaches?
  • Is there such a thing as a high-end cloud computing threat?

The National Institute of Standards and Technology (NIST) will play a pivotal role in promoting the standards and best practices for secure cloud computing. In addition, the European Union’s security agency (ENISA) has released a comprehensive report providing recommendations to public and private sector organisations on cloud security. The result is an independent analysis that outlines some of the information security benefits and key security risks of cloud computing.

When enterprise and Internet trends collide, the Internet trend will win. The Cloud will prevail in the public sector, but it will take time.
