Trend Cloud Security Blog – Cloud Computing Experts

Is the Federal Government’s Shiny New Cloud Secure?

On December 5, 2010, the Washington Post printed this article: “Federal government moves forward with ‘cloud-first’ plan for new technology.”

Trend Micro asked our VP of Cloud Security, Dave Asprey, to provide his thoughts and opinions about this government plan. Here is what Dave wrote:

It’s exciting to see that the GSA is leading the way to modernize the federal government’s IT by moving to “the cloud.” However, in the rush to save money, the GSA may be repeating some mistakes that company IT departments have already made. To go to the cloud, the GSA had to choose between paying for server infrastructure in a cloud, paying for software in a cloud, or building an in-house private cloud on their own servers. They made an interesting choice.

Cloud infrastructure services let companies (or governments) pay for access to servers only when they use them, and give customers full control over which applications and security packages they will install. Amazon EC2 is the most famous of these. Enterprises pay per hour of server time for this type of cloud. They benefit from full knowledge of and control over how the cloud is configured, and software vendors are driven by competition to provide the best software each customer will run in the cloud. This offers the most control and moderate convenience. Some cloud infrastructure providers like Terremark are even certified to hold classified government documents, but most are not.

Software cloud services, known as SaaS or “Software as a Service,” hide servers completely from IT professionals, exposing only a web application, with IT experts having little knowledge of, and even less oversight over, the underlying software and security architecture. The most famous SaaS vendor is Salesforce.com, but Google’s Gmail offering is in the same category. Companies pay for these services on a per end user account basis. SaaS companies write their own applications and customers do not have the option to specify which security or management tools will be used. Customers have the least control but the most convenience.

For mission critical applications, many companies implement their own “private cloud” using virtualization from companies like Citrix or VMware running on servers purchased by the company. (Full disclosure: A few years ago I ran strategy for the Citrix virtualization unit but have no financial ties to them now.) This is the most expensive option the GSA could have chosen but it has the highest degree of control and least amount of convenience.

When the GSA chose to go to “the cloud” by choosing the service that was most convenient but had the least amount of control, they effectively put all their security eggs in one basket by relying exclusively on whatever security Google builds into their Unisys offering. If the GSA isn’t happy, they can’t patch the software or change a component; they have to knock on Google’s door to ask for changes. I’m pretty sure Google has a long line of people knocking on its door ahead of the GSA. They’re called advertisers, and the billions they pay to Google most likely dwarf a small GSA project.

Keep in mind that hackers from China recently compromised Google security, and one of their administrators was caught accessing a user’s email data. We only know about these because Google did the right thing and came forward with the news. On the other hand, if the GSA had chosen Microsoft Exchange or open source software running in cloud infrastructure instead of Google, they would have had their choice of several very large security companies (like my employer Trend Micro) to secure their cloud. Old-fashioned American capitalist competition forces these companies to find and stop threats quickly and to stay at the cutting edge of IT security. Until cloud providers like Google step up to guarantee, and prove, that their security is on par with enterprise security, they will be a poor choice for our government agencies. We don’t need another WikiLeaks.

Dave Asprey

VP Cloud Security

Trend Micro

Trend Micro would like to know what you think about this. We enthusiastically invite your comments and we will read every one of them.

For very detailed information about Trend Micro and Security Built for Enterprise Virtualization and Cloud Environments, please visit our website: http://bit.ly/dEmlhv

2 Responses to “Is the Federal Government’s Shiny New Cloud Secure?”

  1. Not even the mighty Google can guarantee 100% security.
    As some might remember, Google.com was down because of a DDoS in 2004: http://bit.ly/fd0rBZ

    It would be nice though, if someone actually was able to guarantee internet safety.

    Yet again... is 110% internet safety equal to 100% control? And if the “wrong” ones have that control, will internet safety then be desirable?

    • Dave Asprey says:

      John, that’s a good point… what I’m asking for is that public cloud providers become fully transparent about their security practices. Right now, security through obscurity is a portion of what happens, but we as cloud consumers don’t know what portion, or how.

      Even 13 years ago at Exodus Communications (one of the early companies that formed the cloud), we got *grilled* by customers about every little security procedure. I remember my first day on the job, the VP Ops for Chemdex (and ex-VP Ops for Schwab if memory serves) spent five hours shredding our fully managed security offering, down to the type and level of encryption offered on the control network.

      Today’s cloud providers have obfuscated their security and operations into a single per-hour price, which is convenient and simple. But it means experienced IT guys can’t know *how* secure it is. As the cloud providers mature, they will have to disclose their security practices if they want core enterprise apps.