Can Cloud Be More Secure than Legacy Systems?
House Panel Told of Benefits, Risks of Cloud Computing
"The cloud is not such a special technology necessarily that it is exempt from a security perspective, but is just another implementation of IT, and is a natural evolution of where we come from," Federal Chief Information Officer Vivek Kundra said in testimony delivered to the House Committee on Oversight and Government Reform.
Kundra said greater bandwidth access, better processing power and cheaper storage make cloud computing a very attractive computing alternative for the federal government. "You still have to take appropriate security safeguards ... and that agencies have to comply with current statutes and security policies," he said.
And a General Services Administration executive suggested that because of a dearth of IT security experts, a cloud computing platform could prove more secure than a legacy one. "It's very important in talking about security to not start from the mentality that doing it yourself means it will be done perfectly," said David McClure, GSA associate administrator of the Office of Citizen Services and Innovative Technologies. "There are too many examples where that's not the case, and in fact, having a collection of security experts try to do the job for a larger collection of people rather than having each of those people do it themselves makes a lot of sense. You get more ability to move forward quickly when you have experts doing it for people rather than everybody doing it themselves."
Though not disagreeing with Kundra and McClure, Gregory Wilshusen, director of information security at the Government Accounting Office, offered a less rosy picture of cloud computing security. "There are some very real risks associated with putting information out in the cloud, particularly if they're public clouds to the extent that agencies will now have to rely on the security of the service providers," Wilshusen said. What's key - whether for legacy systems or the cloud - is that proper controls be applied to secure data, he said.
In his testimony, and an accompanying report from the GAO he coauthored, Wilshusen cited government initiatives from the Office of Management and Budget, GSA and the National Institute of Standards and Technology aimed at securing cloud computing, but said their work is far from complete. "Until specific guidance and processes are developed to guide the agencies in planning for and establishing information security for cloud computing, they may not have effective information security controls in place for cloud computing programs," Wilshusen said.
None of the witnesses, including a panel representing IT vendors EMC, Google, Microsoft and Salesforce.com, said that classified and other sensitive government data should be placed on public clouds, which are not only accessible via the Internet but in which data from one organization could reside on the same server as information from another organization.