Feds: We need priority access to cloud resources

Federal agencies must be assured priority and uninterrupted access to public cloud resources before fully embracing the technology for national security and emergency response IT functions, a recent report finds.

The government's "Cloud First" policy mandates that as many applications and workloads be moved to the cloud as possible, but a report from the President's National Security Telecommunications Advisory Committee finds that cloud technologies related to service uptime, interoperability and security are largely not yet mature enough to handle some of the government's most sensitive workloads.


Will the federal government eventually move those national security and emergency preparedness (NS/EP) functions to the cloud? "If and when cloud computing can demonstrate a regime of policy, legal authority, security and oversight that is comparably rigorous, complete and trustworthy relative to those currently in place for NS/EP activities via legacy means, then the response is 'yes,'" the report states. But first, the cloud market needs to mature a little bit more.

No doubt there are benefits to embracing the cloud, the report states. Outsourcing IT functions to commercial cloud providers can reduce IT capital expenditures, and the ability to scale up workloads creates more agility. But for NS/EP IT functions, cost savings are secondary. The priority is improved mission performance and being assured those resources are available during a national emergency. Downtime is unacceptable. "Fundamental requirements of NS/EP include a high degree of assured availability under any condition of stress; high measures of system and content integrity; confidentiality as required by specific missions; and mechanisms for priority access to resources in the performance of NS/EP functions," the report states.

The report's findings resonate as outages from major cloud providers have impacted customers in recent weeks. Amazon Web Services, for example, experienced a power outage during an electrical storm, knocking out service to some customers in late June. Salesforce.com, the major software-as-a-service (SaaS) provider, has had two outages in as many weeks.

The report lists some qualities of service level agreements (SLAs) that should be addressed for NS/EP functions to be moved to the public cloud. These include continuous monitoring of the cloud infrastructure by the provider, third-party audits, data encryption and various certifications and accreditations, including continuously evolving accreditation requirements from the Federal Risk and Authorization Management Program (FedRAMP).

Jamie Dos Santos, president of Terremark Federal Cloud and a member of the NSTAC, runs an infrastructure-as-a-service (IaaS) offering aimed specifically at public agencies, and she says the government is in a unique position to push public cloud providers to meet the security standards needed to host NS/EP functions. She says it's a constant work in progress.

"Government agencies need to work with cloud service providers to design and implement business continuity plans that will ensure the availability of mission-critical data during national security and emergency situations," she says. "Ensuring that the cloud service provider has achieved and exceeded regulatory compliance for the security and reliability of the infrastructure powering their cloud environments is critical."

One way to ensure availability is to spread the workloads across multiple cloud providers, but that's difficult at this point, the report notes. Even if the federal government does encourage providers to meet certain security criteria, there is no guarantee those will be adopted across the entire industry. The lack of standards in the industry prevents the portability of workloads across various cloud providers, the report states.

So will the public cloud ever get to the point of being able to host critical government information? The report says federal government processes related to NS/EP will be ready to move to the cloud "if and when cloud computing can demonstrate a regime of policy, legal authority, security, and oversight that is comparably rigorous, complete, and trustworthy relative to those currently in place for NS/EP activities."

Dos Santos says many federal agencies are already moving swiftly to cloud infrastructures, such as the General Services Administration's email services and many of the Veterans Affairs IT functions. But there is a large portion of sensitive information that is not yet in the cloud, and the cloud market needs continuing maturation before it is.

Network World staff writer Brandon Butler covers cloud computing and social collaboration. He can be reached at BButler@nww.com and found on Twitter at @BButlerNWW.
