Beyond Availability: Melissa Hathaway on the Cloud

5 Tough Questions CIOs, CISOs Must Ask About Benefits, Risks

By Melissa E. Hathaway, June 10, 2010.
Beyond Availability: Melissa Hathaway on the Cloud


See Also: OPM Breach Aftermath: How Your Agency Can Improve on Breach Prevention Programs

ederal chief information officers and chief information security officers will convene Monday, June 14, at an annual information technology conference where they are sure to discuss the Office of Management and Budget's mandate to look toward cloud computing to cut IT costs, increase efficiencies and enable greater government-wide collaboration and data exchange.

So what is cloud computing? Here's how the National Institute of Standards and Technology defines it: "Cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources [e.g., networks, servers, storage, applications, and services] that can be rapidly provisioned and released with minimal management effort or service provider interaction."

The key tenet of the cloud is availability. But where are the other cornerstones of information security: integrity and confidentiality?

A recent survey suggested that some CIOs and CISOs may be reluctant to move their data and services to the cloud. However, the Government Services Administration is expected to reissue its blanket purchase agreement for cloud services in the near future, perhaps at the upcoming conference. Notwithstanding their reluctance to move to the cloud, government CIOs and CISOs may have no choice going forward. Of course, that's not all bad, because cloud computing and virtualization technologies offer many benefits. But with those benefits come potential information security and assurance pitfalls.

In examining the potential benefits and vulnerabilities of moving their services to the cloud, government CIOs and CISOs should ask and demand answers to some difficult questions.

Aggregation, Resilience and Operational Capability

Does your provider ensure the confidentiality, integrity and availability with mature processes, proof of past performance, understanding of and mechanisms for disaster recovery options, and encrypted backups?

Demand answers so that you are fully aware of how your data is protected, where it is stored, whether it is co-mingled with other data, if the provider has isolation mechanisms for data, processing, memory, and logs. Presume that your data is replicated and know how quickly it can be restored in the event of an emergency. Understand the provider's ability to surge on demand of need, so that if faced with a distributed denial of service attack or some other event that may affect essential services, you know you will be able to keep your mission critical applications up and running.


Most clouds are envisioned to be a multi-tenant environment, which means shared processing and shared storage. Demand to know how the service provider will implement data segregation. Understand whose responsibility it is to notify another party of a breach in security. Demand transparency of the environment that you are "renting" and now responsible for maintaining the integrity and confidentiality of the data and service stored therein. After all, you are accountable to your cabinet secretary and to Congress for the services rendered by your agency.

Law Enforcement-Investigation of Inappropriate or Illegal Activity

Many cloud computing environments provide an application programming interface to allow for automation of many functions, including adaptive virtual machine provisioning with no human interaction needed. While this capability can reduce costs and provides for desirable demand-scalable systems, an insecure implementation could allow an attacker to rapidly provision large quantities of resources that can be leveraged for malicious use. Due to the speed this can be done, it is in effect giving the attacker the ability to rapidly provision attack platforms, botnets, etc., and then just as quickly remove them and destroy the evidence. If this attack is not detected during the event, the only sign may be when the owner of the environment gets the bill for the large resource utilization or a visit from law enforcement.

Demand to know how your service provider collects and maintains log of activity. Understand if appropriate technologies are fielded to collect, analyze and notify of anomalous activity. Presuming all of the data is stored in the United States, you should know when and if this data was accessed by any other entity. If this data is stored outside of the United States, know when it is accessed and under what authorities it is accessed. If data is shared or backed-up across multiple data centers, ensure that you know where it is stored and how readily it can be restored.

Security, Privacy and Compliance

  • Print
  • Tweet Like LinkedIn share
Get permission to license our content for reuse in a myriad of ways.
ARTICLE Another Breach Notification Bill Introduced

Privacy advocates in the Senate have introduced a national data breach notification bill that would...

Latest Tweets and Mentions

ARTICLE Another Breach Notification Bill Introduced

Privacy advocates in the Senate have introduced a national data breach notification bill that would...

The ISMG Network