Cloud Security: Government Survey Insight
SafeNet's Russell Dietz on How Government Can Reap Cloud Benefits"The concern that these agencies have is 'How can I show that I have control over these information assets?'" says Russell Dietz, corporate VP and CTO of SafeNet, one of the survey sponsors.
Part of the challenge, Dietz says, is that government agencies face unique security mandates and challenges for working in the cloud. "Really, when you look at FISMA," he says, "it doesn't touch on some of the issues around multi-tenancy," which is one of respondents' top concerns about moving into the cloud.
In a focused discussion about the cloud computing aspects of the 2011 Government Information Security Today survey, Dietz talks about:
- Unique concerns and challenges for government agencies in the cloud;
- Myths and realities of cloud computing;
- How government can gain cloud benefits and savings - and still be secure.
Dietz joined SafeNet in February 2009 as Corporate Vice President and Chief Technology Officer (CTO). In this role, he leads the strategic positioning and migration of new technologies into SafeNet's highly successful solutions portfolio.
Dietz brings more than 27 years of industry experience. He has held the CTO position for multiple high-tech companies, including Hifn, Inc., where he led company efforts in defining the next generation of security, service, and network processing solutions, and Apptitude, where he drove the vision, strategy, and architecture of the application and flow classification solutions, MeterFlow and MeterWorks.
He was the founder and Vice President of Engineering for Technically Elite, and previously held various management and technical spots at Magnavox Electronic Systems and Digital Equipment Corporation, and was a technical author for Digital News and Review technical journal.
Dietz is an active member of the Network Processing Forum (former chairperson), Internet Engineering Task Force (IETF), Institute of Electrical and Electronics Engineers (IEEE), Optical Internetworking Forum (OIF), and the Cloud Computing Interoperability Forum (CCIF). He has been awarded more than 20 patents in network and traffic behavior and analysis in the United States, European Union, Japan and China.
Cloud Security Concerns
TOM FIELD: Russ, we're going to focus specifically on one element of the survey, which is cloud computing. And what jumps out at me is that the survey finds that government agencies in the U.S. are interested in the benefits of cloud computing, but they're concerned about the security issues. What do you see to be their hesitation?RUSSELL DIETZ: Well, it's interesting. In that same survey that you guys conducted, it was really eye-opening as to the differences in what information security and security issues mean. There are a lot of things going on when it comes to security, and when we secure information or when we provide secure access to applications, a lot of the security that we measure in standards has to do with actually availability and access controls. And if you look at the respondents in your survey, it's really important to note that when they responded to what was concerning them most, it was control over their sensitive data. I mean, more than 33 percent of the respondents were not very confident that their data was going to be protected and isolated in the cloud. It's also the cloud technologies. They hear about private clouds and community clouds. And, again, more than 70 percent of the respondents were either not confident or really didn't understand how they could get sensitive data controlled in a private cloud. And the last big thing was the reservation that the respondents provided. Two big areas that stand out for me were enforcing security policies, and we'll talk a little bit about policies as we kind of go through things here in our discussion. But the other was loss prevention and mixing data with other users. I mean, almost 50 percent of the respondents touched on those elements.
So when you look at all of that, it's because the concern that these agencies have is how is it that they can show that they have control over the information assets that they're governed and measured by in each of those specific agencies based on the requirements that are put on top of them by the different government organizations that they report into?
Government Mandates
FIELD: Now Russ, what's interesting to me is that there are some unique mandates from government agencies, and you know these as well as anybody. What do you find to be some of these unique mandates, and how do they confuse the issue of securing the cloud?DIETZ: A really good example of this is FISMA, the Federal Information Security Act of 2002. Really, when you look at FISMA, it doesn't really touch on some of the issues around multi-tenancy. And multi-tenancy is multiple agencies sharing the same resources, which, again, causes a visibility and a control issue that your respondents of the survey said was their number one concerns about moving into cloud infrastructure. So here we have a mandate that talks about how to manage access to applications in a secure way, how to make sure the information is available, but it really doesn't deal with the governance issues related to how to control and provide visibility to those information assets.
Unique Challenges
FIELD: Well, we've talked about unique mandates. The other thing that strikes me as unique are the challenges. What do you see as being some of these unique challenges for government agencies that really are seeking to get the most out of the cloud?DIETZ: So, some of the challenges have to do primarily with a balance of the funding that's being provided to actually do information technology within these agencies and really how they can apply those challenges of securing information assets in the cloud. So if you look at the 2012 IT budget from the federal government, you'll see that there's dramatic reduction in civilian agencies' IT spend, but there's also a mandate called Cloud First to basically get those agencies to utilize cloud services. But on top of that, we see different elements beyond things like FISMA that we just talked about and something GSA is pushing, which is FedRAMP. And it's supposed to be a measurement criteria to help these civilian agencies better understand how to leverage cloud computing services and how to deal with FISMA and other kinds of cyber security initiatives to manage their information. Unfortunately, FedRAMP just hasn't really given that structure that's needed. So here we have shrinking IT budgets, a drive from Cloud First as an initiative from the Federal CIO, but really no clear measurements of how it is to effectively use cloud services yet to make it easy for agencies to just pick and choose how they can basically get the services they need in a secured way.
Cloud Myths, Realities
FIELD: Russ, you and I have spoken prior to this conversation, and I believe you understand cloud computing and government as well as anybody does. When you look at, take a step back, what do you see as being some of the true myths and realities of cloud computing in government today?DIETZ: Well, the first real myth that you see out there is that all agencies can take advantage of cloud computing without changing how it is that they're actually doing information technology. And that's a huge myth. Agencies have been dealing with creating silos around their information for decades now, and we're coming at them and showing them that they can use cloud as a consolidated resource, but it just doesn't link in with that use model that they're really dealing with and have been dealing with for a very long time, of understanding and controlling their information.
The reality is that some of the new technologies that are emerging out there to help with multi-tenancy, one of the biggest areas that we're seeing as a focus point now in the Cloud Security Alliance, that's out there is a good measurement as we move into 2011 and beyond, is using encryption as a tool to help isolate, control, and provide that visibility that's needed for these agencies to use that information in the cloud infrastructure. So I think it's time for us to understand that when we're dealing with cloud in government, you have to have control and visibility. Regulations and governance require that. The agencies are used to siloing their information, and we have to use, again, as GSA and other organizations are pointing out, encryption as a way to provide that control and isolation. So that is a reality that is available to those agencies that really wasn't even as much as six months ago.
Tips for the Cloud
FIELD: Russ, to wrap up our conversation, I'm going to ask for some advice from you. And the first point I want to ask is how can agencies go about selecting the right cloud service providers?DIETZ: Great question, and I'm going to hang it off of something that I said earlier. It was a little weak, but at least is providing the right visibility, which is FISMA certification. And then not only that, look at organizations that are standing up on what we call community clouds, especially government-oriented community clouds. Microsoft and Google and many of the other software service providers are doing just that. This allows you to take some of the tools, even, like I mentioned, encryption, and bring that into that cloud service, kind of add it as a feature to make it more oriented towards the agency's needs. So, really, looking for FISMA, looking for what we call community clouds focused at governments will help with those provider selections.
FIELD: A final question for you: How can agencies really achieve the benefits and the savings that they desire from cloud computing?
DIETZ: Yeah, this is the big challenge, right, the holy grail of cloud, and it's exactly where the Federal CIO is trying to go with the cloud initiative in government. And the way to really get there is to understand these control issues that we talked about and make sure that we can apply those systematically in cloud offerings. Pushing agencies into the cloud, which is exactly what's happening right now with the budget constraints that are being pressured on the organizations, is really a recipe for disaster. And the right way to solve this problem is to apply some of the new technologies and techniques that are out there, use some of these standards like FISMA and FedRAMP as a guidepost, but then on top of it, really work with integrators that are starting to understand how cloud services come together. And then the whole last aspect of savings comes from being able to shrink your IT footprint, and really the only way to do that is this concept of multi-tenancy. And that means really focusing on using encryption and isolation techniques as a way to provide governance and control so that you can use shared resources and then shrink the overall cost of providing IT within each of the agencies and organizations.