Improving mobile device security is one of the top information security priorities for the coming year, according to our new Healthcare Information Security Today survey. And that's not surprising, given the recent surge of interest in tablets, smartphones and other mobile devices.
Federal CIO Steven VanRoekel, speaking at a cloud computing conference, says the White House is in the final stages of approving the Federal Risk and Authorization Management Program, which agencies will use to vet cloud providers.
The draft publication defines high-priority requirements for standards, official guidance and technology developments that need to be met in order for agencies to accelerate their migration of existing IT systems to the cloud computing model.
Heavily regulated industries like banking and healthcare have been reluctant to make the virtualized leap to the cloud, fearing a loss of control could open them to unforeseen risk. Are their concerns unfounded?
"We shouldn't make the false choice between security and innovation," Federal CIO Steven VanRoekel says. "In fact, innovation can make us more secure as long as we build security into everything we do."
"Matching an implementation to the cloud definition can assist in evaluating the security properties of the cloud," says computer scientist Peter Mell, author of The NIST Definition of Cloud Computing.
Many institutions - in and out of government - would hire more IT security professionals if they could be found. According to our analysis of BLS data, there's virtually no unemployment among IT security pros, creating a dearth of IT security specialists.
The Department of Homeland Security is undertaking nine private and three public cloud computing initiatives, establishing private cloud services to manage sensitive but unclassified information while using the public cloud for non-sensitive data.
Ineffective or noncompliant security practices of service providers, the inability of customers to examine controls, the prospect of data leakage and the loss of data if a cloud service is terminated present challenges.
"With a company-issued device, you can issue a policy that says users have no rights of privacy over information on the device," says Javelin's Tom Wills. But with employee-owned devices? A whole new set of issues.