Moving to the Cloud: Gov's Chief Concern
IBM CTO/U.S. Fed Business Dave McQueeney Interviewed
"When they start thinking about moving data from their internal systems to an external system, the first question they are going to ask the external provider is, 'What kind of procedures will you follow for physically securing the servers, for assuring the authenticity of the log-in, for security of the data during transit to and from your site?'" McQueeney says in an interview with GovInfoSecurity.com (transcript below).
"And," he says, "the government will be very, very interested in: Does that provider offer them a set of security controls that are as robust as or perhaps even more robust than what they would do internally?"
In the interview, McQueeney also addresses the types of applications governments are likely to move to the cloud first. Cloud computing, he says, is a good patch of virtual turf for low-hanging fruit: relatively easy-to-achieve workloads such as software development and testing.
Yet are there apps that should never be on the cloud? McQueeney hesitates, but says:
"It's probably a little risky to say something would or would not ever move somewhere, but if we talk about some of the most sensitive, classified data in the U.S. government, that would not be high on the list of things that would be easy to move into a cloud environment. I would hesitate to speculate never but, you know, I think there are some that would tend to remain inside the enterprise."
McQueeney, in the interview, also discusses the:
- Security advantages the cloud offers;
- Advantages for governments to use private, multi-tenancy clouds;
- Two recent IBM initiatives to bring cloud offerings to government, one for federal agencies and the other for local, county and municipal governments.
McQueeney's wide-ranging experience spans solid-state physics, high-speed interconnect design, distributed software development tools and government-specific industry solutions. He spent half of his career as a researcher and research executive, and half in IBM's customer-facing units, including global sales and distribution, acting as the global government solutions general manager and leader of the Federal Systems Integration services unit.
Prior to joining IBM's federal team, McQueeney led the IBM global services intellectual property and global competencies team. He has held a number of significant positions in IBM research, including director of the IBM Zurich research laboratory, vice president of communication technology, and vice president of technical strategy and worldwide operations.
He began at IBM in the research division in 1988. McQueeney earned a master's and a doctorate in solid-state physics from Cornell University and a bachelor's in physics from Dartmouth College.
ERIC CHABROW: IBM has just announced two cloud-computing initiatives, one aimed at local governments and the other at federal agencies. Briefly explain each of these initiatives.
DAVE McQUEENEY: Of the two initiatives, let's start with our federal initiative first. It's called the Federal Community Cloud, and the federal government, like most of our clients, is always looking for ways to make the provisioning of information technology to support their mission as economical and as straightforward as it can possibly be. The evolution of technologies such as virtualization, automatic provisioning and grid computing has all come together to form a very attractive type of delivery of compute resources that goes under the heading of cloud computing. The federal government has been interested in how it can use the cloud-computing model, both within the government and from providers outside of the government, to make their IT operations both more efficient and more responsive. And along with providing this service to the government, any providers have to meet a fairly strict set of federal security, privacy and information technology deployment guidelines. So what we're announcing for our federal clients is the Federal Community Cloud, hosted out of a couple of our very large production data centers where we've complied with all of the relevant federal security specifications, and we're ready to offer that to our federal clients.
The second announcement we're making is around an offering for municipalities, states, counties and local governments. The size and scale of the problems from the federal government to local governments are very different. Most of my customers in federal have extremely large, almost one-of-a-kind, on-the-planet data scale and transaction rates and very complex policies. Local and municipal systems tend to be smaller in footprint and there tends to be some similarity between the roles played by IT in one town or another town or different counties and cities.
We've seen an opportunity to use the cloud computing model where we can host pieces of mission process that are useful to many municipal governments, host them in one place and actually give not only a great benefit to local governments of not having to support the IT equipment and software and operations locally, but to get it from a provider who does this on a very large scale very efficiently. But also we've seen a lot of ability, by hosting different applications in a common cloud environment, to make it much easier for a local government to give their citizens one view of all their interactions with the government and tie together different services that the government might provide to that citizen. There is both a cost and an efficiency benefit, but there is also a productivity benefit in terms of better service to the citizens.
CHABROW: It seems in both of these initiatives you're dealing with private, multi-tenant clouds. Is that correct?
McQUEENEY: That is exactly right. In the case of the Federal Community Cloud, the federal security requirements state that the computing equipment that serves federal customers must be physically segregated from the equipment providing service to commercial customers. Physically, you will find it in a separate, locked cage with separate physical security and separate network connections to the outside world. That is as required by the federal information security requirements. That is obviously a very reasonable requirement given the level of sensitivity of some of the data. The requirements on municipal governments are not exactly the same, but the same principles apply; those things are hosted in a very high-integrity, high-security environment as well.
CHABROW: Let's talk a little bit about the advantages of multi-tenant cloud computing in its private environment, but first, why multi-tenant, and why not just specific private clouds for each of the federal agencies or each municipality?
McQUEENEY: Good question, and it's not an either/or. Most of my federal clients have used and experimented with private cloud implementations. They have either purchased software that they could layer on top of systems they have, or in some cases they've bought complete turnkey, pre-packaged, pre-integrated systems. That is typically the first step clients will make, whether they are government or private. They'll look at the economy of scale within their enterprise, and then as they evolve and they see the efficiency and the benefit of this model, they'll start asking the question: are there parts of workflow - my mission, as the government might call it, or the business process, as a commercial customer might call it - that would be more efficiently handled by a provider outside of my enterprise?
A lot of times you'll find that it is the result of an analysis of different workloads that go on in the enterprise. Suppose you have a government agency with a very strong seasonal variation in workloads, perhaps an agency that is responsible for tracking storms or an agency that is providing social benefits that have a very strong seasonal character. There will be fluctuations in the load presented by citizens that will go very, very rapidly up and down, and it might be very nice to have a fixed and stable base of computing inside your enterprise and then a surge capacity that you can access and tailor to the same kind of operational environment with an external provider, and then you only have to pay for the use of that external provisioning of the application for the very short parts of the season that you need it. So it gives an agency a way to have a stable base of computing and then have a very easy way to surge their capacity up and down, and it ends up saving them a lot of money rather than having an internal, captive environment be at the maximum size all year long.
Cloud's Perceived Security Challenges
CHABROW: What are the biggest perceived security challenges your government clients tell you concern them? Are those concerns grounded, and if not, why not? If they are, what can be done about them?
McQUEENEY: Governments as a rule are quite concerned, and appropriately so, about security around their data, the integrity around their data. They'll use words even broader than security, like information assurance, to kind of capture all of the thoughts around the security and integrity and the reliability of the data. Given the criticality of tax records and defense information and all the sorts of things that the government does, it's absolutely appropriate to have a very strong focus there. The governments around the world, and certainly our government here in federal, go to great lengths to build systems that are robust and reliable and secure and to manage them to all of the best practices that they know of.
When they start thinking about moving data from their internal systems to an external system, the first question they are going to ask the external provider is, "What kind of procedures will you follow for physically securing the servers, for assuring the authenticity of the log-in, for security of the data during transit to and from your site?" And the government will be very, very interested in: does that provider offer them a set of security controls that are as robust as or perhaps even more robust than what they would do internally, so that when they then move some of their data or some of their application or their mission process flow outside of the government and then link it back in to work back inside, have they maintained the high level of security they would maintain internally?
That's why in the federal government they applied the standards known as FISMA, the Federal Information Security Management Act. They apply them to their systems and to their external providers, and more interestingly, recently the government has undertaken an initiative called FedRAMP, with a lot of the technical guidance coming from the scientists at the National Institute of Standards and Technology, that seeks to get all of the government agencies in federal to agree on a common set of standards, so that once a provider is certified against the FedRAMP process, it's something that many or most of the federal agencies will accept. That means that vendors won't have to certify their systems differently for different federal agencies.
CHABROW: Can the cloud be more secure?
McQUEENEY: It should be possible. In fact, I'm sure it is possible in a cloud environment to actually provide a better degree of security than a natively hosted application that might have existed previously. I don't know if you guys saw the press release we did a couple of months ago with the U.S. Air Force on a project we called MOCA, Mission Oriented Cloud Architecture. That project was asking the question, "What if we wanted to run an actual military mission on top of a cloud runtime?" Now in this case, we presume that would be a private cloud implementation inside the Department of Defense. So the Air Force really wanted to know the answer to questions like: Was that cloud environment robust? Was it reliable? Was it sufficiently secure?
And one of the things that they became concerned about was: what if someone tries to mount an attack on the cloud computing infrastructure as a way of disrupting the mission? One of the things that we did for the Air Force was look at the deployment of a new product we have called InfoSphere Streams. It's basically a high-speed, real-time analytic system that can take gigabit network feeds, you know, at full line speed. We looked at the patterns of traffic flow in the fabric of communications that wired the cloud together, and we said, can we detect threats, for example, of a botnet attack? Can we see a botnet attack coming into the system and assembling itself by looking at the low-level traffic patterns on the network, and can we in fact interrupt that attack before it ever has a chance to launch? Investments like that are not likely to be affordable for each individual system I build as a stand-alone silo, but they are very affordable to put into a cloud computing environment that I build a very robust instance of and then virtualize and then sell slices of to my users.
Never Say Never
CHABROW: Do you see any kind of applications that will never go in a cloud?
McQUEENEY: There are certainly applications that are not the low-hanging fruit, things that wouldn't be the first things you'd move to the cloud. It's probably a little risky to say something would or would not ever move somewhere, but if we talked about some of the most sensitive, classified data in the U.S. government, that would not be high on the list of things that would be easy to move into a cloud environment. I would hesitate to speculate never, but, you know, I think there are some that would always tend to remain inside of an enterprise.
CHABROW: Is there a certain commonality in the types of government applications that are being implemented now, and how would that evolve?
McQUEENEY: We see a couple of use cases that recur across our commercial and our government customers for workloads that are a very good fit for cloud computing. One of them is software test and development. That tends to be an activity that has a fairly complex set of tools, a fairly complex environment that has to be provisioned to software developers, and the needs for software development, and especially software test, tend to vary very rapidly. The workload goes up very intensely, in the case of test, for a relatively short time and then ramps back down again. That's a very good case where the breathing of capacity that an external provider can give to a company or a government is a great advantage.