Compliance & Risks
Is the Federal Government’s Shiny New Cloud Secure?
GSA is moving the federal government's IT to the cloud, but to save money, it may repeat company IT departments' errors. Until cloud vendors ensure their security is on par with enterprise security, they'll be a poor choice for government agencies.
On December 5, 2010, the Washington Post printed this article: “Federal government moves forward with 'cloud-first' plan for new technology.”
Trend Micro asked our VP of Cloud Security, Dave Asprey, to provide his thoughts and opinions about this government plan. Here is what Dave wrote:
It's exciting to see that the GSA is leading the way to modernize the federal government's IT by moving to “the cloud.” However, in the rush to save money, the GSA may be repeating some mistakes that company IT departments have already made. To go to the cloud, the GSA had to choose between paying for server infrastructure in a cloud, paying for software in a cloud, or building an in-house private cloud on their own servers. They made an interesting choice.
Cloud infrastructure services let companies, or governments, pay for access to servers only when they use them, and give customers full control over which applications and security packages they will install. Amazon EC2 is the most famous of these. Enterprises pay per hour of server time for this type of cloud. They benefit from full knowledge of and control over how the cloud is configured, and software vendors are driven by competition to provide the best software each customer will run in the cloud. This offers the most control and moderate convenience. Some cloud infrastructure providers like Terremark are even certified to hold classified government documents, but most are not.
Software cloud services, known as SaaS or “Software as a Service,” hide servers completely from IT professionals, exposing only a web application, with IT experts having little knowledge of, and even less oversight over, the underlying software and security architecture. The most famous SaaS vendor is Salesforce.com, but Google’s Gmail offering is in the same category. Companies pay for these services on a per-end-user-account basis. SaaS companies write their own applications, and customers do not have the option to specify which security or management tools will be used. Customers have the least control but the most convenience.
For mission critical applications, many companies implement their own “private cloud” using virtualization from companies like Citrix or VMware running on servers purchased by the company. (Full disclosure: A few years ago I ran strategy for the Citrix virtualization unit but have no financial ties to them now.) This is the most expensive option the GSA could have chosen but it has the highest degree of control and least amount of convenience.
When the GSA chose to go to “the cloud” by choosing the service that was most convenient but had the least amount of control, they effectively put all their security eggs in one basket by relying exclusively on whatever security Google builds into their Unisys offering. If the GSA isn’t happy, they can’t patch the software or change a component; they have to knock on Google’s door to ask for changes. I’m pretty sure Google has a long line of people knocking on its door ahead of the GSA. They’re called advertisers, and the billions they pay to Google most likely dwarf a small GSA project.
Keep in mind that hackers from China recently compromised Google security, and one of their administrators was caught accessing a user's email data. We only know about these because Google did the right thing and came forward with the news. On the other hand, if the GSA had chosen Microsoft Exchange or open source software running in cloud infrastructure instead of Google, they would have had their choice of several very large security companies (like my employer, Trend Micro) to secure their cloud. Old-fashioned American capitalist competition forces these companies to find and stop threats quickly and to stay at the cutting edge of IT security. Until cloud providers like Google step up to guarantee, and prove, that their security is on par with enterprise security, they will be a poor choice for our government agencies. We don’t need another WikiLeaks.
Dave Asprey
VP Cloud Security
Trend Micro
Trend Micro would like to know what you think about this. We enthusiastically invite your comments and we will read every one of them.
For very detailed information about Trend Micro and Security Built for Enterprise Virtualization and Cloud Environments, please visit our website: http://bit.ly/dEmlhv