A Silver Lining for the Government's Cloud
Cloud computing solutions might improve the overall security of government software.
Cloud computing received a strong push last week when the U.S. government’s Chief Information Officer Vivek Kundra announced apps.gov, a website that lets government agencies find and buy access to cloud-computing tools and services.
Experts have previously warned that cloud computing can introduce new security, privacy, and reliability risks, but some say that the technologies on offer could actually help improve the government’s information-security record.
Kundra noted in a blog post last week that cloud computing can help “lower the cost of government operations while driving innovation.” The federal government currently spends about $75 billion a year on information technology infrastructure and other resources. However, although many companies have quickly turned to cloud computing to save money, the move has been harder for government agencies to make.
“We will need to address various issues related to security, privacy, information management and procurement to expand our cloud computing services,” Kundra wrote.
On top of the maze of regulations that agencies have to navigate in order to adopt new software, many officials in government agencies are especially worried about security and reliability, says Deniece Peterson, principal analyst for INPUT, a consulting company based in Reston, VA, that specializes in government business. “Apps.gov gives them an easier way to acquire apps and educate themselves about cloud computing,” she says.
In a way, apps.gov is just the most visible part of a trend that has already come to government. Salesforce.com, for example, which dominates the list of applications available on the new site in several categories, already provides cloud-computing services to about half of all cabinet agencies in the federal government, according to Daniel Burton, senior vice president of global public policy for the company.
The key change with apps.gov, Burton says, is that the site streamlines the process of setting up a new cloud service. Instead of each agency having to work out a new agreement with Salesforce.com, the site provides standardized, approved agreements that agencies can adopt, so they can get access to the services more quickly.
Jeremiah Grossman, founder and chief technology officer of White Hat Security, in Santa Clara, CA, says that a security audit should be part of the approval process, and government agencies should pay attention to what types of data are being handled by each cloud service. Grossman notes that it’s a good idea to check any Web application against common attacks used on the Internet, such as cross-site scripting.
With that in mind, Grossman says, “From just general business and competition dynamics, I think cloud computing can advance Web security like nothing else before.” When one customer demands certain security features of a cloud service, those features are automatically delivered to other customers of the same service, he says.
“If a big customer demands certain security controls,” Grossman says, “you become the beneficiary of that work by the service provider and customer.” This means that the centralized approach of apps.gov will help all government agencies get better security from popular providers.
Google hopes its experience will attract government customers. “Our technology is really built to withstand the most sophisticated attacks,” says David Mihalchik, business development manager on Google’s federal team. “We are the honeypot for hackers in many respects. We are constantly being attacked, and we have a team of some of the top security experts in the world that make sure we are fending off those attacks on google.com and on our other properties.”
Google is in the process of getting its public cloud certified according to federal government standards for information security. It hopes to be approved to handle information deemed moderately sensitive. Once that rating has been attained, Google plans to build a dedicated government cloud that exceeds that standard to address individual government agency needs.
“These companies have huge incentives to provide good security,” says Ted Schadler, an analyst at Forrester Research specializing in cloud-based collaboration. He compares security problems in cloud computing to plane crashes – they’re high-profile events that generate a lot of attention and embarrassment for the companies involved.
But INPUT’s Peterson says that there’s still room for concern. “Security is a two-part thing – technology and people,” she says. In order for cloud-computing services to work effectively and securely, the agencies using them need to understand how to handle the technology responsibly.
Peterson still sees apps.gov as a careful step into cloud computing. The first go-round, she says, is focused on applications that won’t have access to large amounts of government data. If this initial phase goes well, she expects to see cloud-computing services penetrating more deeply into government agencies, handling more mission-critical tasks, and taking on heavier roles as essential infrastructure.
Forrester’s Schadler says that apps.gov fits into the Obama administration’s agenda of pushing the government forward in its IT sophistication. The visibility of apps.gov could encourage more businesses to set aside their hesitations and try cloud computing, he says. Schadler expects that constituents may pressure government agencies to adopt the new technologies when they see the cost savings.