Click here to close now.

Welcome!

CloudExpo® Blog Authors: Yeshim Deniz, Carmen Gonzalez, David Sprott, Elizabeth White, Liz McMillan

Related Topics: CloudExpo® Blog, Cloud Security, Government Cloud

CloudExpo® Blog: Blog Feed Post

The Cloud and Cybersecurity

The cloud-first policy and the incremental approach to cloud adoption will make IT reform real

As part of federal CIO Vivek Kundra’s 25-point plan to reform federal IT management announced last December, federal agencies must adopt a “cloud-first” policy that requires them to move three applications to the “cloud” over the next 12 to 18 months. Agencies must identify the three “must move” services within three months, move one of those services to the cloud within 12 months and the remaining two within 10 months.

This cloud-first policy and the incremental approach to cloud adoption will make IT reform real and should result in huge (30-50%) savings in federal IT budgets. One specific and measurable goal laid out in the plan calls for a reduction in government data centers from the current 2,094 number to fewer than 800 by 2015. Already 50 percent of government agencies are moving to private clouds but to realize the full potential of the cloud, the government needs to move from many small clouds to fewer large, shared clouds. Of course, federal acquisition policies and authorities must be modified before agencies can fully embrace this strategy. The Federal Risk and Authorization Management Program (FedRAMP) begins to address this issue.

FedRAMP allows joint authorizations and continuous security monitoring services for Government and Commercial cloud computing systems intended for multi-agency use. Joint authorization of cloud providers results in a common security risk model that can be leveraged across the Federal Government. The use of this common security risk model provides a consistent baseline for Cloud based technologies. This common baseline ensures that the benefits of cloud-based technologies are effectively integrated across the various cloud computing solutions currently proposed within the government. The risk model will also enable the government to “approve once, and use often” by ensuring multiple agencies gain the benefit and insight of the FedRAMP’s Authorization and access to service provider’s authorization packages.

There are still a lot of challenges that federal agencies need to work out with the cloud–data sovereignty, privacy and security, funding models, etc–but it is clear that the cloud model will allow government to operate more efficiently and effectively. Nonetheless, there persists the nagging perception that the cloud is inherently unsafe. Government agencies are uncomfortable handing over control of their data to other agencies, vendors or third parties. They are right to be concerned; reported cyber attacks against federal systems increased by 39 percent during the last fiscal year when compared to the year before, says an annual report on agency implementation of the Federal Information Security Management Act (FISMA). The report–posted online last month by the Office of Management and Budget (FY2010 FISMA Report)–finds that Federal agencies reported 41,776 cyber incidents during fiscal 2010. In 2009, agencies reported close to 30,000 incidents.

Despite the grim outlook, we believe the security of the federal enterprise, as well as its functionality, can be significantly enhanced by smartly implementing cloud computing. The following are some key principles that can facilitate this:

  • The importance of mission-focused engineering. Private clouds inside the federal enterprise can enhance mission support, but mission-focused engineering should be a first step in this pursuit.
  • The continual need for security, including data confidentiality, integrity and availability. All federal computing approaches must be engineered to be in total consonance with IA guidelines to assure federal information, information systems and information infrastructure. Cloud Computing, when engineered right, makes dramatic, positive changes to the mission assurance posture of the federal enterprise. Cloud computing enables stronger end point security and better data protection. It also enables the use of thin clients and the many security benefits they provide. Identity management and encryption remain of critical importance.
  • The need for always instantaneously available backup of data in the cloud. Ensured availability under all circumstances is a key benefit of smart cloud computing approaches.
  • The continual need for open source and open standards. Most cloud infrastructure today is based on open source (Linux, Solaris, MySQL, Glassfish, Hadoop) and this positive trend will help in net centric approaches. According to the IDC Group, open source software (OSS) is “the most significant, all-encompassing and long-term trend that the software industry has seen since the early 1980′s” Gartner projects that by 2012, 90 percent of the world’s companies will be using open source software. This all indicates open source and open standards should be a key principle for federal cloud computing and other net centric approaches.
  • The continual need to evaluate both low barrier to entry and low barrier to exit. As approaches to cloud computing are evaluated, too frequently the cost of exiting an approach is not considered, resulting in lock-in into a capability that may soon be inefficient. Cloud computing capabilities should be adopted that do not result in lock-in.
  • The need for open standards. Cloud computing contributions to enhanced functionality for the federal workforce and increase interoperability as the code, API’s and interfaces for cloud computing are secure but are widely published for all participants to interface with. Federal involvement in open source and open standards communities should continue and be accelerated, since increasingly cloud computing open standards are being discussed and designed by open standards bodies like W3C, OASIS, IETF and the Liberty Alliance. Document and other formats used by federal cloud computing activities will be open and available for all authorized users on all devices.
  • The need to understand the cost of “private clouds”. For at least the near term, the federal government will remain a provider of “private cloud” capabilities where security dictates ownership levels of control over compute power. This fact means the federal enterprise must continually engineer for change and technology insertion, which underscores the need for low barriers to exist in design criteria.

Regarding security, cloud computing holds the potential to dramatically change the continuous loosing game of continual workstation patching and IT device remediation by reducing the amount of applications on desktops and changing the nature of the desktop device from fat client to thin client. Devices can now have their entire memory and operating system flashed out to the device from private clouds and can have the power of the cloud presented to users as if the user is on an old fashioned desktop. This can be done in a way that never requires IT departments to visit the workstation to patch and configure it. And since all data is stored on private clouds it can be encrypted and access only provided to authorized users. No data can ever be lost when laptops are stolen and no data can ever be lost when desktops are attacked by unauthorized users. Security by well engineered use or cloud computing and thin clients or cloud computing and smart fat clients is dramatically enhanced.

This all leads to a key conclusion for the federal enterprise: as we move forward in cloud computing for support to the mission, the federal enterprise should continue to strengthen formal processes to ensure that lessons learned from both industry and the government’s own successful cloud computing initiatives are continually examined and broadly adopted across the enterprise

Crucial Point associates Dillon Behr, Alex Olesker, Bob Gourley and Chris Barnes contributed to this post.

This post sponsored by the Enterprise CIO Forum and HP.

Read the original blog entry...

More Stories By Bob Gourley

Bob Gourley, former CTO of the Defense Intelligence Agency (DIA), is Founder and CTO of Crucial Point LLC, a technology research and advisory firm providing fact based technology reviews in support of venture capital, private equity and emerging technology firms. He has extensive industry experience in intelligence and security and was awarded an intelligence community meritorious achievement award by AFCEA in 2008, and has also been recognized as an Infoworld Top 25 CTO and as one of the most fascinating communicators in Government IT by GovFresh.

@CloudExpo Stories
DevOps Summit at Cloud Expo New York is offering a limited time FREE "Expo Plus" registration option in New York. On site registration price of $1,95 will be set to 'free' for delegates who register during special offer. To take advantage of this opportunity, attendees can use the coupon code, and secure their registration to attend all keynotes, @DevOpsSummit sessions at Cloud Expo, expo floor, and SYS-CON.tv power panels. Special FREE registration givess access to all Containers and Microservi...
DevOps Summit, taking place Nov 3-5, 2015, at the Santa Clara Convention Center in Santa Clara, CA, is co-located with 17th Cloud Expo and will feature technical sessions from a rock star conference faculty and the leading industry players in the world. The widespread success of cloud computing is driving the DevOps revolution in enterprise IT. Now as never before, development teams must communicate and collaborate in a dynamic, 24/7/365 environment. There is no time to wait for long developmen...
"We have developers who are really passionate about getting their code out to customers, no matter what, in the shortest possible time. Operations are very focused on procedures and policies," explained Stan Klimoff, CTO of Qubell, in this SYS-CON.tv interview at DevOps Summit, held Nov 4–6, 2014, at the Santa Clara Convention Center in Santa Clara, CA.
“We help people build clusters, in the classical sense of the cluster. We help people put a full stack on top of every single one of those machines. We do the full bare metal install," explained Greg Bruno, Vice President of Engineering and co-founder of StackIQ, in this SYS-CON.tv interview at 15th Cloud Expo, held Nov 4–6, 2014, at the Santa Clara Convention Center in Santa Clara, CA.
SYS-CON Events announced today that the "First Containers & Microservices Conference" will take place June 9-11, 2015, at the Javits Center in New York City. The “Second Containers & Microservices Conference” will take place November 3-5, 2015, at Santa Clara Convention Center, Santa Clara, CA. Containers and microservices have become topics of intense interest throughout the cloud developer and enterprise IT communities.
ThingsExpo New York is offering a limited time FREE "Expo Plus" registration option in New York. On site registration price of $1,95 will be set to 'free' for delegates who register during special offer. To take advantage of this opportunity, attendees can use the coupon code, and secure their registration to attend all keynotes, ThingsExpo sessions, expo floor, and SYS-CON.tv power panels. Special FREE registration givess access to all DevOps, Containers and Microservices sessions as well. Regi...
With major technology companies and startups seriously embracing IoT strategies, now is the perfect time to attend @ThingsExpo in Silicon Valley. Learn what is going on, contribute to the discussions, and ensure that your enterprise is as "IoT-Ready" as it can be! Internet of @ThingsExpo, taking place Nov 3-5, 2015, at the Santa Clara Convention Center in Santa Clara, CA, is co-located with 17th Cloud Expo and will feature technical sessions from a rock star conference faculty and the leading in...
"Verizon offers public cloud, virtual private cloud as well as private cloud on-premises - many different alternatives. Verizon's deep knowledge in applications and the fact that we are responsible for applications that make call outs to other systems. Those systems and those resources may not be in Verizon Cloud, we understand at the end of the day it's going to be federated," explained Anne Plese, Senior Consultant, Cloud Product Marketing at Verizon Enterprise, in this SYS-CON.tv interview at...
Health care systems across the globe are under enormous strain, as facilities reach capacity and costs continue to rise. M2M and the Internet of Things have the potential to transform the industry through connected health solutions that can make care more efficient while reducing costs. In fact, Vodafone's annual M2M Barometer Report forecasts M2M applications rising to 57 percent in health care and life sciences by 2016. Lively is one of Vodafone's health care partners, whose solutions enable o...
SYS-CON Events announced today that the "First Containers & Microservices Conference" will take place June 9-11, 2015, at the Javits Center in New York City. The “Second Containers & Microservices Conference” will take place November 3-5, 2015, at Santa Clara Convention Center, Santa Clara, CA. Containers and microservices have become topics of intense interest throughout the cloud developer and enterprise IT communities.
Akana, a leading provider of API Management, API Security and Cloud Integration solutions, announced that it is introducing DevOps automation to the API lifecycle. New capabilities in Akana's API Management platform significantly reduce the time required to update API definitions and versions. DevOps teams will be able to work faster in designing and developing APIs, as well as managing them at runtime and publishing them to a portal.
SYS-CON Events announced today that SUSE, a pioneer in open source software, will exhibit at SYS-CON's DevOps Summit 2015 New York, which will take place June 9-11, 2015, at the Javits Center in New York City, NY. SUSE provides reliable, interoperable Linux, cloud infrastructure and storage solutions that give enterprises greater control and flexibility. More than 20 years of engineering excellence, exceptional service and an unrivaled partner ecosystem power the products and support that help ...
“DevOps is really about the business. The business is under pressure today, competitively in the marketplace to respond to the expectations of the customer. The business is driving IT and the problem is that IT isn't responding fast enough," explained Mark Levy, Senior Product Marketing Manager at Serena Software, in this SYS-CON.tv interview at DevOps Summit, held Nov 4–6, 2014, at the Santa Clara Convention Center in Santa Clara, CA.
"ElasticBox is an enterprise company that makes it very easy for developers and IT ops to collaborate to develop, build and deploy applications on any cloud - private, public or hybrid," stated Monish Sharma, VP of Customer Success at ElasticBox, in this SYS-CON.tv interview at DevOps Summit, held Nov 4–6, 2014, at the Santa Clara Convention Center in Santa Clara, CA.
Growth hacking is common for startups to make unheard-of progress in building their business. Career Hacks can help Geek Girls and those who support them (yes, that's you too, Dad!) to excel in this typically male-dominated world. Get ready to learn the facts: Is there a bias against women in the tech / developer communities? Why are women 50% of the workforce, but hold only 24% of the STEM or IT positions? Some beginnings of what to do about it!
IndependenceIT has been selected by nGenx to power Windows-based DaaS and application delivery on Google Compute Engine to support the delivery of GoldMine Cloud software. For independent software vendors (ISVs) like GoldMine, this expands the theater of operations to increase revenue opportunities while reducing software management and maintenance liabilities. IndependenceIT was selected by application and desktop pioneer, nGenx, to deliver its “Bring Your Own Cloud” strategy to GoldMine and o...
SYS-CON Events announced today DevOps.com will exhibit at SYS-CON's DevOps Summit 2015 New York, which will take place June 9-11, 2015, at the Javits Center in New York City, NY. Launched in 2014, DevOps.com has quickly established itself as an indispensable resource for DevOps education and community building. DevOps.com make it their mission to cover all aspects of DevOps – philosophy, tools, business impact, best practices and more.
Imagine a world where targeting, attribution, and analytics are just as intrinsic to the physical world as they currently are to display advertising. Advances in technologies and changes in consumer behavior have opened the door to a whole new category of personalized marketing experience based on direct interactions with products. The products themselves now have a voice. What will they say? Who will control it? And what does it take for brands to win in this new world? In his session at @Thi...
"Vormetric is a data security company. We secure information at rest and our customers are some of the largest organizations in the world. The threats that are coming around today are either from state-sponsored activities and organized crime, and the intent is to steal information," explained Derek Tumulak, Vice President of Product Management at Vormetric, in this SYS-CON.tv interview at Cloud Expo, held Nov 4–6, 2014, at the Santa Clara Convention Center in Santa Clara, CA.
17th Cloud Expo, taking place Nov 3-5, 2015, at the Santa Clara Convention Center in Santa Clara, CA, will feature technical sessions from a rock star conference faculty and the leading industry players in the world. Cloud computing is now being embraced by a majority of enterprises of all sizes. Yesterday's debate about public vs. private has transformed into the reality of hybrid cloud: a recent survey shows that 74% of enterprises have a hybrid cloud strategy. Meanwhile, 94% of enterprises a...