I recently participated in a Cloud Innovation Council CIO roundtable discussion focused on cloud computing in the insurance industry. As expected, the CIOs said that they were concerned about cloud computing security in areas like identity management, data security, and network security.
There was another issue, however, that came as a bit of a surprise to me. These IT executives said that cloud computing was so new that they really didn’t have a standard methodology to assess and audit cloud computing providers’ security. Yes, they had a general idea of what they wanted to know but were uncomfortable with informal evaluations and longed for some best practice guidelines.
This situation falls into the “I don’t know what I don’t know” category. Industry hype around cloud computing is off the charts, but when insurance industry CIOs really need some guidance, cloud computing noise makes it difficult to find help. For these and others in the same boat, I suggest they look into two different efforts focused on cloud computing security requirements and assessment processes.
The first is the great work being done by the Cloud Security Alliance (CSA). Now normally I am a bit skeptical of IT industry consortia, but the CSA really has looked thoroughly at cloud security and written several detailed documents around best practices. CSA has even looked beyond basic security and now offers several guidelines on cloud GRC as well.
In addition to the CSA, it is also worth looking into the cloud security work being done at the National Institute of Standards and Technology (NIST). While this has a federal government focus, NIST recently published its Federal Risk and Authorization Management Program (FedRAMP). According to the CIO.gov website, FedRAMP “has been established to provide a standard approach to Assessing and Authorizing (A&A) cloud computing services and products.” There are links to assessment guideline documents here.
With all of the money being spent on cloud computing marketing, you’d think there would be more focus on CSA and FedRAMP but this is not the case. As always, the IT industry loves to solve future, not current, problems. I hope that this blog calls attention to CSA and FedRAMP and provides some assistance to IT and security professionals in the process.
Tags: Cloud Computing, Cloud Security Alliance, CSA, Federal Government, FedRAMP, National Institute of Standards and Technology, NIST
Yesterday, I hosted a panel at the Cloud Computing summit focused on cloud security for the federal government. The panel was made up of some smart folks: Alex Hart from VMware, Bob Wambach from , and one of the primary authors of the Cloud Security Alliance guidelines, Chris Hoff from Cisco.
While these folks offered great contributions, most questions were focused on the fourth member of the panel, Peter Mell from NIST, the chair of the Federal Cloud Computing Advisory Council. Why? Let’s just say that Mell may be the single individual most focused on cloud security in the world. He has been tasked with defining cloud computing standards for the entire federal government–a big responsibility since President Obama and Federal CIO Vivek Kundra continue to trumpet the benefits of cloud computing and push federal agencies to adopt pilot projects.
Mell’s work will soon come to fruition when the feds introduce the Federal Risk and Authorization Management Pilot program (FedRAMP). FedRAMP has two primary goals:
Since FedRAMP is still a work in progress, the audience made up of federal IT people had a lot of questions about all of the fine points. Thus Mell was in the hot seat for most of the time.
Peter Mell deserves a lot of credit. Federal agencies have often acted independently with regard to IT, so Mell and his team are herding cats.
If FedRAMP works, cloud service providers can deliver to a single set of standards. This will encourage innovation and bolster competition. On the agency side, FedRAMP could pave the way for a wave of cloud computing consumption over the next few years. What happens if FedRAMP fails? The federal government becomes difficult to service, so most cloud service providers treat it as a market niche. If that happens, the federal government could lose its cloud computing leadership and momentum very, very quickly.
Tags: Cisco Systems, EMC, FedRAMP, NIST, Peter Mell, President Obama, Vivek Kundra, VMware
I’m in Washington co-chairing a Cloud Computing summit along with my colleague Mark Bowker. Thus far, we’ve covered cloud computing drivers, virtualization, cloud computing governance/compliance, and new skill sets needed for the cloud.
The audience is made up of federal IT workers, for the most part. These folks are under the gun since the Obama administration is pushing cloud projects and setting aside budget dollars to persuade federal agencies to get on board with proof-of-concept efforts. Federal CIO Vivek Kundra has added fuel to the fire, acting as the poster child for federal cloud computing as a way to save taxpayer money and improve IT service.
The federal audience is certainly hungry for knowledge, but very leery about the cloud in general. The feedback today indicates that:
Federal IT people really want more basic information and education about the cloud; vendors should note this and ramp up their knowledge transfer capabilities. Furthermore, it is important to talk in federal terms like FISMA and NIST rather than a more generic presentation. Think security and governance from the get-go.
Finally, the feds are really afraid of vendor lock-in, so standards are important here. When and if the federal government agrees upon cloud standards, vendors must go along to get along. If the feds fail to agree upon standards, all bets are off and the federal cloud becomes a big free-for-all. The private sector, public sector, and technology industry should all work together to make sure that this won’t happen.
Tags: Cloud Computing, FISMA, NIST, Vivek Kundra
There is little doubt that President Obama and the 111th congress are prioritizing cybersecurity initiatives.
The President outlined his plan last May and appointed Howard Schmidt as his Cybersecurity Coordinator late last year. As for the 111th congress, it passed the Federal Data Breach Bill (H.R. 2221) earlier this year and just last week the House passed the Cybersecurity Enhancement Act (H.R. 4061) by an overwhelming vote of 422 to 5.
Just what is the Cybersecurity Enhancement Act? The bill is really focused on cybersecurity research, development, and training. Agencies participating in the National High-Performance Computing Program must provide the congress with a cybersecurity research plan, update an R&D implementation plan annually, and create new plans every three years. Additionally, the bill funds NSF cybersecurity scholarships in exchange for post graduation government service. The bill also seeks to build cybersecurity collaboration between academic, government, and International institutions and pushes the development of technology standards for cybersecurity.
On balance, this is a good bill that certainly heads in the right direction. That said, I have a few suggestions for fine-tuning this bill as it moves along:
One other note about the legislation: The stipulation that calls for a new R&D plan every 3 years is misguided. Security threats change on a weekly basis so three years is far too long a timeframe.
With all of my suggestions aside, I applaud the 111th congress for truly collaborating on this important legislation. I strongly urge the Senate and President to fast track this bill.
Tags: Congress, Cybersecurity, Cybersecurity coordinator, Federal Government, H.R. 2221, H.R. 4061, House of Representatives, Howard Schmidt, NIST, President Obama, Senate
This morning, Symantec jumped into the 2010 acquisitions pool with its purchase of Gideon Technologies, a security and risk management software vendor. Gideon is not a broad market play — this acquisition is really focused on the Federal market alone.
Gideon is one of few vendors with tools that support the Security Content Automation Protocol (SCAP), a set of standards for describing and rating the severity of system vulnerabilities. Through the National Institute of Standards and Technology (NIST), the Federal government uses SCAP as a foundational component of other security standards like the Federal Desktop Core Configuration (FDCC), the Federal Information Security Management Act (FISMA), and DOD 8500.2/8510.
Yes, this deal is somewhat esoteric as its real application is for the U.S. Federal market alone. That said, ESG is bullish on Symantec’s acquisition for several reasons:
To me, Symantec is demonstrating that it truly gets the Federal Government industry. This is important since doing business in the Federal space is different than the private sector. There is a different culture, language, set of standards, thought leaders and relationship protocols. Firms that simply get on the GSA schedule and edit their marketing material learn this lesson the hard way.
With its purchase of Gideon Technologies, Symantec is demonstrating a specific Federal strategy which is exactly what the Federal IT community wants. As it integrates Gideon, Altiris, and other products and services over time, Symantec should see a strong ROI on its acquisition and commitment to the Federal market.
Tags: Altiris, FDCC, Federal Government, Gideon Technologies, NIST, SCAP, Symantec
Yesterday, Cisco, EMC, and VMware unveiled the next iteration of their partnership. Together, the three will offer common support, professional services (through their joint venture, Alpine), and an integrated server, networking, and storage hardware offering called Vblocks. The companies will also work together on service and support.
During the announcement, all three participants highlighted the fact that Vblocks were really targeted at “private clouds.” In other words, a sort of turnkey cloud infrastructure to be consumed by a single organization.
Hmm. So some Fortune 500 company is going to buy a single hardware and hypervisor stack from these guys and replace all kinds of other servers, storage, networking, management tools, etc.? Perhaps, but this seems like a stretch to me as this simply isn’t the way IT consumes products. That said, I believe that Cisco, EMC, and VMware could be very successful with Vblocks and their other new initiatives in the broad public sector space because:
* The Federal government is ga-ga over cloud computing. Since early this year, we’ve seen the feds allocate money for cloud initiatives, propose that GSA offer cloud services, and task NIST with developing cloud standards. Federal CIO Vivek Kundra can’t speak often enough about cloud computing’s potential. Sensing an emerging trend, many federal integrators like Lockheed Martin, SAIC, and Unisys are building their own clouds believing that Federal agencies will soon buy capacity and services. Cisco, EMC, and VMware should be all over every cloud effort inside the beltway.
* Governments are modernizing IT. Federal, state, and local governments are actively consolidating data centers, replacing legacy systems, and adopting virtualization technology as a foundation. Case in point, the Commonwealth of MA released its “IT Strategy for the Commonwealth 2009-2011” plan in 2008. The plan calls for the Commonwealth to create “a robust, agile enterprise IT architecture, shared services and applications, and common, effective management practices.” As part of this, MA will consolidate down to 2 data centers, one of which will be a brand new facility in Holyoke. Seems to me that a massive and somewhat green-field opportunity is a perfect target for Vblocks.
* Governments are already onboard. Kundra already selected Google Apps for Washington DC at his previous job, and just last week the City of Los Angeles decided to abandon its own email system in favor of Gmail. These aren’t pure-play government cloud computing efforts, but they do represent a growing trend. It is likely that more and more service providers will develop specific SaaS applications for the public sector, and they will need servers, networks, storage, and virtualization when they do.
The common theme here is that net-new infrastructure presents the biggest short term opportunity for Cisco, EMC, and VMware and that a lot of this activity is occurring in the public sector. This trend will only accelerate as more stimulus dollars flow to IT projects and/or some type of healthcare reform legislation gets passed.
Cisco, EMC, and VMware are leading enterprise companies but so are competitors like HP and IBM. What’s more, technology migration is always ugly. Yes, these three must enter these knife fights together but a public-sector push may be more fruitful while the private sector sorts out this whole nebulous cloud thing over time.
Tags: Cisco Systems, Cloud Computing, EMC, Federal Government, Google, GSA, HP, IBM, Los Angeles, NIST, Vivek Kundra, VMware