Since the CIO.gov site is down for maintenance I wanted to help spread the word on this new document, the Federal Cloud Computing Strategy.
I hate to say this, but I have not read it myself yet!
But I have read everything else Federal CIO Vivek Kundra has had a hand in publishing and I know this will be important for us all to read and digest and thought you might want an early look.
Please stay in touch, I’ll publish comments later (and please, after you have given it a look, let me know what you think).
Download it here: Federal Cloud Computing Strategy
Thanks, Bob. Eager to read this. And I agree, that “maintenance” page is a bit odd.
It really is great to see this coming down from the Fed level. It helps to make the case for state agencies that want to move to cloud infrastructures but have a state system that is putting up road blocks keeping them locked into legacy apps. I also like it for another reason… Appendix 2 has a Successful Case Studies link to:
http://www.info.apps.gov/sites/default/files/StateOfCloudComputingReport-FINALv3_508.pdf in which NM had a story.
Like James, I found Appendix 2 to be the most valuable resource in the paper. It’s well done – the one flaw is there really is not much discussion around the merits of the very different models – private, community, public and hybrid. And on the security front, the NIST’s paper from last week is much more aggressive in pointing out drawbacks. The benefits of platform strength are cited without the converse, that the more data is standardized and collected in one place, the more attractive it is to attackers. There is a reason Windows is more vulnerable to attacks.
Adriel, you make a great point and one I have given a lot of thought to. I think one thing we are not doing well is encrypting the confidential stuff all the time. Home shop servers are just as vulnerable, maybe more so, as cloud systems and no one thinks about encryption until the files are going to move out of the network. The cloud systems are your network even though you don’t run the server, and if one wants to make it as secure as possible it is going to take some responsibility on the data owner’s behalf. However, I will point out that some cloud providers like ours have at-rest encryption already in place for us. If I wanted to go off the deep end and add even a simple file encryption on top of that there is just no way the data is going to be compromised. The important thing to remember is that there is a balance: too little security and you have unexpected disclosure, too much and the data will not be used due to inefficiency. It really depends on what damages will incur and that is something only the data owner can weigh.
The ongoing subtext in the NIST security paper is that cloud is at the heart of the matter a risk management exercise. Much government data is much less important than the kind of info banks and payment services deal with on a routine basis – just the trust in gov’t not to screw up is greater. Interesting times, as they always are 😉