Government perspective on cloud security


Government on the Ground or to the Cloud: A Security Perspective

Author: Fakhriya Said Al-Zadjali
www.cert.gov.om

The Cloud is one of the current technology trends and buzzwords that vendors and solution providers are trying to push to organizations through various events and workshops. They promise faster setup and running of applications, improved manageability, and scalability. Furthermore, they claim to cut the cost of owning hardware and software assets by switching to an as-a-service model, whether it's Infrastructure as a Service (IaaS), Platform as a Service (PaaS), or Software as a Service (SaaS).

However, at all these showcasing events it is clearly noticeable that none of the vendors is able or willing to address the participants' security concerns, especially those of government organizations, which are required by legislation and law to conform to the rules and policies concerning holding sensitive data outside the country. One such example relevant to Oman is ITA.4.1 Website policy for hosting government digital content within the Sultanate.

The cloud entails several security risks. Being based mainly on a virtualized and shared infrastructure introduces many security concerns. According to Forrester Research, these risks can be grouped into three general areas: Security and Privacy, Compliance, and Legal or Contractual Issues[1].

Government organizations are more reluctant to use the cloud because they need a better understanding of the risks associated with using it. A Ponemon survey finds that while the White House continues to push cloud computing, federal IT managers still worry about security and costs[2].

Furthermore, the absence of guidance, policies, and standards to regulate cloud use is another important factor in its uptake and adoption. While cloud use for government in this region is still under investigation, some other parts of the world are developing or have already developed cloud strategies targeting government. One of the ambitious initiatives is the G-Cloud framework, which is driven by the UK Cabinet Office for government to set up its own cloud computing system. It has been under development for more than two years, with the aim of providing IT services on a 'pay as you go' basis through a Cloud Store. It has a target for 50% of its IT spend to go on cloud services by 2015[3].

The G-Cloud encapsulates the Cabinet Office strategy to cut government cost and achieve large, cross-government economies of scale, while regulating cloud use with policies and standards to minimize security risks. Despite this effort, and not surprisingly, security concerns and lack of understanding still come into play as the main reasons for skepticism about using the G-Cloud services among a large percentage (59%) of UK government IT staff, as revealed by a recent survey[4].

Similarly, the USA government is working on a Federal Cloud Security Program (FedRAMP) aiming to accelerate the adoption of cloud computing and cut security costs[5].

In summary, it is evident from the preceding examples of UK and USA cloud strategies for government that, for cloud to add value, it should be taken up as a nationwide initiative. Government organizations should neither be left alone to take the decision nor be pushed into a new technology that still needs to establish its proper ground and trust through awareness, policies, and standards. On the other hand, vendors and solution providers have to be transparent and responsible with regard to cloud risks when trying to sell cloud-based services to customers.

References:

  1. “Cloud Security Front and Center”. Forrester Research. 2009-11-18. Retrieved 2012-06-10.
  2. “Cloud Security, Costs Concern Federal IT Pros”. InformationWeek. 2012-01-31. Retrieved 2012-06-11.
  3. “GPS launches next G-Cloud procurement”. The Guardian. 2012-05-24. Retrieved 2012-06-11.
  4. “UK government may miss cloud computing targets”. BBC News. 2012-05-17. Retrieved 2012-06-11.
  5. “GSA Details Federal Cloud Security Program”. InformationWeek. 2012-02-08. Retrieved 2012-06-11.