In the world of computing, clouds have always served a metaphorical – almost mystical role. They have been used traditionally to represent the Internet in a networked environment in diagramming and mapping operations.
Today, there is a new development – “cloud computing.” What is the cloud? The cloud model represents nothing less than a fundamental change to the economics of computing and the location of computing resources. With the growth in Internet usage, the proliferation of mobile devices, and the need for energy and processing efficiency, the stage has been set for a different computing model.
There has been a suggestion to define the concept using the name “cloud” as an acronym, standing for computing that is: “Common, Location-independent, Online, Utility that is available on-Demand.” The term “cloud computing” has at its core a common element – in that with the cloud model, computing services are delivered over the Internet, on demand, from a remote location, rather than residing on one’s desktop, laptop, mobile device, or even your own organization’s servers. For an organization, this would mean that for a set or variable, usage-based fee – or even possibly for free, it would contract with a provider to deliver applications, computing power and storage via the Web. The cloud can take on various forms, including: SaaS (Software as a Service), PaaS (Platform as a Service), and IaaS (Infrastructure as a Service).
The basic idea behind cloud computing is that anything that could be done in computing – whether on an individual PC or in a corporate data center – from storing data to communicating via email to collaborating on documents or crunching numbers on large data sets – can be shifted to the cloud. Certainly, one of the hallmarks of cloud computing is that it enables users to interact with systems, data, and each other in a manner that minimizes the need to be concerned about the underlying technology. According to the Cloud Computing Manifesto: “The key characteristics of the cloud are the ability to scale and provision computing power dynamically in a cost efficient way and the ability of the consumer (end user, organization or IT staff) to make the most of that power without having to manage the underlying complexity of the technology.”
The Growth of the Cloud
Global IT spending hit .4 trillion in 2008, although the aggregate total is expected to decline for the first time since 2001 in the current year – and perhaps for 2010 as well. Indeed, across the private sector, IT spending is under fire. In fact, due to the interrelated impacts of the recession and the credit crisis, capital budgeting and credit availability for large IT projects has declined significantly. Thus, the only areas of IT that are growing in the wake of the economic crisis are outsourced IT and IT services. Additionally, as new entrants, many of them tied to cloud services, enter the marketplace, the prices for outsourced IT are likely to decline over the next few years as competition intensifies between larger, entrenched competitors and these upstart firms.
Roughly ten percent of the approximately billion spent on business applications worldwide in 2008 was spent on cloud computing applications. Many analysts, including Gartner, project growth rates for cloud computing in excess of 20% or more for years to come. The growth rate over the next few years could be as high as 30%, with analysts estimating that the global market for cloud computing services could reach billion by 2012. Gartner sees the cloud computing marketplace as an even larger market, and it predicts that the market for cloud services already surpasses billion today, and that it will grow to over 0 billion annually by 2013.
Why cloud – and why now? According to the results of the 2009 Cloud Computing Survey, surveying over 500 IT decision-makers, the shift to cloud computing can be seen as organizations are increasingly relying on new technologies to cut their IT procurement costs, but not their IT organization’s functionality. Cloud computing is also by no means an “all or nothing” proposition. Indeed, it has been seen in practice that cloud involvement often starts when organizations initially use cloud resources for part of their non-mission-critical applications or as resources for test projects.
Cloud Computing and Government IT
Many analysts believe that the present economic situation – and its resulting financial strain placed on governments – will only serve to accelerate the adoption of cloud computing in the public sector. This is due to cloud computing’s ROI. Indeed, the benefits are so large that IT organizations have been willing—eager, even—to tolerate the challenges that accompany the technology. Indeed, a July 2009 Computerworld report found that the larger the organization, the greater the likelihood that it would be engaged in using cloud computing.
The economy and the resulting tightness of all governmental budgets – on every level – may indeed speed and heighten the rise of cloud computing. In this budgetary context, the forecast impact of cloud computing on just the U.S. federal government’s IT spending is certainly eye-opening. The public sector market analyst firm, INPUT recently projected that over the next five years, overall federal IT spending will grow at a compound annual rate of 3.5%, reaching billion by 2014. INPUT forecasts that federal cloud computing-related spending will grow almost eight times as fast, with a growth rate of approximately 30% annually over the same time frame. According to INPUT’s projections, federal spending on cloud computing services will triple over the next five years, growing from 7 million in 2008 to 2 million annually by 2013. This would mean that by 2014, over billion of the federal IT budget would be devoted to cloud computing. Projections from Market Research Media are even more optimistic, saying that cloud computing represents “a fundamental re-examination of investments in technology infrastructure.” Their market analysis projects a 40% CAGR (compound annual growth rate) for cloud computing spending in the federal sector and predicts that cloud spending will top billion annually by 2015.
While there are many significant positives to be gained by the increasing use of cloud computing, the shift raises a whole host of security concerns as well. This article explores the security issues facing public sector IT leaders as they consider shifting increasing data and computing applications to cloud providers.
SECURITY CONCERNS FOR PUBLIC SECTOR IT
Security is indeed a significant issue facing IT executives as they consider shifting data and processing to cloud providers. One of the principal concerns about cloud computing is the reliability question, and this is certainly a case where when a tree falls (i.e. an outage occurs), everyone hears the sound. Unfortunately, worries over cloud reliability and availability – or specifically, the lack thereof when such instances arise – are not just theoretical. There have been well-publicized outages of many of the most popular public cloud services, including Gmail and GoogleApps, Apple’s MobileMe service, and Amazon’s S3 cloud service. When service disruptions do occur, these events tend to paint all cloud services with a broad brush. As one observer characterized the September 2009 Gmail outage: “E-mail is a mission-critical application for business users — period. If customers perceive that Gmail isn’t reliable, they won’t adopt it. Every Gmail outage makes companies think twice before adopting the free e-mail solution.” Indeed, the security of cloud computing is an issue that will inevitably “blow-up” each time data breaches occur in cloud offerings and hit the media. And, as once commentator astutely pointed-out, when cloud service outages or inaccessibility occur, “most of the risk and blame if something goes wrong will fall directly on the shoulders of IT — and not on the cloud computing service providers.”
When a cloud provider sees a data breach or service failure occur, this calls into question the efficacy of storing files and information online, causing huge security concerns for all affected users and not just the target cloud provider, but indeed, the whole cloud computing universe, which could be painted with a broad brush in such security matters. Yet, as one computer security analyst recently observed, “Perfect security on the cloud is an illusory goal…and the vulnerabilities of the cloud will have to be weighed against (its) benefits.” Indeed, many security experts believe that the notion of putting more data and more applications on the Internet via the cloud model could present vast new opportunities for criminal activity through identity theft and misappropriating intellectual property, hacking, and other forms of malicious activities.
The degree to which any organization engages in cloud computing – whether outside or inside its own “four-wall” environment – will certainly depend on its need for security. Yet, some will see the risks of moving data outside their own four walls too great to ever consider a cloud-based option. For private sector IT executives, there is a reluctance to shift core, mission-critical data storage or applications to public cloud environments, even if the cost savings and efficiency arguments are there, over concerns about the reliability and security of cloud offerings. Take for instance the case of the Princeton, New Jersey-based Educational Testing Service (ETS), which administers the SAT and other standardized tests. While ETS uses SaaS platforms for non-core functions, the firm’s CIO, Daniel Wakeman, recently expressed his reluctance to shift data storage and processing for the tests themselves to a cloud environment. This is in spite of the fact that due to the highly cyclical nature of test administrations, scoring, and reporting around specific testing schedules throughout the year, ETS has an average server utilization rate of just around eight percent, making the firm a prime candidate for acquiring computing resources on-demand. Wakeman simply stated that due to security issues which have yet to be worked-out in what he and other perceive to be an “immature market,” ETS will monitor developments in the cloud marketplace and “not (be) putting anything up there that we really care about.”
The security debate is perhaps even more intense when it comes to public sector IT. Take for instance the stance of Chiu Sai-ming, who serves as the Chief Assessor at Hong Kong’s Inland Revenue Department. While Mr. Sai-ming believes it vital to take advantage of new technologies, he believes that the very notion of housing taxpayer data outside of his ministry is “out of the question.” Many in public sector IT will echo the concerns expressed by Ray Roxas-Chua, who serves as the Chairman of the Commission on Information and Communications Technology (CICT) for the Government of the Philippines. Cabinet Minister Roxas-Chua recently stated that: “The ‘inherent risks’ of cloud computing need to be addressed before government embraces it is a viable way of managing information.”
Certainly, how to make cloud computing secure is one of the biggest issues for making it viable for the federal government – or for any government agency. As with prior shifts in information technology with the advent of the Internet and the Web, the introduction of e-mail, and the explosion of social media, their growth and adoption rates have been slowed by initial fears – some justified and some very unjustified – over security concerns and the loss of control over data and operations. Certainly, privacy and security questions will need to be addressed as public data and applications move into a cloud environment. As Adrienne Thomas, who is the Acting Archivist of the United States, plainly stated recently “It’s a very big issue for government in terms of someone else to have control of our stuff.” Yet, as Arun Gupta observed, in order to succeed today, “You have to have the confidence to say, ‘I don’t need to control everything.’ That’s very much a Web 2.0 mentality.” Linda Cureton, NASA’S CIO, urged IT decision-makers in government that it is imperative when considering a cloud-shift: “Don’t confuse control and ownership with security and viability.”
The widely-held perception that cloud computing and SaaS applications are less secure and less reliable than applications housed on an organization’s own network appears to be nothing less than a “myth.” Indeed, cloud offerings may be significantly more reliable that an organization’s internal offerings. The difference is that when a company’s email server crashes or a power outage disrupts operations at its data center, these internal failings do not make media headlines, as is the case anytime there is an outage or data breach with a Google, an Apple, or an Amazon cloud offering. Indeed, large-scale cloud providers are often-times more secure than a government agency’s or private sector company’s internal IT operations simply because they have the “talent, resources and focus” that their customers – and their smaller counterparts – do not have. Still, IT executives stridently believe that their own, hosted systems are far more secure than cloud-based resources, and public sector IT managers stridently believe that their internal operations are more secure than a private sector vendor could provide.
One public sector expert recently characterized the need to retain control and protection of sensitive, private data – in an age of information sharing – the “Catch-22” for government IT in regards to cloud computing. However, Ron Ross, NIST’s Director of Security, observed that it is important to consider the sensitivity of the data in question and develop and employ “a range of security controls (that) will be appropriate for differing levels of data sensitivity.” Data security questions then are dependent on the nature and sensitivity of the data involved. Major Larry Dillard, a program manager in the Army’s Office of the Chief Marketing Officer, recently commented on overcoming the security concerns of his superior by stating: “All data is not created equal…(and) all the challenges we’ve faced have been self-imposed. We’re not putting nuclear launch codes on Salesforce.com, we’re putting the street addresses of 17-year-olds.”
One of the complicating factors in the shift to a cloud computing environment will be federal requirements for agencies to certify the security of their IT contractors’ systems – with no cloud-specific security standards in place. From the perspective of NIST’s Peter Mell: “Compliance is going to be tricky in the cloud space for several reasons, but one reason is that clouds are likely to use new security technologies that aren’t well understood or widely adopted, and that will make it difficult to prove the required level of security to auditors and to authorizing officials.” Some have questioned whether the federal government would be precluded – from a regulatory standpoint – from using cloud-based services for such reasons. In fact, it has been commented that: “For many agency applications, stringent compliance requirements in areas such as privacy, financial controls, and health information will preclude use of public clouds, regardless of the actual security controls of the provider.” Analysts have already voiced concern that cloud providers methods of logging activities and document reads/access are presently insufficient for meeting the needs of government agencies to assure their compliance through audit controls.
Analysts have stated that one of the benefits for small companies is that they may, in fact, be able to raise the level of their computing security by moving more data and applications to the cloud. This is simply because cloud providers will have more resources to spend on security for their operations than most individual firms. Plus, their investments in security can be spread over their entire present – and prospective – clients (perhaps hundreds or thousands of firms), producing far greater results in improving computer security than individual firm’s investments in such efforts. The same principle will hold true for government clients as well, especially those at the state and local levels. Yet, analysts have said that this may also be true even at the federal level, as large cloud providers – whose business depends on secure operations – may provide better security than internal federal operations.
What are the other benefits of cloud computing in the security area? One of the best ways to improve security is to have a single-point of access, controlled by the organization, and mandating users follow their procedures and policies for access privileges. However, while such access controls return power to the client, they may well serve to defeat some of the robust advantages for remote access fundamental to the cloud computing model. A recent study from researchers at the University of Michigan showed that by shifting virus protection from individual PCs to the cloud that connected them by raising the level of protection to the network, significantly improving the ability of antivirus software to detect viruses and malware.
Cloud computing is also a relatively quick and easy solution to the significant problem of laptop theft, which poses a very real, intransigent security and financial headache for IT managers. This is because should a user lose his or her laptop, there would be no security threat, simply because the data would reside in the cloud, rather than on the machine itself. In fact, some have said this would actually mean that cloud storage would increase security for the federal government by reducing the security risk inherent with the hundreds of thousands of laptops in employee possession both inside and outside of federal facilities.
Cloud providers have been characterized as addressing such security concerns by going “over the top” with their physical and data security measures. For instance, SaaS-provider Salesforce.com’s data center employs “five levels of biometric hand geometry scanners and even ‘man trap’ cages designed to spring on those without the proper clearances.” This is evidence that cloud providers are very much aware of and attune to both their clients’ concerns in the security area and the legal and regulatory risks that are being taken on by both the client and their firm by accepting a sizable portion of the client’s IT operations.
There are signs that there is some backlash against cloud providers to improve their security safeguards and practices. For instance, in response to a data breach that occurred with Google Docs, The Electronic Privacy Information Center (EPIC) asked the Federal Trade Commission (FTC) to investigate Google’s privacy and security measures for Gmail and Google Apps. Likewise, the Constitution Project, concerned that a user’s personal information has weaker privacy protections in the cloud than when contained on a single device, has called for the cloud computing industry to set privacy standards and for the Congress to examine the privacy issues as well.
And for the concerns about security and privacy, centralizing operations in a cloud environment may not just make computing more secure, but make compliance easier – and cheaper – as well. From the viewpoint of Federal CIO Vivek Kundra, “When you look at security, it’s easier to secure when you concentrate things than when you distribute them across the government.”
Yet, as Bernard Golden recently observed, those who view cloud computing as too risky may be “overly optimistic” in their view on how well there own security and risk management efforts work – both in reality and in comparison to the cloud model. He remarked that: “This attitude reflects a common human condition: underestimating the risks associated with current conditions while overestimating the risks of something new. However, criticizing cloud computing as incapable of supporting risk management while overlooking current risk management shortcomings doesn’t really help, and can make the person criticizing look reactive rather than reflective.”
As ever-greater amounts of governmental and private sector firms’ work is shifted to cloud computing, could this shift in the locus of computation indeed be creating a national security risk? Ruven Cohen noted that: “Cyber-threats against the country and the government are growing exponentially, and the desire to connect agencies and make government open, transparent and interoperable makes it easier for hackers to carry out their attacks — (thus) will openness and interoperability make us as a nation less secure?” He went on to note that government will have significant interest in protecting cloud resources for the private sector and individuals as well, noting the huge economic impact and disruption that can occur if a major cloud resource, such as Gmail, were to go down for an extended period of time or be lost forever. Such risks are not without precedent, as the government of Estonia was hit by a well-coordinated denial-of-service attack – suspected to be Russian in origin – during a period of tension between the two nations in 2007, and just this summer, several agencies in the U.S. government and sites in South Korea were cyberattacked by what was widely believed to be a scheme conducted by the North Korean government. Such a risk has led Nicholas Carr, author of The Big Switch, to label this as the threat of a “Cold War 2.0” – and it is certainly an area where federal policymakers need to be concerned.
Security is undoubtedly a hard metric to quantify. And, all too often, the IT community has a somewhat damaging tendency to treating all risks – whatever the real nature of them – as the very worst case scenario and not judging the true impact – and likelihood – of their occurrence.
Analogies have been drawn between the advent of cloud computing today with the introduction of wireless technologies a decade ago. As Ron Ross, NIST’s Director of Security recently observed, “When wireless came along, we didn’t really know a lot about how to protect it, but we developed that understanding as we went forward, and now we do a pretty good job of protecting wireless.” However, Wyatt Kash recently warned that the shift to cloud computing could be slowed by what he termed as “a darker cloud of Internet security vulnerabilities.” John Garing, who serves as the CIO and Director of Strategic Planning for the Defense Information Systems Agency (DISA), characterized the cloud computing security dilemma as the classic case of the “irresistible force versus immovable object,” where “the irresistible force is the incredible thirst for collaboration and information-sharing that Web 2.0 tools and many young people have brought on board and the immovable object is security.”
It is likely that governments at all levels will be a significant part of the cloud computing market, as the inherent advantages of cloud models, combined with economic pressures, will drive more and more IT procurement to cloud-based resources. As the cloud model advances, it will be incumbent on government IT leaders – and well as vendor executives – to be mindful of the unique security challenges facing the public sector use of cloud computing resources. Certainly, there are a whole host of legal, privacy and workforce issues that will need to be dealt with as well. Thus, the governmental IT marketplace will be an important focus for much activity – and discussion – for the next decade.
David C. Wyld (email@example.com) is the Robert Maurin Professor of Management at Southeastern Louisiana University in Hammond, Louisiana. He is a management consultant, researcher/writer, and executive educator. His blog, Wyld About Business, can be viewed at http://wyld-business.blogspot.com/. He also serves as the Director of the Reverse Auction Research Center (http://reverseauctionresearch.blogspot.com/), a hub of research and news in the expanding world of competitive bidding. Dr. Wyld also maintains compilations of works he has helped his students to turn into editorially-reviewed publications at the following sites:
Management Concepts (http://toptenmanagement.blogspot.com/)
Travel and International Foods (http://wyld-about-food.blogspot.com/).
Written by David Wyld
Professor of Management, Southeastern Louisiana University