Federal IT Security Incidents: Is Solution in The Cloud?
By Tony Kontzer
With federal agencies facing mandates to get cloud solutions in place, an important question has arisen: Will agencies be more or less secure in the cloud than they've been with on-premise systems?
The brutal truth is that it would be tough for the Feds to be less secure, given an October report from the Government Accountability Office indicating that security incidents at federal agencies have increased by an eye-popping 650 percent in the past five years. That security incidents were on the rise during that time is no surprise, as IT security has been an area of growing concern for corporations, nonprofits and government entities alike during that period. But, 650 percent? That's not a security hole--it's a mushroom cloud.
As the ink was drying on the GAO's report, Department of Homeland Security CIO Richard Spires appeared in early October before the House Homeland Security subcommittee on cybersecurity, infrastructure protection and security technologies to discuss his agency's progress in the cloud. Subcommittee members made clear that they want assurances that any IT cost reductions resulting from a move to the cloud aren't accompanied by increased security risks.
"In spite of this projected IT savings, we cannot ignore our responsibilities as members of this cybersecurity subcommittee to ensure that government information will be secure in the cloud," said Chairman Dan Lungren (D-Calif.).
Spires argued that the move to the cloud is inevitable, and assured Lungren that DHS is taking every precaution to reduce any additional security exposure as it makes the transition, most notably by keeping sensitive data in private cloud environments while using less sensitive data in experimenting with public clouds.
"As we have more and more comfort over time that public cloud services can provide the security levels and continuous monitoring capabilities that we need, we would look then over time to start to relax that criteria, or shift it, so that more sensitive data would be able to be moved into the public cloud," Spires said.
In light of the shocking rise of security incidents at federal agencies, it seems important to point out that public cloud vendors are highly motivated to make security a top priority, lest they lose the faith of their customers. As nearly every CIO I've spoken with in recent months has pointed out: IT departments can't possibly devote the kind of time and money to security that public cloud providers do. And while there are certainly risks in the public cloud, it's highly unlikely there will be any reports about a 650 percent rise in security incidents among public cloud services.
If there is such a report, then all the cloud naysayers will get to have the last laugh. Until that unlikely occurrence, the answer for the Feds seems clear: Your security measures appear to be increasingly vulnerable, so why not embrace the new computing paradigm? From where I sit, there's nowhere to go but up. Into the cloud, that is.