Is Federal Accreditation Enough For Enterprise Cloud Computing?

The benefits of cloud computing over traditional enterprise IT systems and applications are well-publicized.

First, there is the promise of lower total cost of ownership, since users pay only for what they use and are not burdened with paying for idle time. Then there is the benefit of immediate provisioning across an enterprise, since there is little or nothing that needs to be deployed to the desktops. There are even arguments that enterprises will be more secure because security will be consistent across the enterprise. More consistent, perhaps, but will it be more secure?

It is almost as if two opposite forces are tugging at cloud computing: the attractiveness of cost savings is offset by the argument that cloud computing presents some serious security concerns. At the heart of those concerns is the need for enterprises to meet regulatory compliance requirements and to be able to assess risk. The lack of transparency and control over cloud computing resources makes IT security managers nervous. Today, IT managers understand how to meet SOX, GLBA and HIPAA compliance requirements.

They are able to conduct audits on their infrastructure, platforms, personnel, applications and data. They can describe the threats to their organization, conduct risk assessments and implement mitigation strategies. Cloud computing presents a paradigm that does not fit well into the traditional GRC models and is thus a subject of concern.


Concerns come from a lack of confidence. The argument that cloud computing systems could be more secure than traditional IT systems assumes that the customers who would use Google Apps or Amazon Web Services have more confidence that Google and Amazon will do a better job of securing those systems than the customers themselves would. They have more confidence in Google and Amazon to “do the right things” to secure their systems and networks. Confidence, however, is more than just “doing the right things”; it is also PROVING that you are doing the right things. It was recently reported that Google is trying to get FISMA accreditation of its services to prove that its systems meet government standards, presumably at the request of the General Services Administration (GSA). Given that the GSA is responsible for the Federal government’s “SmartBUY” program, this is probably a good move by Google. GSA approval would presumably allow any Federal agency to purchase Google’s cloud services without further certification or accreditation.

What does FISMA (i.e. NIST SP 800-37 and SP 800-53) compliance mean to Google and other (non-Federal) customers? To expedite the proliferation of cloud services, the GSA is saying that its accreditation of cloud services is good enough for all Federal agencies. The GSA thereby implies that it understands the types and levels of risk for all agencies and can assess cloud services to determine an acceptable level of risk. FISMA compliance should give Federal customers some sense that Google Apps meets the same acceptance criteria as any other system in the government. Extending this way of thinking beyond the Federal government, would you trust the GSA to understand your enterprise’s risks?

Wesley Higaki

About Wesley Higaki

As the director of Software Assurance, Wes Higaki coordinated the efforts by Symantec Corporation to certify its products, providing customers additional assurance through independent third-party evaluations. He oversaw all of Symantec's Common Criteria and FIPS-140 certifications. He also manages ICSA and Checkmark testing. Higaki has led a working group through the National Cyber Security Partnership to develop plans to improve the Common Criteria by working with industry and Government. He has been instrumental in assembling the Common Criteria Users’ Forums, an effort to bring Government, customers (commercial and Government), vendors and evaluation labs together to improve the Common Criteria. Higaki has over 25 years of technical and managerial experience in the software industry. He has been with Symantec since the December 2000 acquisition of Axent Technologies, where he was an engineering director. Prior to Axent, Wes worked for over 20 years in R&D at Hewlett-Packard Company, including 7 years at Hewlett-Packard Laboratories. Higaki received a Bachelor of Science degree in mathematics from the University of California, Davis and a Master of Science degree in computer science from the University of Santa Clara.


2 Responses to Is Federal Accreditation Enough For Enterprise Cloud Computing?

  1. hawk, August 14, 2009 at 7:34 am

    That’s a rhetorical question, I reckon, given the state of faith in our bureaucracy. Schmidt has himself in a unique position though and this makes Google look well positioned to become the next AT&T or IBM from the fifties. I realize their market caps are in the same range, but this will give them ‘money printing’ access.

  2. Pingback: Why business owners are turning to cloud computing | Success in 1 Step - Secrets and Practical Success Tips, August 17, 2009

    […] Is Federal Accreditation Enough For Enterprise Cloud Computing … […]
