The benefits of cloud computing over traditional enterprise IT systems and applications are well-publicized.
First, there is the promise of lower total cost of ownership since users basically only pay for what they use and are not burdened with paying for idle time. Then, there is also the benefit of immediate provisioning across an enterprise since there is little or nothing that needs to be deployed to the desktops. There are even arguments that enterprises will be more secure because security will be consistent across the enterprise. More consistent perhaps, but will it be more secure?
It is almost as if two opposite forces are tugging at cloud computing: the attractiveness of cost savings is offset by arguments that cloud computing presents some serious security concerns. At the heart of those concerns is the need for enterprises to meet regulatory compliance requirements and to be able to assess risk. The lack of transparency and control over cloud computing resources makes IT security managers nervous. Today, IT managers understand how to meet SOX, GLBA and HIPAA compliance requirements.
They are able to conduct audits on their infrastructure, platforms, personnel, applications and data. They can describe the threats to their organization, conduct risk assessments and implement mitigation strategies. Cloud computing presents a paradigm that does not fit well into the traditional GRC models, and it is thus a subject of concern.
Concerns come from a lack of confidence. The argument that cloud computing systems could be more secure than traditional IT systems assumes that customers who would use Google Apps or Amazon Web Services have more confidence that Google and Amazon would do a better job of securing those systems than the customers themselves would. They have more confidence in Google and Amazon to “do the right things” to secure their systems and networks. Confidence, however, is more than just “doing the right things”; it is also PROVING that you are doing the right things. It was recently reported that Google is trying to get FISMA accreditation of its services to prove that its systems meet government standards, presumably at the request of the General Services Administration (GSA). Given that the GSA is responsible for the Federal government’s “SmartBUY” program, this is probably a good move by Google. GSA approval would presumably allow any Federal agency to purchase Google’s cloud services without further certification or accreditation.
What does FISMA (i.e. NIST SP 800-37 and SP 800-53) compliance mean to Google and to other (non-Federal) customers? To expedite the proliferation of cloud services, the GSA is saying that its accreditation of cloud services is good enough for all Federal agencies. The GSA thereby implies that it understands the types and levels of risk for all agencies and can assess cloud services to determine an acceptable level of risk. FISMA compliance should give Federal customers some sense that Google Apps meets the same acceptance criteria as any other system in the government. Extending this way of thinking beyond the Federal government, would you trust the GSA to understand your enterprise’s risks?
That’s a rhetorical question, I reckon, given the state of faith in our bureaucracy. Schmidt has himself in a unique position, though, and this makes Google look well positioned to become the next AT&T or IBM from the fifties. I realize their market caps are in the same range, but this will give them ‘money printing’ access.