Cloud computing Archives

Corporate IT Pros are Skeptical of the Cloud, but Feds March On

While the Obama administration hurries to save billions of dollars by moving federal computing online, a new study shows that few information technology managers at leading-edge companies believe Internet "cloud" storage is as secure as in-house data centers.

One third of private-sector IT practitioners questioned by the Ponemon Institute believe so-called infrastructure-as-a-service providers protect e-mail, documents and other business data as well as on-site data centers. The administration aims to wind down many of the government's more than 2,000 computer warehouses to save $5 billion, largely by outsourcing the computer processing to Web services providers, like Amazon.

Interestingly, in the business survey, a larger percentage, 50 percent, of the folks paid to worry about security and privacy safeguards -- compliance officers -- believe the cloud offers equivalent protections.

The independent survey of 1,018 professionals, including about 600 IT managers and 400 compliance supervisors, was sponsored by data security firm Vormetric. All respondents were familiar with the principles of cloud computing.

"The findings reveal the gulf between those working in IT and those in compliance about service provider controls, top security measures and roles and responsibilities," the report states. "The study's goal is to learn how organizations resolve (or fail to resolve) the tradeoff between cloud efficiencies and IT security."

A new roadmap from the National Institute of Standards and Technology, highly anticipated within Washington contracting circles, defines IaaS as an online product that provides the customer with a complete computer processing environment. The cloud standards, which were released on Tuesday, explain that the consumer does not have the power to control the underlying networks, but can manage operating systems, storage and software programs.

Cloud Industry Devising Privacy Standards for Mobile Apps

In a move to discourage government regulation, a major cloud software association will partner with privacy groups and social media sites to establish protections for smartphone apps.

The 500-member Software and Information Industry Association announced on Thursday that it has joined a nonprofit working group to formulate industry standards for developing apps in a way that safeguards personal data. Cloud computing, a means of accessing information technology resources over the Internet, and mobile computing operate similarly. And, often, cloud software is more geared toward mobile devices than workstations.

"We can focus the software industry's attention on doing the right thing to protect personal information and to ensure continued growth and innovation in the mobile marketplace," SIIA Vice President Mark MacCarthy said of the group organized by The Future of Privacy Forum, in a statement. "We are joining this effort out of the conviction that the industry does not need government regulation to move us in the direction of providing a trusted environment for our users."

Agencies Look to the Cloud for Help with Digital ID Requirement

Some agencies are turning to cloud computing providers to fulfill a requirement that they install smart card readers on all federal facilities by October.

The Obama administration recently clamped down on enforcement of the 2004 Homeland Security Presidential Directive 12 that requires federal employees and contractors possess IDs embedded with digital fingerprints and photos to access government buildings and networks.

Many agencies only ask that staff show the badges, rather than taking the time and money to activate the electronic features of the cards. February regulations imposed an Oct. 1 deadline for mounting digital readers -- with a financial penalty for failing to comply.

ADT Security Services and Brivo Systems, a web-based software provider, announced this week that they have jointly outfitted five buildings in Detroit and Chicago with an access control system that officials can monitor through the Internet, or the "cloud." About 8,000 employees from roughly 50 federal agencies work in the facilities, according to the two companies.

Agencies are under pressure to outsource hardware and software services to the cloud, as the administration has set a goal of phasing out about 40 percent of the federal government's 2,100 cost-consuming in-house data centers by 2015.

ADT and Brivo began the initiative in downtown Detroit with the McNamara Federal Building, which houses offices for the Internal Revenue Service and the Social Security Administration, among other agencies.

The Detroit facility and four other buildings in the Chicago area, which are operated by the General Services Administration, now have card readers at 55 access points.

"This platform allows the GSA to take full advantage of an infinitely scalable cloud solution in the future," John Szczygiel, Brivo's executive vice president said in a statement.

The Legal Maneuverings of Leakers and Governments

WikiLeaks is ushering in an era of "globalization of citizen oversight" in which whistleblowers, leakers and publishers are so scattered across the globe that governments are in a conundrum finding the right legal tools to address these leaks, said new media expert Clay Shirky, at a panel on WikiLeaks organized by the advocacy group Personal Democracy Forum on Jan. 25 at New York University.

Leakers can sidestep legal processes in their home countries by wading into murky legal waters of leaking to international organizations. "If you want to leak, do not do it to a member of press that is same nationality as you," said Shirky.

The so-called "Palestine Papers," leaked documents revealing the role of British intelligence in a crackdown on the Islamist movement Hamas, shared between Qatar-based al-Jazeera TV and the UK-based Guardian on Jan. 25, illustrate a shifting landscape in which partnerships between whistleblowers and international journalism outlets will make it more difficult for governments to clamp down on leakers without causing a diplomatic backlash.

As governments struggle to find laws to prevent sensitive data from being transmitted, one way federal agencies have tried to circumvent legal processes has been by putting pressure on corporations supporting WikiLeaks.

When Amazon knocked WikiLeaks off its hosting services in December, it tried to deflect speculation that it had been pushed into doing so. We're not reacting to a government inquiry, Amazon claimed; we're just ejecting a party that violated our terms of service by publishing injurious material that was not theirs to publish.

"Disingenuous," said PayPal founder Peter Thiel, at a panel entitled "WikiLeaks: Why It Matters. Why It Doesn't." that was organized by the Silicon Valley forum, the Churchill Club, on Jan. 20 in Santa Clara, Calif. Wasn't the real reason why Amazon ejected WikiLeaks "the power of the state in the background?" Thiel pressed. PayPal confessed that it pulled the plug on supporting WikiLeaks after the State Department officially informed it that WikiLeaks was illegal.

Senator Joseph Lieberman, who publicly praised Amazon for dropping WikiLeaks, was "one of the few intellectually honest actors" in this game, Shirky said at the Churchill Club panel.

Twitter will be taking action in "the next couple of days" after the Department of Justice issued an order for information from WikiLeaks supporters, Birgitta Jonsdottir said over Skype yesterday to the NYU panel. Jonsdottir, an Icelandic Member of Parliament formerly involved in WikiLeaks, was named in the subpoena. She did not attend the event in person because she had been advised not to travel into the U.S.

Leahy Sets Cyber Privacy Agenda

Sen. Patrick Leahy, chairman of the Judiciary Committee, on Tuesday unveiled an ambitious agenda for changing the country's privacy laws to keep pace with the digital age.

The committee will continue where it left off last session in revising the 1986 Electronic Communications Privacy Act to balance law enforcement's need to probe online messages with citizens' right to privacy. In addition, members will examine full-body screening at airports and the tracking of Americans' online activities by marketers and other third-party data aggregators. The various measures are expected to complement a comprehensive cybersecurity bill that several agencies are collaborating on this Congress.

"The last decade has encroached on Americans' privacy as has no other decade in our history," said Leahy, D-Vt., in remarks presented at the Newseum in Washington DC. "The imperative of security, the proliferation of databases and the spawning of interactive social media have combined to flatten Americans' earlier expectations about having the choice to be left alone."

And the committee will revisit the 1994 Communications Assistance for Law Enforcement Act (CALEA), which requires telecommunications carriers and equipment manufacturers to design their products in a way that allows law enforcement agencies to conduct necessary electronic monitoring. "When I wrote that law in the early '90s, no one could have contemplated the technological leaps and bounds that have burst onto the scene in the two decades since then," Leahy said. "Updating this law will require careful consideration of Americans' privacy rights, as well as the legitimate needs of the law enforcement community to gather valuable, court-ordered surveillance information to keep the nation safe."

The committee also must extend certain parts of the USA PATRIOT Act that are set to expire next month, he said. The three provisions grant the government the ability to use roving wiretaps to trace the communications of suspects; obtain special court orders forcing businesses to turn over evidence; and conduct surveillance on a "lone wolf," somebody not knowingly associated with terrorists.

FedRAMP May Be Slow to Ramp Up

FedRAMP, the new program intended to accelerate security approvals of so-called cloud applications, may take a while to get off the ground, according to several federal chief information officers.

The General Services Administration on Nov. 2 issued a single list of cybersecurity requirements that contractors and all agencies eventually will be able to use for deploying cloud computing services. FedRAMP is aimed at doing away with redundant efforts at every agency to assess cloud products -- typically hosting services, software and data storage that companies provide to computer users via the Net.

Later in the week, at a meeting with a federal board that advises the National Institute of Standards and Technology, GSA CIO Casey Coleman and Justice Department CIO Vance Hitch hesitated to address the schedule for finalizing the program's procedures.

After a few seconds of silence, Coleman said: "Seeing as how everything is ultimately political in nature, it will depend upon the timing that works for the administration with other competing priorities. And political only in the sense of the timing has to work for the administration."

Hitch noted that the proposed specifications must be vetted by a large group of stakeholders, including privacy advocates, vendors and agencies, and then tweaked before the program starts.

He said White House Cyber Czar Howard Schmidt told him that the Obama administration is shooting for January.

"I can't predict exactly when this is going to go forward," Hitch said. "I'm leery of dates given to the sensitivity of it."

Consider Cloud Computing Consequences

As agencies move to cloud computing - accessing basic computing services and applications over the Internet - some unforeseen consequences will occur. The Office of Management and Budget and the CIO Council want to head them off before they become serious.

Case in point: Private information could be compromised when a cloud computing provider changes its terms and policies without notifying clients (like an agency), a common provision included in providers' agreements with customers, Federal News Radio reported on Tuesday. If that happens, the public's personally identifiable information could be exposed.

The warning is included in a document the council released on Aug. 19 outlining risks agencies should consider when pursuing cloud services - and should make provisions to mitigate. Other risks include (CCP stands for cloud computing provider):

1. The data could become an asset in bankruptcy, particularly if the Terms of Service or contract do not include retention limits.

2. Depending on the location of the CCP's servers or data centers, the CCP might allow or be required to permit certain local or foreign law enforcement authorities to search its data pursuant to a court order, subpoena, or informal request that would not meet the standards of the Privacy Act of 1974.

3. The individual providing the information has no notice that explains that his or her information is being stored on a server not owned or controlled by the U.S. Government. Thus, when the individual person attempts to access his or her data, he or she is unable to do so and is left without proper redress.

4. The data stored by the CCP is breached and the CCP does not inform the government or any of the individuals affected by the incident.

5. The CCP improperly implements Federal security requirements (i.e., finds them cost-prohibitive or cumbersome) and thus inadvertently allows the data it is storing in the cloud to be viewed by unauthorized viewers.

6. The CCP fails to keep access records that allow agencies to conduct audits to determine who has accessed the data.

7. The Federal government cannot access the data to perform necessary audits. The data has been moved to a different country and a different server and the government suffers a loss in reputation and trust.

8. The Federal government fails to keep an up-to-date copy of its data. The CCP accidentally loses all of the government's data and does not have a back up.

It's a good bet that more risks and consequences will be exposed in due time.