Taking security to cloud

In the 1990’s, the Clinton administration ordered that there be an airgap between all government cloud computing and the actual Internet. Their security concerns were that there would be hacking attempts and various cyber security issues in a very concentrated fashion if the main systems were anywhere close to the Internet.

This policy changed over time and many of the people that were involved in the next two administrations have watched as bureau after bureau ended up reporting that someone has breached their systems.

At the same time, cloud computing hosted in the most secure data centres with end-to-end security in place is actually known to be a more secure computing experience for companies and for government agencies. Below are some ways that governments have been processing security considerations with regards to a move into cloud computing.

United States, Los Angeles: The City of Los Angeles decided that there would be significant budgetary savings and security enhancement when they switched all of their employees from local productivity apps to a cloud-based configuration. They worked with their vendor to develop a business case for making the switch and worked through the police department concerns before making the change. There was a lot of public backlash, claims and counterclaims regarding the overall success of the budgetary savings. The one area that no one has complained about since the implementation, however, is the security of the connection. There should be some credit given to the people who created the data centre security that has kept Los Angeles safe and without any data breaches.

The Microsoft initiative: Although Microsoft has taken a lot of heat over the years for its ‘me too’ approach to several types of application, when it comes to working with governments and specifications, they have spent the time and money to create frameworks on several occasions that governments can use to build their own sets of requirements.

What that means for countries that have not started too far down the path of making a decision on which criteria to base their security and cloud computing on is that someone has already done a lot of the research that they will end up doing. Moreover, Microsoft is willing to share that information with those governments in the hopes that it will sway their decision-making towards choosing their platforms and products when they do start their implementations. For larger countries that have already created their own requirements, Microsoft does its best to ensure that their products meet those requirements as any vendor would.

US federal government: With many people already using cloud computing, the US government has experienced break-ins on a very large scale over the past 10 years. Some of the hacking that has occurred is due to its vendors having vulnerabilities that don’t get reported until there is a problem. The emphasis of some departments, like the Pentagon, have been to demand a high level of adherence to requirements and then patch the leak as you go along without hanging the vendor whose implementation caused a problem. It is notable for many people that when the database of all current and former military people, and their medical and psychological records was stolen from a government contractor, it was not a hack, but a car theft in Texas that netted the thieves the dataset.

Just the same, as it was about the third set of tapes lifted from a car in the past decade, it was considered to be pretty bad form for the problem to have happened. The biggest news in government cloud computing is, however, that the US government has become so demanding regarding security that some of its vendors are splitting their companies into two so that they have a separate government business that works exclusively with government clients.

Overall, from the security consideration standpoint of a government, implementing cloud computing will distribute information and opportunity more equitably among its people. Mitigating that by developing and implementing security considerations that actually work remains one of the most difficult tasks that government IT people face.