Federal Cloud Computing Security Requirements
Posted by Aaron Massey on 04 Nov 2010.
This could be rather big news for cloud computing and federal agencies:
The Obama administration on Tuesday proposed a common set of security requirements for cloud computing that all federal agencies and contractors could share. The move is intended to expedite the transition to universal Web-based services by eliminating the need for agencies to assess and authorize every information technology product. During the next decade, the White House wants agencies to shift their IT operations to the cloud — the collective term for software, servers and file storage that users access online on a subscription basis — instead of managing and owning individual, in-house infrastructures.
The Obama administration has some personal experience with the pain of authorizing IT products for official government use. If you remember their campaign, they were widely regarded as being tech-savvy and taking a fast-paced approach to using the latest and greatest to get the job done. Then they got to the White House, and they were told they had to trade their MacBooks for desktop PCs running Windows XP. (Not to mention Obama’s well-publicized Blackberry addiction.) Suffice it to say that there was some difficulty accepting that they had to use particular equipment for security reasons.
The proposal includes two basic changes. First, it changes the current authorization process so that a product only has to be authorized once for government use. Previously, each agency had to authorize products separately. There’s something to be said for avoiding this kind of single point of failure, but it’s possible that other agencies were already using the same infrastructure to make the authorization process easier. In short, a single authorization process is a different set of security tradeoffs, not an unambiguously better approach to security.
Second, the proposal includes provisions to make “all of the security requirements, processes, and templates” publicly available. This is an almost entirely good sentiment. Security depends very heavily, but not exclusively, on avoiding the use of obscurity as a security measure and encouraging heavy scrutinization of security practices. Of course, good sentiments can quickly become “the best intentions” with no real follow-through.