The Field Report
There are 18,000 banking institutions in the U.S., and somebody has to blog about their breaches, concerns and security successes.
Government Information Security Blogs
Cloud's Security Challenge Isn't Just Technical
April 2, 2009 - Eric Chabrow
Comments (1) Read All Posts (254)
"Everybody is very interested in ensuring security," Peter Mell, project lead for the National Institute of Standards and Technology's cloud research team, said in an interview for a forthcoming story I'm researching on federal government cloud computing. "What I see most discussed is security compliance issues. Can I document it, implement it, test it and show that it meets the federal government requirements for the security assistance?"
 |
"Compliance is going to be a little bit tricky in the cloud  |
"Compliance is going to be tricky in the cloud space for several reasons, but one reason is that clouds are likely to use new security technologies that aren't well understood or widely adopted, and that will make it difficult to prove the required level of security to auditors and to authorizing officials," Mell said.
Mell leads a team of four other NIST computer scientists working on cloud computing security guidance. The first of the team's work will be found in an update of NIST Special Publication 800-37: A Security Life Cycle Approach. A draft of the publication should be available in June or July, with the final version published in August, Mell said. Click here to read more about the regulatory challenges agencies face in using cloud computing.
What information security obstacles do you see in implementing cloud computing? Please respond below.
Also, as I continue reporting on cloud computing security, you can help. Let me know of any government cloud computing projects, either those launched or planned. Contact me at echabrow@GovInfoSecurity.com.
 |
 |
 |
 |
|
 |
Once again I am having a head scratching moment reading yet another take on the direction of clouds. I may be inferring this point in the article, but: There is no compelling reason why federal clouds should need to connect unencrypted to the Internet -- unless the specific cloud is intended to serve as G2C, G2B, etc (in a non-gov't only mission). Furthermore, many pundits (and writers) appear to assume that a government cloud will somehow be somewhere other than in government controlled spaces (i.e., it will be a non-organic facility).
I don't buy that. Why? Because it doesn't have to be that way, and frankly all the issues raised as impediments for such implementations go away if you don't do it that way.
Clouds are an evolution in computing strategy. Clouds are made possible by several technologies (notably virtualization) and trends (pervasive bandwidth). Clouds are far more about demand vs resource flexibility, economies derived from centralization and leveraging Internet technologies and recent-computing approaches (web, services, mashups, ...) than they are about eking the last 2 or 5 dollars in cost savings by going to a low cost provider upon whom you then levy cost-structure breaking regulatory and compliance requirements...
Maybe it's just me, but it seems plain as day that the immediate and near term benefits of government adoption of an organic-cloud strategy will result in remarkable savings in IT staff, power, and both capex and opex dollars. That, and better security due to various factors that are left as an exercise for the reader.
I don't buy that. Why? Because it doesn't have to be that way, and frankly all the issues raised as impediments for such implementations go away if you don't do it that way.
Clouds are an evolution in computing strategy. Clouds are made possible by several technologies (notably virtualization) and trends (pervasive bandwidth). Clouds are far more about demand vs resource flexibility, economies derived from centralization and leveraging Internet technologies and recent-computing approaches (web, services, mashups, ...) than they are about eking the last 2 or 5 dollars in cost savings by going to a low cost provider upon whom you then levy cost-structure breaking regulatory and compliance requirements...
Maybe it's just me, but it seems plain as day that the immediate and near term benefits of government adoption of an organic-cloud strategy will result in remarkable savings in IT staff, power, and both capex and opex dollars. That, and better security due to various factors that are left as an exercise for the reader.
Posted by vicwinkler on April 3, 2009 @ 3:02 PM
Latest Tweets & Mentions
Posts By Category
- ACH
- Agencies
- Anti-Money Laundering
- Application Security
- ARRA/HITECH
- ATM
- Audits Investigations Reports
- Authentication
- Bank Secrecy Act
- Banking Today
- Biometrics
- Budgeting & Funding
- Business Continuity & Disaster Recovery
- Check
- CIO Council
- Cloud Computing
- Collaboration & Interagency
- Committees and Testimonies
- Compliance
- Confidence In Banking
- Congress
- Cybersecurity
- Data Loss
- Debit, Credit, Prepaid Cards
- Defense Department
- Electronic Health Records
- Emerging Technology
- Encryption
- Endpoint Security
- Federal Trade Commission
- FISCAM
- FISMA
- Fraud
- GAO
- Governance & Standards
- Governance, Risk & Compliance
- Government Accountability Office
- Gramm-Leach-Bliley Act
- GRC
- Health Information Exchanges
- HIPAA
- Homeland Security Department
- HR
- ID & Access Management
- ID Access & Management
- Identity Theft
- Identity Theft Red Flags Rule
- Incident Response
- Information Security Compliance
- Information Sharing
- Insider
- Insider Threat
- Inspectors General
- Intelligence
- Law Enforcement
- Laws, Regulations & Directives
- Leadership & Management
- Legislation
- Medical Identity Theft
- Messaging
- Mobile & Wireless
- Mobile Banking
- National Security Agency
- Network & Perimeter
- Network/Perimeter
- NIST
- Office of Management & Budget
- Office of Management and Budget
- Pandemic Preparation
- Payments
- PCI DSS
- Phishing
- Physical Security
- Privacy
- Remote Capture
- Risk Assessment
- Risk Management
- Sarbanes-Oxley Act
- Security Leadership
- SIM & SEM
- SIM/SEM
- Skimming
- Social Media
- Staff & Recruitment
- Storage
- Technology
- Training & Education
- Unified Threat Management
- US-CERT
- Vendor Management
- Virtualization
- Web Security
- White House
Authors & Blogs
The Agency Insider
From the FDIC to the NCUA, banking institutions take guidance from myriad government agencies and regulations. Here's where we make sense of it all.
Secure Marketspace
A look into how the security and privacy concerns of consumers and citizens impact institutions and government agencies.
Information Technology Risk Management
Not all risks are created equal. Understand, manage and transfer risks, as necessary. Ignore none.
-
The Public Eye
Keeping tabs on federal government efforts to protect citizens' privacy
-
Industry Insights
Insights and opinions from the thought-leaders who represent the industry’s services and solutions providers.
Career Insights
Insights from advisors, consultants and practitioners who know what it takes to be a successful security professional
The Security Scrutinizer
Keeping an eye on efforts to protect the privacy and security of personal healthcare information
The Fraud Blog
Tracking fraud incidents and trends wherever -- and however -- they occur.
Recent Comments
"While it is only a slight benefit, I always use my debit card as a credit and NEVER dilvulge my PIN. I also recommend..."
Read Post | Jump to Comments"The security gap in the context of malware attacks penetrating computers is quite real. The old ways of blocking..."
Read Post | Jump to Comments"What many people don't realize is that computers were never engineered to keep out hackers - they were only engineered..."
Read Post | Jump to Comments
