The Intelligence and National Security Alliance (INSA) has released a new white paper on the significance of cloud computing for the national security space. Developed by the INSA Cyber Council’s Cloud Computing Task Force, the paper “provides critical analysis of current cloud computing adoption best practices, and discusses potential cost-savings, likely impact on government organizational culture, potential deployment models and necessary security measures.”
The INSA’s Cloud Computing Task Force set out to explore the impact of cloud computing on the intelligence community by soliciting input from more than 50 cloud thought leaders and policy makers from the public and private spheres. The resulting study laid the groundwork for the Task Force’s white paper, “Cloud Computing: Risks, Benefits, and Mission Enhancement for the Intelligence Community.” The paper was released earlier today in connection with a panel discussion at the National Press Club in Washington.
Prominent members of INSA’s Cloud Computing Task Force include Kevin L. Jackson, NJVC vice president and general manager, cloud services; Bob Gourley, task force chairman, Crucial Point, LLC founder and chief technology officer; Maureen McGovern, KSB Solutions president; and John Totah, task force team leader and Oracle National Security Group technical director.
“The government-industry collaboration demonstrated by this study serves as an important model for us all,” says Task Force Chairman Gourley.
Key takeaways from the report:
• Cloud computing is not simply the consolidation and virtualization of software and systems, but a complete change in an organization’s business model.
• Migration to a cloud model should be primarily focused on improving mission accomplishment.
• The type of cloud deployment depends on the security protection needed for the data involved.
• The benefits of cloud computing are related to long-term cost avoidance and support to the mission, rather than immediate cost reduction.
Ellen McCarthy, president of INSA, further emphasizes cloud’s role as an enabling technology: “Use of cloud computing within the IC is enhancing agencies’ mission success through improved collaboration and IT efficiency. This is an exciting development for the IC and very promising, but organizations need to understand the full ramifications of accepting this new business model and the impact it will have on information sharing. Cost savings may ultimately be realized, but should not be the primary driver of adopting this business model – it’s about mission enhancement.”
The report also provides an overview of the various categories of cloud, such as deployment models (public, private, and hybrid), and service models (IaaS, PaaS and SaaS). It’s a worthwhile read for anyone who’s still trying to familiarize themselves with the space. In addition to referencing the oft-used NIST definition, the authors have presented another basic but useful distinction, which is the use of “cloud computing” as an adjective and as a noun:
Cloud Computing as an adjective: A method of computing that provides IT capacity in elastic ways to expand to meet user needs and contract when demand decreases.
Cloud Computing as a noun: An infrastructure of on-demand capabilities using virtualized resources. This involves pools of storage, network, processing, and other computational resources that can be efficiently allocated when requested and quickly provisioned in a highly automated fashion.
Naturally, security and trust issues appear as central themes of the report. The intelligence community shares this pain point with other data-sensitive domains. On this subject, the authors are clear that cloud is not a panacea. In fact, as a delivery model, it is not inherently more or less secure, and thus it falls on all parties to perform their due diligence:
It is a fallacy to assume that cloud computing is less secure than a private data center that has access to the Internet. A key issue raised is that a very large percentage of breaches do not come from attacks on the cloud’s architecture, but rather from insecure clients or third parties. “If you can’t protect the client, you can’t protect the cloud.”
Download a copy of the white paper here: INSA_Cloud_Computing_2012_FINAL.pdf