Security in the cloud is twice as hard, but five times as important, a senior figure at the National Institute of Standards and Technology in the United States has told FutureGov. But while security will always be a top concern for government, policymakers should not allow security to “paralyse” their cloud strategies, he said.
Government cloud computing is more complex and challenging from a security perspective than it is for the private sector, noted Tim Grance, Program Manager, Cyber & Network Security Program, Information Technology Laboratory, NIST, United States Department of Commerce.
“A different level of security is needed for government. And a lot more transparency is needed from cloud providers. Governments need to know where their data is located, how it is being handled and be sure that policy requirements are being followed,” said Grance.
He added: “You need to prepare a solid business case for what it is you want to achieve in the cloud, and your apps need to be rigorously prepared. Yes, you need to be able to answer the security questions posed by the cloud, but don’t be paralysed by them.”
Introducing standards for the cloud is one way of easing security worries, Grance noted. “Standards give more predictability to the environment, enabling greater interoperability, data and application portability, and, ultimately, trust in the cloud. We need to define minimal standards, but avoid over specification which could inhibit innovation.”
Standards for identity and access management, data encryption and records and information management were particularly key for government cloud users, Grance added.
He noted that the right definition of cloud computing is also key, as is developing ‘use cases’ that will chart a safe path for governments to follow as they shift to the cloud.
Grance defined cloud computing as: “A model for enabling convenient, on-demand network access to a shared pool of configurable computing resources, such as networks, servers, storage, and services, that can be rapidly provisioned and released with minimal management effort or service provider interaction.”