The U.S. government's increasing use of cloud computing services could lead to new data security risks, with agencies compelled to put their trust in vendors' security efforts, several lawmakers and a government IT expert said Thursday.
Cloud computing will likely give the U.S. government several benefits, including significantly lower IT costs, but agencies are moving their data to the cloud before the White House Office of Management and Budget (OMB) and supporting agencies have developed a governmentwide security strategy, said Gregory Wilshusen, director of information security issues at the U.S. Government Accountability Office (GAO).
"The use of cloud computing can also create numerous information security risks," Wilshusen told the U.S. House of Representatives Oversight and Government Reform Committee. "These risks generally relate to dependence on the security assurances and practices of a service provider and the sharing of computing resources."
IT executives at 22 of 24 major U.S. agencies surveyed by the GAO raised concerns about cloud computing security, even as officials in President Obama's administration push cloud computing, Wilshusen said. A GAO report released Thursday listed several security concerns: vendors using ineffective security practices, agencies not able to examine the security controls of vendors, cybercriminals targeting data-rich clouds, and agencies losing access to their data if the relationship with a vendor ends.
Several members of the committee also voiced some doubts about the security of cloud computing services.
"I will be particularly interested in details as to how companies believe that they can implement guaranteed security in a cloud environment," said U.S. Rep. Darrell Issa, a California Republican. "As all of you know, we do not guarantee security. We have breaches every week, every month, sometimes every day in government."
Cloud computing could save the U.S. government money and give agencies faster access to new technology, but it also opens up agencies to "unknown security risks" and raises questions about the level of control customers will have over their data, added Representative Diane Watson, a California Democrat. Cloud computing vendors must detail how they will meet federal data security standards, she said.
U.S. government agencies are working together to address security issues, said David McClure, associate administrator in the Office of Citizen Services and Innovative Technologies, U.S. General Services Administration (GSA). Several agencies have joined a new effort called the Federal Risk and Authorization Management Pilot program (FedRAMP), which seeks to develop security and certification standards, he said.
Despite the concerns, cloud computing will improve security, said Mike Bradshaw, director of Google Federal. Cloud computing vendors store data on multiple servers in multiple locations, making it difficult for cybercriminals to target one location, he said. The redundancy also means agencies are protected against disasters, he said.
"The cloud enhances security by enabling data to be stored centrally with continuous and automated network analysis and protection," he added. "When vulnerabilities are detected they can be managed more rapidly and uniformly. Cloud security is able to respond to attacks more rapidly by reducing the time it takes to install patches on thousands of individual desktops or hundreds of uniquely configured on-premise servers."
The benefits of cloud computing are "enormous," added Daniel Burton, senior vice president for global public policy at Salesforce.com. An April study by the Brookings Institution found that U.S. agencies can save 25 to 50 percent of their IT costs by moving to cloud computing, he noted.
In addition, cloud computing services allow the fast deployment of new technology and lower the risk of IT project failures, Burton said.
Vivek Kundra, CIO in Obama's administration, agreed, saying there's a long list of "spectacular failures" in federal IT projects. Cloud computing services can also help the U.S. government reduce the number of data centers it uses. The government's number of data centers rose from about 430 to 1,100 in the past 10 years, he said.
But moving to cloud computing is "not just about cost," Kundra said. "It's also about making sure that we're providing better service, that CIOs are focused not on investing in yet another data center, but actually providing better services."
Grant Gross covers technology and telecom policy in the U.S. government for The IDG News Service. Follow Grant on Twitter at GrantusG. Grant's e-mail address is firstname.lastname@example.org.