'Security as a service' may be federal future

In the U.S. Capitol Wednesday, a forum for congressional staffers on cloud computing brought together representatives of rival firms, including Google, Microsoft, IBM, Dell, Salesforce, SAP, and Savvis.

The vendors avoided one-upmanship and obvious sales pitches, and generally stayed true to the forum’s purpose, which was to provide an overview of cloud computing. It was organized by the TechAmerica Foundation, the research arm of the IT industry group.

But one of the speakers, Nick Combs, the CTO of EMC’s federal division, was tough on some cloud activities in government as well as the security offered by some vendors. He offered frank observations and recommendations.

Prior to joining EMC, Combs worked in federal IT for 25 years, mostly in senior IT positions in intelligence areas, including CIO of the National Media Exploitation Center under the Office of Director of National Intelligence.

Combs said that he’s seeing a lot of “cloud-washing” in government, where old technology is being labeled as “cloud ready” or as “cloud services,” so agencies “can say that they are compliant with cloud policies.”

The panel was asked about government use of software-as-a-service and security. Under Federal Information Security Management Act (FISMA) rules, new releases have to be recertified, a potentially long process. The panel was asked if there is a way to address that.

Combs, who ran certification and accreditation programs for the intelligence community for a number of years, said that the system is complicated but then there are risks.

Vendors “will come out every day” and say that they have encryption in their software or hardware, but it may be nothing more than some 40-bit encryption pulled off the Internet that was engineered into their product, said Combs.

“With a rainbow table I can break into it in about 15 seconds – there is a reason why there are standards,” said Combs.

Combs said a potential solution may be moving to security as a service to enable rapid implementation of software. A SaaS vendor could point their product to a security service. “Some people are looking at that today and I think that will be the way of the future,” he said.

The Cloud Security Alliance issued a white paper late last year on security as a service in an attempt to define this emerging category of cloud services. The range of security services being delivered this way includes identity and access management, intrusion management, encryption and even disaster recovery.

Security concerns aside, others pointed out that security wasn't keeping government agencies from adopting external cloud services.

Copyright © 2012 IDG Communications, Inc.
