The Lockheed Martin Cyber Security Alliance released a report this month that highlighted the growth and challenges of cloud computing within the U.S. federal government, defense/military and intelligence agencies. Today just 14 percent of respondents surveyed said their agencies have at least one cloud computing application, and 85 percent of these are using multiple applications in the cloud. Current adoption is virtually the same at federal civilian (13 percent) and defense/military (14 percent) agencies.
Cloud computing is currently one of the fastest growing trends in all of IT, in both the public and private sectors, and federal CIO Vivek Kundra has been a visible public advocate for cloud computing. The government market for cloud computing is projected to more than triple between 2009 and 2014.
Despite these adoption findings and projections, resistance to cloud adoption will remain. There are 14 percent of respondents who are aware of cloud computing, but are not using or discussing it at their agencies. Another 23 percent are unaware of what their agency is doing with cloud computing.
For all the attention and growth cloud computing has achieved, there is still widespread lack of awareness and misunderstanding. The percentage of respondents who are not familiar with cloud computing (34 percent) is two-and-a-half times as high as the percentage whose agencies are using it (14 percent). Respondents at civilian agencies are more aware of cloud computing than their defense/military counterparts (37 percent to 30 percent), but neither population has a high level of awareness. Surprisingly, a fifth (21 percent) of professionals involved in cyber security at their agencies are unaware of cloud computing.
Cyber security professionals ranked cloud computing last among their cyber security challenges of note. This may indicate an overly narrow view of cyber security, because many of the more highly rated challenges also apply to cloud computing. It could also indicate lack of depth of understanding about cloud computing architectures and under appreciation of what is required to secure cloud computing systems and their users.
Some of the distrust in cloud computing invariably comes from respondents’ inexperience with it. Distrust may also result from uncertainty about how to secure applications and data in the cloud, including how security considerations change based on the specific cloud model (e.g. IaaS, PaaS, SaaS; public, private, community or hybrid cloud).
Data security is by far the top concern of note, and is the only one cited by a majority of respondents. The other leading issues are intrusion detection, securing data flows between data centers, clients, and applications, and security mandate compliance. While these are all legitimate issues, they are not unique to the cloud or inherently impossible to secure in the cloud.
Conversely, multi-tenancy, where different, non-related organizations may share infrastructure such as space on a server, is a cloud-specific security consideration, but it ranks near the bottom of respondents’ concerns. The specific security concerns of overall respondents are extremely consistent with those of respondents who distrust the cloud, and with those who are involved in cyber security.
Despite all the attention cloud computing receives as one of the leading IT trends, a third of government IT decision makers surveyed were not familiar with cloud computing, and a similar percentage do not trust it.
Awareness and trust are lacking even among professionals who are familiar with it and may be responsible for securing enterprise systems and information. While cloud adoption is expected to grow, respondents’ inexperience with cloud computing, security concerns (and in some cases, lack of concern) and uncertainty about governance could make it difficult for organizations to effectively implement cloud computing or realize full value from it.
Against this backdrop the Lockheed Martin Cyber Security Alliance made the following recommendations to government agencies:
- 1. Define what the cloud means to your organization
- 2. Create awareness of cloud initiatives throughout the organization
- 3. Take a broad view when assessing cloud’s impact
- 4. Engage professionals from organizations with specific cloud security expertise
As with any IT initiative, early engagement of security professionals will yield a more cost-effective risk management approach than retroactive ones. Experienced professionals can identify security and other implementation issues and recommend appropriate solutions.
(The Alliance consists of the following technology companies: APC by Schneider Electric, CA, Cisco, Dell, EMC Corporation and its RSA Security Division, HP, Intel, Juniper Networks, McAfee, Microsoft, NetApp, Symantec and VMware)