The Wall Street Journal had an interesting article on the United States General Services Administration has approved the acquisition of some cloud services for use by the Federal Government including many of the Google Apps such as Gmail, Google Docs, etc. Since these services are for sale as well as freely available this sounds more like an admission that they can be used. Will other governments follow suit? But should they be used? That is really the question.
There are two sides to any government, the classified and the unclassified. These are general terms that quantify how the government can use services. While all services require quite a bit of security, classified utilization requires even more, in many cases what most would consider to be “uber-security” requirements. The types of requirements that impact usability in some way. Can these tools provide adequate security?
Many government agencies make use of these tools today, before the GSA approved them. They are used by many individuals within all aspects of government life. The most common used tool would be Google’s search engine, the next would be Google mail and Google Docs. They may not have been sanctioned officially but many government workers already use these tools so they become extremely well known. They use these tools freely within their personal lives, and recently I have seen agencies use Google Groups and Documents for sharing of information between many parties within the industry. NIST’s use of Google Docs for sharing their latest Full Virtualization Security guide is one such case. There are others doing the same.
These are all part of the unclassified part of the government, and freely available cloud tools. Sort of a major improvement in the old Internet News mechanism for sharing information. There is a steady progression of sharing technologies that started with the very first connected machines using UUCP to today’s use of cloud document sharing services.
The GSA allowing the US Government to purchase such cloud services is a big win for Google and within the unclassified side of the government, I see this as a big win. However, I feel that the classified side of the government will not make use of these services due to the issues with Secure Multi-Tenancy and security requirements. This type of data needs a chain of custody that would be difficult to insure within Google’s cloud. Instead, I fully expect this side of the government to make use of Private Clouds where they control all aspects of the environment. Perhaps it is based on what Google is doing, or perhaps it is a private Google cloud within government control, if Google will allow their technology sold in this way.
Even if they do not, the security controls will require careful Data Loss Prevention (DLP) to ensure that classified documents do not end up on Google’s site search, or within Google’s servers. Within the cloud and virtualization such Data Loss Prevention is bastion based at the moment. DLP is evolving to finally work with virtualization as shown by RSA and VMware at the last three major shows I have attended (EMCworld, RSA Conference, VMworld 2009). I fully expect this to continue to improve and be productized for the cloud.
Which leads to the last question? Is the burden on the cloud provider such as Google to implement DLP on ingress to their clouds, or on the data owner? In this case the Government, but it could just as easily be corporate secrets? Who is ultimately responsible for the security of data within the Cloud?
I have heard that for the small business it is the Cloud Provider, but for the enterprise and government it would be on their shoulders. My opinion: It is all about the Data, regardless of organization size, the organization is responsible for their data security. If you make use of the cloud, you need to ensure your data is safe.
This implies that all cloud providers need DLP and other security controls that the organizations can dial in as needed. Whether the data is classified or not, cloud providers need to provide the necessary security, that organizations can choose to use or not. The availability of such security controls is limited within the public cloud but is being designed into private clouds. Public, private, it makes no difference, we still need to protect our data and protect its integrity and confidentiality even from the cloud provider.