Securing the Move to the Cloud

Dale Wickizer (Profile)
Thursday, June 9th 2011

The public sector, like other sectors in the United States, is trying to do more with less. Improving efficiency; reducing costs; and providing new, enhanced services continue to be important. Industries across the country are working to maximize the returns from their technology investments, and in many cases this involves replacement of legacy systems with new technologies that will provide benefits and flexibility into the future.

From a government perspective, the strategic adoption of new technologies such as cloud computing (“as-a-service” offerings) and virtualization has the potential to enable the transformation of the public sector at all levels, allowing it to reap the same benefits.

Oddly enough, while the uptake of cloud computing in the private and enterprise sectors is increasing, the U.S. public sector, with a few notable exceptions, doesn’t appear to be adopting a shared or cloud-based infrastructure as quickly. Surveys point to data security and privacy concerns as the reason.

Granted, the public sector should be concerned about security and privacy as some of their information is of a highly confidential or private nature, such as personally identifiable information about citizens or employees and national security information. However, a large amount of public sector data is intended for public consumption and could be put in the public cloud if certain measures are taken to safeguard the integrity of that data (that is, to guard against unauthorized changes or edits to the information). An example of this might be the IRS tax forms and guidelines. If digitally signed using SHA-512, there is no reason data like that needs to be housed in expensive government data centers.

For the information that needs to be securely protected, U.S. public sector agencies may be surprised to find that leveraging some private external cloud providers might actually be a step up in security compared to the approaches they are currently using. For example, some cloud providers have personnel trained in DoD counterterrorism and have facilities which have been accredited to both FISMA-M and FISMA-H.

For those agencies that want to deploy their own internal cloud environments, flexible "pod" architectures are now available that combine virtualization, networking, and storage technologies from industry leaders. These "pods" are orderable using a single bill of materials and are validated to support secure multi-tenancy (SMT), which is essentially a pool of virtual application silos running on a shared infrastructure for a mixed workload of up to 1,500 users per pod. This approach reduces the amount of engineering design effort by the agencies and helps streamline the procurement process.

The SMT architecture protects data security and privacy, on or off premises, in five key ways:

Secure Separation

When deploying an SMT environment it is vital to make sure that one tenant does not have access to another tenant’s resources. Each tenant has its own IP space with the ability to authenticate to separate directory services. Each virtual silo can also be assigned its own administrative roles and access control lists. Each layer in the stack, the hypervisor, server, network, and storage, has undergone Common Criteria certification as well as accreditation in challenging DoD environments.

Service Assurance

The environment is designed in such a way that each tenant has isolated compute, network, and storage performance regardless of the demands on the system. Service assurance provides visibility into these virtual silos to verify that agencies are receiving the services for which they have paid.