While it is true that no company can afford to overlook security considerations on the road to innovation, the potential cost of a public sector breach has made government agencies comparatively more discerning when it comes to cloud computing. As former Deputy Homeland Security Advisor Richard Falkenrath recently noted in a guest column for NextGov, the distributed nature of cloud-based networks has worried some legislators to the point of considering a federal ban on the use of foreign server farms. However, something as simple as encrypting data at rest could put security fears to bed in a much more efficient and affordable manner.
Reason for worry
The efficiency that is cloud computing's primary value proposition comes from siting server farms where energy and labor costs are lowest. And with data traveling between network poles in the blink of an eye, it hardly matters whether an American organization has its data center in Manila, Milan or Missoula, Montana. But according to Falkenrath, now a global security advisor with The Chertoff Group, government agencies still feel uneasy about storing sensitive workloads overseas.
"There is something fundamentally problematic for them with the notion that federal government data – IRS records, for example – might be stored on a server in, say, India," Falkenrath wrote. "The specter of non-U.S. citizens having physical over and access to U.S. data understandably gives the government pause. The same is true of almost every other country in the world."
This problem has become even more pressing in the age of consumerized IT and expanded employee mobility. With cloud-hosted data now supporting a majority of native mobile and web applications, smartphones, tablets and cloud computing have been inextricably tied to one another. And as the latest survey from the Cloud Security Alliance revealed, data compromised on lost, stolen or decommissioned devices continues to be the top mobile threat cited by industry professionals.
Locks and keys
As a result of these anxieties, more agencies are starting to seriously consider constricting their cloud perimeters to the continental U.S. The problem here is two-fold, according to Falkenrath. By spurning foreign efficiencies, operating expenses could easily double for a number of departments. And establishing geographic control could instill a dangerously false sense of security if officials assume domestic data center operators can do no wrong.
The real solution to cloud security and cost control, from Falkenrath's perspective, is encrypting data at rest. If cloud customers (data owners) encrypt their information prior to migration and retain sole ownership of the keys, the vast majority of public cloud pain points melt away.
The technology has already proven its worth in facilitating the secure transmission of financial data for web-based transactions, and more cloud vendors are starting to offer it as an optional component of their service level agreements. If government agencies pick up on this trend, Falkenrath insists that they will be able to dispense with the expensive data localization mandates and safely harness the full potential of the cloud computing paradigm.
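The arrangement described above, encrypting before migration while the data owner keeps the key, shown as an added Go example that is not from Falkenrath's column or the original post: the provider only ever receives the output of Encrypt, and Decrypt rejects a blob that was altered, renamed or opened with a different key. The function names, the object name records/a.csv and the sample record are assumptions made for the illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// aead builds AES-GCM from a key that never leaves the data owner.
func aead(key []byte) (cipher.AEAD, error) {
	b, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(b)
}

// Encrypt returns nonce||ciphertext||tag, the only bytes the provider receives.
func Encrypt(key []byte, name string, data []byte) ([]byte, error) {
	g, err := aead(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return g.Seal(nonce, nonce, data, []byte(name)), nil // name bound in as associated data
}

// Decrypt runs on the owner's side; a changed blob, name or key is an error.
func Decrypt(key []byte, name string, blob []byte) ([]byte, error) {
	g, err := aead(key)
	if err != nil || len(blob) < g.NonceSize() {
		return nil, fmt.Errorf("bad key length or truncated blob")
	}
	return g.Open(nil, blob[:g.NonceSize()], blob[g.NonceSize():], []byte(name))
}

func main() {
	key := make([]byte, 32) // generated and kept by the data owner
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	blob, _ := Encrypt(key, "records/a.csv", []byte("constructed sample record"))
	pt, err := Decrypt(key, "records/a.csv", blob)
	fmt.Printf("%d bytes uploaded, recovered %q, err=%v\n", len(blob), pt, err)
}
```

Because the object name is authenticated alongside the data, a blob copied to a different name on the provider's side fails to decrypt instead of silently substituting one record for another.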
Cloud Security News from SimplySecurity.com by Trend Micro