If you’ve read my blog for a while, you know I have been a big proponent of cloud computing for some time. Cloud computing enables faster, greener, and more cost-effective service to our stakeholders. However, that doesn’t mean there aren’t issues around cloud computing that still need to be resolved.
As the original chair of the Cloud Computing Executive Steering Committee (ESC), a working group under the federal CIO Council, one of the first hurdles to cloud computing we began to address was security. We formed a security working group under the ESC in October of 2009 which is now supported by Katie Lewin and the Federal Cloud Program Management Office team in GSA’s Office of Citizen Services and Innovative Technologies. This group has worked collaboratively with the Federal CIO, NIST, the CIO Council (and working groups such as ISIMC, which is the CIO Council’s committee on information security and identity management), and agency SAISOs to build a common cloud security assessment and accreditation framework. With this work the administration is taking a big step forward in addressing how the Federal government is going to address security concerns for cloud computing systems.
While cloud computing is not new technology, it does present unique security challenges based on the outsourced, multi-tenant nature of the services being provided. This week, Vivek Kundra, the Federal CIO, in conjunction with the CIO Council and other involved partners, announced the release of Proposed Security Assessment and Authorization for U.S. Government Cloud Computing documentation. This document provides the framework and information about a proposed operating model for the Federal Risk and Authorization Management Program (FedRAMP).
FedRAMP is an extremely exciting development for cloud computing. Our aim is that FedRAMP provide the framework for a standard and secure approach to Assessing and Authorizing (A&A) cloud computing services and products. It would allow joint authorizations and continuous security monitoring services for Government and Commercial cloud computing systems intended for multi-agency use.
The implications of this are huge. Implementation time for FedRAMP certified vendors would be dramatically cut – instead of its taking months to get a security authorization, it could take weeks. Additionally, the cost in granting an Authority to Operate from an agency perspective could be minimal – potentially only the time it takes to review the FedRAMP authorization.
The FedRAMP documents are a great first start to finding a workable solution to securely using cloud solutions for the Federal Government. The Federal Cloud PMO and collective governmentwide partners are still looking to make the FedRAMP approach as good as possible for government and industry. As such, they are requesting feedback from the community. The documents can be accessed at http://www.FedRAMP.gov, and comments are being accepted through Thursday, December 2, 2010. Additionally, GSA will be hosting a FedRAMP Q&A Briefings Industry Day this Friday, November 19.


Meredith, start with our cloud info site, located at http://info.apps.gov/
I am a government employee, but also a doctoral student, currently working on my dissertation on Cloud Computing in the Federal Government. I have a few specific areas in which I am seeking information in regards to cloud computing. Who might I be able to talk to, who might be able to steer me in the right direction?
Thanks,
Meredith
This is very forward thinking on behalf of this department. I see many uses for this technology.
Seeing initiatives like this happening in our own government amazes me. Thank you for being forward thinking and pushing America out of the technological dark ages. Too much taxpayer money is being wasted on a huge duplication of effort.
Cloud as it exists in the private sector may not be the best solution, but it is one step closer to the final solution. Ms Coleman, please do not get discouraged by the naysayers. You are doing the right thing and I applaud you and your team.
Thank you for all of your efforts.
Cloud computing is Internet-based computing, whereby shared resources, software, and information are provided to computers and other devices on demand, like the electricity grid.
Cloud computing is a natural evolution of the widespread adoption of virtualization, Service-oriented architecture and utility computing. Details are abstracted from consumers, who no longer have need for expertise in, or control over, the technology infrastructure “in the cloud” that supports them. Cloud computing describes a new supplement, consumption, and delivery model for IT services based on the Internet, and it typically involves over-the-Internet provision of dynamically scalable and often virtualized resources. It is a byproduct and consequence of the ease-of-access to remote computing sites provided by the Internet. This frequently takes the form of web-based tools or applications that users can access and use through a web browser as if it were a program installed locally on their own computer. NIST provides a somewhat more objective and specific definition here. The term “cloud” is used as a metaphor for the Internet, based on the cloud drawing used in the past to represent the telephone network, and later to depict the Internet in computer network diagrams as an abstraction of the underlying infrastructure it represents. Typical cloud computing providers deliver common business applications online that are accessed from another Web service or software like a Web browser, while the software and data are stored on servers.
Most cloud computing infrastructures consist of services delivered through common centers and built on servers. Clouds often appear as single points of access for consumers’ computing needs. Commercial offerings are generally expected to meet quality of service (QoS) requirements of customers, and typically include service level agreements (SLAs). The major cloud service providers include Amazon, Salesforce and Google. Some of the larger IT firms that are actively involved in cloud computing are Fujitsu, Microsoft, Hewlett Packard, IBM, VMware, NetApp and Dell. http://www.toprice.ie
When Google Inc. launches its cloud computing services for federal government agencies next year, one of its biggest challenges will be to overcome concerns related to data privacy and security in cloud environments.
Google earlier this week said that it was planning on offering cloud services such as Google Apps to federal agencies starting in 2010. Google said it is speaking with several federal agencies about its offerings, which the company has assured will be fully compliant with the requirements of the Federal Information Security Management Act. A FISMA certification is required for a service provider, such as Google, to sell to federal agencies.
Google announced its plans to deliver a government cloud at a cloud computing event in California. At the event, a company executive noted that the government services would be hosted on Google’s data centers, but on systems that are compliant with government regulations. The government cloud service will also be operated by individuals with the appropriate security clearances, and all data that is part of a government cloud service would remain in the U.S, the executive said.