• Home
• GOVERNMENT CXO
• E-GOVERNMENT
• CITIZEN ENGAGEMENT
• TAX AND REVENUE MANAGEMENT
• GOVERNMENT PROCUREMENT
• GREEN GOVERNMENT
• GOVERNMENT DATA MANAGEMENT
• GOVERNMENT SECURITY
• GOVERNMENT CLOUD
• GOVERNMENT ANALYTICS
• GOVERNMENT GIS
• CONNECTED GOVERNMENT
• DIGITAL INCLUSION
• EDUCATION IT
• HEALTHCARE IT

Central Government, Government, Government Security

Ex-US GCIO warns on cloud security

By Robin Hicks | 3 August 2010

In an interview with FutureGov, a former United States cabinet-level government CIO said that policymakers in Asia are right to be cautious about cloud computing, and should think carefully about the risks they are taking before they take the plunge.

Photos

View photos

Related Articles

• Overcome cloud security step by step

Related Categories

• CENTRAL GOVERNMENT
• GOVERNMENT
• GOVERNMENT SECURITY

From this Section

• NEWS

Hord Tipton, who for a five-year stint managed an IT portfolio worth US$1.2 billion for the Ministry of the Interior in US, said that government agencies should not be seduced by the speed at which private sector enterprises are entering the cloud.

“For the private sector, losing data is highly inconvenient,” he said. “For government, it could mean losing a person’s identity, or worse where critical infrastructure is concerned. People could get killed if data is lost.”

Remotely managing information in the cloud, even a private cloud, calls for a different approach to risk management, said the man who spent 27 years as a government CIO.

“Protecting data is the big issue. You need to think very carefully how security will be affected by a move from inhouse to outsourcing. There are many variables at play in the cloud, and you need to know how these variables could change,” he said.

“Having trust in your vendor is critical. A supplier’s tolerance to risk is often an unknown. If his approach to risk is not aligned with yours, you have a problem. And you need a highly skilled team in place that is capable of managing a number of issues, not least security, in an enterprise type way.”

“Governments will never put information in the cloud until some very serious questions are answered.”

According to Tipton, a good example of government entering the cloud is the US Department of Defense, which has put communications applications and widgets in the cloud. “What has impressed me is that they didn’t do this overnight,” he said; the DoD’s cloud platform took two years to plan and involved exhaustive testing.

Tipton noted that very few agencies are moving sensitive data to the cloud. Those that are considering it need to carefully classify their data according to the risk level if it was lost. “How quickly you move data should depend on the standards you develop and the success marks you have in place.”

Tipton, who is now Executive Director of the International Information Systems Security Certification Consortium, known as (ISC)2, added that while progress was being made on data security in the cloud, caution was healthy at this stage. “Cloud will happen in government. But it will happen cautiously.”

Government cloud computing in the US is being driven by the General Services Administration (GSA), which has highlighted a number of government cloud pioneers. Tipton pointed out that the “compelling economics” of cloud computing have removed the need for policies that push agencies into the cloud.

One is the Department of Energy.

One of its major labs has deployed over 5000 mailboxes on Google Federal Premiere Apps and the agency is now evaluating the use of Amazon Elastic Compute Cloud (EC2) to handle excess capacity for computers during peak demand. The agency estimates it will save US$1.5 million over the next five years in hardware, software and labour costs.

Another is the GSA itself.

It moved its primary information portal, USA.gov, to a cloud-based host. By moving to a cloud, GSA was able to reduce site upgrade time from nine months to one day; monthly downtime improved from two hours to 99.9 per cent availability; and GSA realised savings of $1.7 million.