Security washes out cloud savings

Projected savings from clouds likely to be reduced as security risks grow, analyst says

Projected savings for cloud computing may be too optimistic and federal agencies may be underestimating the costs of new security in clouds, cybersecurity analyst John Pescatore said today.

“When we look at the vast savings from cloud computing, some of that is real,” Pescatore, vice president and research fellow at Gartner Research, said in a cloud computing online webinar. “But some of the savings must be allocated to new security issues.”

Pescatore identified areas of discussion with regard to security and the cloud, including how to evaluate if a cloud is secure, how to avoid and remediate security vulnerabilities in the cloud, how to identify and protect against new risks from cloud hacking, and how to use the cloud to deliver security.

He noted that as technology has changed from mainframe computers to personal computers, and from personal computers to the Web, security approaches have changed, and that must happen with clouds.

While clouds are a relatively new technology and still immature, one aspect of cloud security has been well-developed, and that is cloud security for e-mail applications, such as Google’s Gmail, Pescatore said.

“Over time, we have built up trust in cloud-based e-mail filtering,” Pescatore said. A number of entities have found that cloud e-mail can perform better, filtering out more spam and viruses at a lower cost, than they could do themselves. The same process is likely to happen gradually with other cloud applications as they mature, he said.

Current security approaches, including certification and accreditation, encryption, and continuity of operations applications, are not easy to apply in clouds, Pescatore said, and new approaches may be needed.

Additional risks come from uncertainties about vendor viability and data portability, he said. If a government agency chooses a cloud vendor for its data, and the vendor goes out of business, the agency might be at risk of “being stuck” if its data cannot be easily reformatted to be transferred to another cloud, Pescatore said.

Transparency also may be reduced in a cloud, and there may be security risks not only for data in storage but for data that is being processed, he said.

About the Author

Alice Lipowicz is a staff writer covering government 2.0, homeland security and other IT policies for Federal Computer Week.


Reader comments

Tue, Jun 29, 2010 WJC DC Metro

I've done some analysis of costs to move things into a moderate security cloud environment and agree with the Thu 6/24 post on adding a server into an existing data center vs. moving being cheaper. In the federal space all the security we're looking for cost $$. Many firms are working on getting there but the few (one?) who is there is very pricey.

Fri, Jun 25, 2010 HEB Just Outside the Beltway

Cloud computing could be particularly costly for a federal agency. Just try to fit the square pegs of the NIST SP800 series or the DoDI 8500 / DISA STIG requirements into the round hole of cloud computing...and do it cheaply. It's being tried, but we'll see how long it takes to actually be low cost.

Thu, Jun 24, 2010

OK, What kind of Cloud are all of these savings tied to? Public SAAS? I really hate reading all of the articles saying save money with Cloud and they never explain what type of cloud or even attempt to quantify the savings. I've done a ton of math on IAAS and PAAS, and actually find if you have an existing data center with room, it's cheaper to buy another server than use a public cloud. SAAS may also seem cheaper, but there are many indirect costs there too. For example, I can offload my costs for Exchange by going to Google, but if I invested in the Microsoft ecosystem, I'm losing one of the cornerstones by shutting it off. How much is it going to cost to recreate the dependent functionality that will be lost? It's pretty easy to make a broad statement that Cloud will save you money since it really depends on so many factors that it's very difficult to prove or disprove the statement, but I think it is also irresponsible.

Thu, Jun 24, 2010

The nature of the Cloud, representing physical data storage, transfer, and processing outside of direct agency control opens a lot of possible issues. Security of this data needs to be of primary concern. For example, what assurances will agencies have that breaches haven't occurred? What kinds of data and processes should be excluded? Etc. There are many examples of security problems associated with uninformed or incomplete policy decisions. The Cloud adds a level of complexity in this area, which by default would seem to have to increase cost IF properly addressed.

Thu, Jun 24, 2010 Cathy

I won't say that I completely disagree with your post, but security issue is not that a great issue in cloud computing as sometimes people made it to be. We are using online transactions regularly & sometimes in large volume. But I do agree that because of this concern many of the people don't want to use cloud environment. Our company (http://w DOT regularly face this concern.
