Industry giants say cloud security is a shared responsibility, with vendors providing the services and agencies responsible for creating secure apps and following standard practices.
Representatives from three tech titans -- Amazon Web Services, Microsoft and IBM -- faced off Wednesday morning on cloud in government.
While there may have been contention over priorities and practices, panelists at the FOSE event came together on security -- when it comes to securing agencies’ data, they agreed, the responsibility is not exclusive to vendors.
The cloud is a shared security model, according to Doug VanDyke, general manager for civilian government at Amazon. The vendors provide the services, and agencies are responsible for creating a secure application and ensuring they’re following standard security practices for their data.
For many agencies, it’s more of a concern to be moving email to cloud, rather than using cloud as platform-as-a-service, although getting security clearance as a vendor for agencies whose emails are high-level might not be attainable.
“National security will require serious investment,” said Michelle Rudnicki, vice president of cloud computing and growth initiatives at IBM.
The Defense Information Systems Agency’s email is at a level 5, and Susie Adams, chief technology officer for Microsoft’s Federal’s Civilian business, said it is debatable if any vendor will be able to be cleared for that level.
The bigger concern is trusted Internet connection and secure netflow, Adams said. It’s the state of the network infrastructure that will make it affordable and attractive for agencies to move to the cloud.
In fact, Adams said, there is little difference in level of security in the cloud and in physical data centers.
To give an idea of what security in data centers might entail, Adams points to how Microsoft secures its centers—it requires biometric access to get in and “lockbox” security that involves having a key to open a lock box, which initiates a one-hour timer, in addition to constant real time monitoring.
“Data insurance isn’t just about the data itself, its about the practice and concerns around it and how you have access to that data,” Adams said.
NEXT STORY: News and notes from day 2 at FOSE