by Marcia Savage
A recent audit into U.S. federal agencies’ adoption of cloud computing services highlighted challenges that likely would resonate with private enterprises looking to move applications to the cloud.
The report by the U.S. Government Accountability Office looked at the progress seven agencies have made in implementing the White House’s “Cloud First” policy. According to GAO, agencies need to do better planning – of the 20 plans for implementing cloud solutions the agencies submitted, seven didn’t include estimated costs. None of the plans for meeting the federal cloud computing strategy included details on how legacy systems would be retired or repurposed.
What’s telling, though, is the list of cloud challenges GAO compiled after talking to agencies. Topping the list is concern over the ability – or inability – of cloud providers to meet federal security requirements. For example, State Department officials reported that cloud providers can’t match the department’s ability to monitor its systems in real time. Also, Treasury officials noted that meeting a FISMA requirement for maintaining a physical inventory is tough since they don’t have insight into the cloud provider’s infrastructure and assets.
Other challenges cited in the GAO report include agencies not having the necessary expertise to implement cloud services; a Health and Human Services official reported that it’s difficult to teach staff a new set of procedures, such as monitoring performance in a cloud environment. Another challenge: Ensuring data portability and interoperability by avoiding vendor lock-in.
Sounds familiar, right? Security, cloud provider transparency, lack of expertise and vendor lock-in are all issues that organizations, both public and private, are wrestling with as they try to take advantage of cloud services. In its report, the GAO notes that recently issued federal guidance and initiatives, including guidance from NIST and FedRAMP, address some of these issues. Still, the issues are far from easy to solve. The journey to the cloud is a pretty bumpy one right now, as the GAO report found.