The day following the conference found me meeting with congressional staff members from the House Committee on Energy and Commerce, the Senate Committee on Homeland Security and Governmental Affairs, and the Senate Select Committee on Intelligence. All are involved in cloud computing, in one way or another: Energy and Commerce from the perspective of trying to understand the potential impact of cloud computing on the economy and ensuring government regulations support it, while ensuring that security and privacy are maintained; Homeland Security from the perspective of avoiding security vulnerabilities in governmental computing efforts; and the Intelligence Committee from the perspective of implementing cyber-security and protecting US governmental and commercial activities from espionage and attacks. If you noticed a common theme regarding security, go to the head of the class.
What struck me about each group's discussion of security was how their security concerns are balanced with a desire to support cloud computing in general. Obviously, the buzz about the potential benefits of cloud computing has reached even these very non-technical individuals, who spend their time focusing on policy and legislation. It would be quite easy for any of these committees to cite the paramount need for security and hinder progress on cloud initiatives, both within and without the government. Instead, they are very concerned about making sure cloud initiatives are accompanied by appropriate security measures.
Along with the general concerns about security and privacy, one topic that came up several times is FISMA, the Federal Information Security Management Act, a law that mandates that security assessment and implementation be part of every Federal information system. FISMA imposes a structured, consistent approach to system security, ensuring that every application is treated the same. One challenge for FISMA in a cloud computing world (and, indeed, in a virtualized infrastructure world) is that it is application-driven and envisions a non-shared hardware basis for applications. This is obviously too constrained for a cloud (or, indeed, a virtualized) infrastructure; my recommendation is that FISMA be examined with an eye toward modification to support the notion of applications residing on a shared infrastructure with a method to evaluate the infrastructure and grade it according to its security capability. This would allow cloud infrastructures to be examined once, with the resulting accreditation (that's the official FISMA term) applied to any subsequent application that also resides on that infrastructure. Sharing accreditation would speed up FISMA certifications, not to mention reducing their cost (which is not inconsiderable).
The FISMA predicament illustrates the general picture, which is that many security and privacy laws and regulations are out-of-date with respect to their assumptions about computing infrastructure. Because these laws were written before virtualization became common, they assume that applications reside on fixed, unshared hardware resources; that assumption is now obsolete, undone by the march of Moore's Law and the drive for infrastructure efficiency.
I am incredibly heartened by my trip. Seeing the Federal government taking a leading role in cloud computing is impressive. Seeing how many of the agencies and committees involved in the process intuitively understand the potential of the cloud is striking. I am really looking forward to the next year to watch how the government's initiatives march forward.
Bernard Golden is CEO of consulting firm HyperStratus, which specializes in virtualization, cloud computing and related issues. He is also the author of "Virtualization for Dummies," the best-selling book on virtualization to date.