Securing the Move to the Cloud
June 9, 2011
The public sector, like other sectors in the United States, is trying to do more with less. Improving efficiency; reducing costs; and providing new, enhanced services continue to be important. Industries across the country are working to maximize the returns from their technology investments, and in many cases this involves replacement of legacy systems with new technologies that will provide benefits and flexibility into the future.
From a government perspective, the strategic adoption of new technologies such as cloud computing (“as-a-service” offerings) and virtualization has the potential to enable the transformation of the public sector at all levels, allowing it to reap the same benefits.
Oddly enough, while the uptake of cloud computing in the private and enterprise sectors is increasing, the U.S. public sector, with a few notable exceptions, doesn’t appear to be adopting a shared or cloud-based infrastructure as quickly. Surveys point to data security and privacy concerns as the reason.
Granted, the public sector should be concerned about security and privacy as some of their information is of a highly confidential or private nature, such as personally identifiable information about citizens or employees and national security information. However, a large amount of public sector data is intended for public consumption and could be put in the public cloud if certain measures are taken to safeguard the integrity of that data (that is, to guard against unauthorized changes or edits to the information). An example of this might be the IRS tax forms and guidelines. If digitally signed using SHA-512, there is no reason data like that needs to be housed in expensive government data centers.
For the information that needs to be securely protected, U.S. public sector agencies may be surprised to find that leveraging some private external cloud providers might actually be a step up in security compared to the approaches they are currently using. For example, some cloud providers have personnel trained in DoD counterterrorism and have facilities which have been accredited to both FISMA-M and FISMA-H.
For those agencies that want to deploy their own internal cloud environments, flexible "pod" architectures are now available that combine virtualization, networking, and storage technologies from industry leaders. These "pods" are orderable using a single bill of materials and are validated to support secure multi-tenancy (SMT), which is essentially a pool of virtual application silos running on a shared infrastructure for a mixed workload of up to 1,500 users per pod. This approach reduces the amount of engineering design effort by the agencies and helps streamline the procurement process.
The SMT architecture protects data security and privacy, on or off premises, in five key ways:
Secure Separation
When deploying an SMT environment it is vital to make sure that one tenant does not have access to another tenant’s resources. Each tenant has its own IP space with the ability to authenticate to separate directory services. Each virtual silo can also be assigned its own administrative roles and access control lists. Each layer in the stack, the hypervisor, server, network, and storage, has undergone Common Criteria certification as well as accreditation in challenging DoD environments.
Service Assurance
The environment is designed in such a way that each tenant has isolated compute, network, and storage performance regardless of the demands on the system. Service assurance provides visibility into these virtual silos to verify that agencies are receiving the services for which they have paid.
The SMT solution is designed in a way that makes sure of the availability of services, even in the event of a failure, rebalancing of workload, or upgrade of the infrastructure.
Service Manageability
Each virtual silo, including the application it supports, can be managed through a third-party orchestration tool or directly using the vendor service catalogs and tools. This management approach includes workflow automation and minimizes the number of skill sets and processes required to run the infrastructure.
Integrated Data Protection
The "pod" architecture supports one approach for backup, restore, and replication of data offsite, despite having multiple tenants (that is, multiple virtual silos) and each tenant having more than one application in same silo. This, too, can be done in a self-service fashion by each tenant, if allowed by the service provider or service broker.
Now that SMT technology is available, whether that capability is provided by an external private cloud provider or on premises using preconfigured and validated "pods," public sector agencies need not let concerns over data privacy and security prevent them from leveraging the cost savings and efficiencies of cloud computing. Ultimately, government organizations will be able to do more with less, all while implementing a technology solution that positions them as future ready.