|SPECIAL REPORT|APRIL 2010
Although the cloud computing concept is still evolving, it has been defined by NIST officials as “a pay-per-use model for enabling convenient, on-demand network access to a shared pool of configurable and reliable computing resources, such as networks, servers, storage, applications and services that can be rapidly provisioned and released with minimal consumer management effort or service provider interaction.”

The elastic, shared, self-managing and self-healing utilities inherent in cloud computing are so attractive because they support all users, no matter where they are located. Also, these services can minimize inefficient infrastructure, while boosting initiatives such as Green IT, disaster recovery/COOP and Telework. Cloud computing can also help federal agencies create unified, reliable, available infrastructures, comprised of interchangeable industry-standard components. “Increasingly, agencies are adding online submission processes for taxes, registration and bill payment services,” said Jeffrey Kaplan, managing director of THINKstrategies, Inc., a market research firm specializing in software as a service, in Wellesley, Mass., who added that agencies could also use cloud-based services to leverage third-party resources for situational computing requirements (think tax season).
Security Overshadows the Cloud
While most observers maintain the eventual migration to cloud computing is inevitable, others remain steadfastly skeptical, citing security and privacy concerns as prominent obstacles to widespread deployment. These executives doubt externally controlled cloud services can be adequately protected and they stress the need for federal agencies to carefully scrutinize industry offerings to ensure adequate security. In March, the non-profit Cloud Security Alliance published a sponsored report on top cloud computing security threats, based on information from security experts at 30 organizations involved in complex cloud environments. Top threats include:
• Malicious employees of cloud computing providers – this means potential customers must understand what providers are doing to detect and defend against insider threats.
• Nefarious use – hackers actively target cloud providers, partially because of relatively weak registration systems, which facilitate anonymity, and also because providers possess limited fraud detection capabilities.
• Insecure interfaces and APIs – reliance on a weak set of interfaces and APIs exposes organizations to security risks related to confidentiality, integrity, availability and accountability.
• Shared technology vulnerabilities – many cloud providers haven’t designed disk partitions, CPU caches and other shared elements for strong compartmentalization.
• Data loss or leakage – this can lead to compliance violations and legal ramifications.
• Account, service or traffic hijacking – with stolen credentials, attackers can access critical areas of deployed cloud services, which can be used to compromise the confidentiality, integrity and availability of services.
• Unknown risks – while features and functionality may be well advertised, detailed information about the compliance of internal security procedures, configuration hardening, patching, auditing and logging isn’t always readily available.
Following Clouds Forward
While security concerns will continue for some time to come, some federal IT organizations are finding that cloud computing initiatives may actually increase security if information stored is safely guarded within the confines of a ‘private cloud.’ And while private clouds dedicate service to one organization, Juniper and IBM have joined in an OEM agreement signed last summer to allow IBM to offer Juniper’s networking technologies to advance a hybrid concept that could allow enterprises to seamlessly extend internal private clouds to remote servers in a secure public cloud. LeMaster said Juniper is investing in technologies such as:
• Converged enhanced Ethernet (CEE) – an evolution of Ethernet enabling networking protocol convergence and the addition of extensions to the existing protocol suite to provide reliability without incurring performance penalties.
• Flow awareness – in which traffic can be treated differently depending on the subscriber to whom it belongs, and the type of service it represents.
• Class of service awareness – in which classes of service require varying levels of preferential traffic treatment, to compress traffic and conserve bandwidth, or ensure security and accountability, by ensuring network resources go to applications according to a preset organizational priority.
• Data center reliability to support cloud-based services.