GAO Report GAO-10-855T of July 1, 2010 noted that "... 22 of 24 major federal agencies reported that they are either concerned or very concerned about the potential information security risks associated with cloud computing. Risks include dependence on the security practices and assurances of a vendor, and the sharing of computing resources [with other firms]. Agencies have also identified challenges in assessing vendor compliance with government information security requirements and clarifying the division of information security responsibilities between the customer and vendor."
How appropriate are the GAO concerns?
By far the largest vendor of cloud services is the Amazon Elastic Cloud (EC). According to best estimates it generated in 2009 revenues of about $220 million. That is a small amount compared with the Navy's annual IT operating costs of $4.9 billion (FY09). With the scope of Navy operations, and with the declared objective to operate a single network, it is inconceivable that the Navy would rely on the security practices of any one cloud vendor. It is also inconceivable that the Navy would wish to share computing resources with any other enterprise or agency.
The GAO concerns can be overcome by the following policies:
1. The Navy will operate and control all security practices of its cloud.
2. Navy personnel will manage and be solely accountable for security measures.
3. Network and computing operations will be managed by network control centers operated exclusively by Navy personnel.
4. Physical aspects of data centers may be operated by cloud providers but without control over the software or data.
5. There will be no division of responsibility between the Navy and a contractor with regard to information security.
6. The Navy will operate its cloud environment as a service-as-a-platform, totally isolated from any other shared service.
The GAO concerns about information security risks in cloud operations are not appropriate. GAO did not give consideration to security policies that the Navy could adopt to protect its operations.
The six policies outlined above should become the basis of guidelines for the Navy to proceed with secure cloud computing.