This week Brivo is participating in NIST's Cloud Computing Forum and Workshop. The objective of this forum is to explore how standards can be developed and implemented to accelerate the adoption of cloud computing in the government sector. Dr. Patrick Gallagher, the Director of NIST, kicked off the session, noting that the Federal Government spent $82 billion on IT in 2010 and that one focus of the cloud computing effort is to de-couple information services from the physical assets required to deliver them. This "natural evolution in computer architecture," Gallagher added, is essential for enhancing the efficiency of the government.
Vivek Kundra, the US CIO, was a bit more blunt in his assessment that the government does a poor job of implementing IT projects and therefore the government "is on a one-way street to the cloud," further noting that "the cloud-first policy is central to how we are evaluating capital expenditures across the government." Several speakers addressed cloud security by noting that IT security issues were nothing new and that sound risk assessment approaches will help agencies work through these issues in their move to the cloud. Doc Shankar of IBM noted that there was no silver bullet for security and that "trust, transparency, and procedures" shared between customers and cloud providers were the true key to security.
- John Szczygiel
It has long been one of the family secrets of the security industry that the standard proximity cards issued to our customers for years aren’t very secure. The standard 26-bit format, for example, has only 16 bits reserved for a “unique” identifier, which means that if every American had to share this address space, your “personal” card would also belong to roughly 4,729 other people. Makes you feel special, no?
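To make that arithmetic concrete, here is an added example (not Brivo's code) that encodes and checks the commonly documented 26-bit layout of one even-parity bit, an 8-bit facility code, a 16-bit card number and one odd-parity bit, and then computes how many holders each 16-bit card number would need to absorb if 310 million cards were issued (a constructed population figure chosen to match the post).

```python
"""26-bit proximity card frame encode/decode and ID-space arithmetic (added example)."""
from typing import Tuple

FACILITY_BITS = 8
CARD_BITS = 16
FRAME_BITS = 26
CONSTRUCTED_POPULATION = 310_000_000  # constructed figure, roughly the US population


def _parity(bits: str) -> int:
    """Return 1 if the string contains an odd number of '1's, else 0."""
    return bits.count("1") % 2


def encode_26bit(facility: int, card: int) -> str:
    """Build a 26-bit frame as a '0'/'1' string, first-transmitted bit first."""
    if not 0 <= facility < (1 << FACILITY_BITS):
        raise ValueError("facility code must fit in 8 bits")
    if not 0 <= card < (1 << CARD_BITS):
        raise ValueError("card number must fit in 16 bits")
    data = f"{facility:08b}{card:016b}"  # 24 payload bits
    even = _parity(data[:12])            # even parity covers the first 12 payload bits
    odd = 1 - _parity(data[12:])         # odd parity covers the last 12 payload bits
    return f"{even}{data}{odd}"


def decode_26bit(frame: str) -> Tuple[int, int]:
    """Validate both parity bits and return (facility, card); raise on a bad frame."""
    if len(frame) != FRAME_BITS or set(frame) - {"0", "1"}:
        raise ValueError("frame must be 26 binary digits")
    data = frame[1:25]
    if int(frame[0]) != _parity(data[:12]):
        raise ValueError("even parity check failed")
    if int(frame[25]) != 1 - _parity(data[12:]):
        raise ValueError("odd parity check failed")
    return int(data[:FACILITY_BITS], 2), int(data[FACILITY_BITS:], 2)


def holders_per_card_number(population: int) -> int:
    """How many people must share each 16-bit card number if `population` cards are issued."""
    return population // (1 << CARD_BITS)


if __name__ == "__main__":
    frame = encode_26bit(facility=1, card=1)
    print(frame, decode_26bit(frame))
    # Each card number has 4730 holders, i.e. 4729 other people besides you.
    print(holders_per_card_number(CONSTRUCTED_POPULATION) - 1)
```

The facility code does not rescue the situation: it identifies a site, not a person, so the per-person address space is still the 16-bit card number.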
Sure, there have been some advances—larger address spaces, “proprietary” formats, and so forth. But on the whole, the landscape didn’t change much until the introduction of smart cards and biometrics. With both of these technologies, there is now the option to have a completely unique and secure digital identifier that you alone can use for access to both physical and logical resources. No more sharing, no more duplication—and no one either claiming to be you, or, conversely, denying their own identity when they’ve tried to do something they shouldn’t.
The federal government currently leads the definition, use, and deployment of these types of credentials, most notably in the form of PIV, TWIC, and CAC cards. If you want to learn more about this, there’s a great resource at http://www.idmanagement.gov. At Brivo we’re happy to support the use of these secure identity techniques, as we recently announced here.
These technologies for unique identification also enable commercial enterprises greater control over their own employees and assets. We’ve recently helped a large retailer deploy a wide-area biometric solution that helps them control access to high-value goods. Biometrics were essential to the solution because cards and PIN codes are famously shared among employees, and they provide no capability for non-repudiation.
Despite these advances, the security industry is famous for its inertia and resistance to change. While many better technologies have been available for some time now, customers are often not informed about them, and are instead offered insecure alternatives because their provider can save a few cents on a card or a few bucks on a reader. Not very customer-focused.
But here’s my prediction. This situation won’t persist. Over the course of the next three to five years, the industry will sort itself out between the haves and the have-nots along the lines of incorporating secure identities into their product offerings. During that period, customers will become better educated—particularly those buyers approaching security from the IT side—and they won’t settle for a solution where someone else has “got their number”.
- Steve Van Till
I chose the term ‘Trifecta’ for today’s column because in horse racing, it designates three winners. And I think that’s what we have here.
First, there’s the federal government, with ICAM, which stands for Identity, Credential and Access Management. In a sense, it’s the other bookend to HSPD-12, which said “You must have a high quality credential.” And now ICAM comes along and says, “Here’s how you should use it.”
Second, there’s the cloud. Or Software as a Service. As we’ve discussed here before, it’s a new paradigm for procurement and delivery of software that says it’s smarter and more efficient for everyone concerned—both suppliers and users—to rent rather than own, consolidate rather than distribute, and by all means don’t pay for anything until you absolutely have to—which is to say, as a subscription.
Last but not least, physical security is a big winner in all of this because it’s moving from having no seat at the IT table to having an essential role due to its newfound connection to identity and privacy. Physical security providers have been quick to adopt cloud technologies and leverage them for a variety of new offerings informally known as Security-as-a-Service.
If you’d like to hear more, watch the Webcast on our Federal Government page. Just click on the “Federal Security Trifecta” link in the second paragraph.
- Steve Van Till
Federal CIO Summarizes Cloud Progress in New Publication
Released in conjunction with the May 20 Federal Cloud Summit sponsored by NIST at the Department of Commerce, Vivek Kundra’s “The State of Federal Cloud Computing” outlines several new federal initiatives that will provide a big boost for cloud service providers of all stripes.
The first is Standards Acceleration to Jumpstart Adoption of Cloud Computing (SAJACC), a standards development effort that will be chaired by NIST and shared with the public through a new portal. The purpose of establishing standards is to increase portability of applications and interchangeability of service providers so that customers don’t get locked in to one particular technology stack.
The second is the Federal Risk and Authorization Management Program (FedRAMP), a much-needed cloud-era update to the aging FISMA framework for ensuring information security of federal computing applications. This “in for a dime, in for a dollar” approach leverages an initial security audit of a cloud provider from one agency across multiple other agencies who may choose to use the service at a later time. This prevents duplication of both effort and cost, and provides much faster deployment times for subsequent uses of a given cloud application.
The document also reiterates several themes that are by now familiar from earlier federal policy statements:
- energy reduction through data center consolidation is facilitated by cloud computing,
- federal budget planning for 2011 must include “an alternatives analysis that includes cloud computing,”
- cloud computing will help close the federal government’s technology gap.
The report concludes with 30 case studies of federal, state, and local cloud projects—a useful compendium of implementation advice, economic benefit, and deployment success.