Ask tough questions before moving to cloud

Jimmy Sorrells, Vice President of Enterprise Products, INTEGRITY

wfedstaff |

Today, Fed Cloud Blog sits down with INTEGRITY, a company that provides IT security solutions for government, military, and commercial enterprises.

Jimmy Sorrells is Vice President of Enterprise Products and says his company provides high-assurance security software.

JS: We would provide foundational software to a lot of the cloud providers. If you’ve got somebody who’s going to provide storage or Web presence or lots of different cloud-types of technologies, we would be a foundational technology for them. . . . We’re doing security down between the hardware and the operating system level.

FCB: We talk a lot about risks associated with moving into the cloud. . . . Can you talk about some of the biggest vulnerabilities that a CIO or a CTO needs to be aware of right now?

JS: The cloud is a really apt description of the way people are going to implement things. It’s this big, nebulous bundle of stuff out there, and the the biggest vulnerability is — what do you know about these services that you’re going to start to rely on.

If you’re going to put your data into the cloud, or if you’re going to put some kind of presence for your company out into the cloud, what do you really know about the service provider that you’re going to do business with? What kind of assurance can they give you about how they’re going to protect your information? About how they’re going to guard your particular presence in their thing — whatever their thing is?

So, instead of talking about vulnerabilities in terms of attackers attacking, I really think that the more fundamental question is, if you’re an executive and you’re thinking about moving into the cloud, what is it that you know about your provider, and what is it that they can assure you about how they’re going to safeguard your information?

FCB: What about CIOs or CTOs already in the cloud? Now what are they worried about in terms of security?

JS: It’s very similar. What you’re worried about is — what is your service provider doing to safeguard you? What are they doing in terms of giving you assurance?

When you put your money in the bank, you’ve got an assurance that if something happens — if the bank gets robbed — you’re protected. We have the FDIC, and that gives people some level of confidence. . . . There are similar types of things for the IT space.

One government-supported program called Common Criteria — the National Information Assurance Partnership (NIAP) between the National Security Agency and NIST. They actually do qualifications on technologies that are there for the IT space. At this point, it’s probably not very well known, but CIOs that are in the cloud should be asking questions of their providers — how have you qualified your technology that’s safeguarding my information — and compare it against some of the standards that are being published by Common Criteria.

FCB: We have talked about lessons learned and best practices here — are there any groups out there, or resources available, especially for the federal CIO, that maybe they’re not aware of?

JS: [There is] the Cyber Secure Institute. . . . Their mission is basically to raise the awareness for CIOs and executives about Common Criteria and the organizations that will actually assure some level of technology that would at least point out to a CIO where the risks are.

If your technology is Common Criteria qualified, they have a ranking system from 1 to 7, so you can really quickly look and see and ask your provider where they are on that 1 to 7 scale. . . . I think a lot of CIOs don’t realize that resource is out there. . . . There are [also] blogs and discussion boards where people can empathize and get information about the fact that there are measures of how secure technologies are. I don’t think they’re being utilized much at all.

When CIOs are looking to go to the cloud these days, the first thing I would tell them is, go check out your provider.

FCB: After a CIO or CTO has decided to move into the cloud, at that point you’ve got to pick and choose and figure out what needs to go in the cloud or what could go in the cloud, versus what doesn’t. . . . Do you have any advice about how to figure out what is cloud-worthy, so to speak?

JS: We are very big proponents of data segregation — segregating your data in terms of need to know and using some of the lessons learned and examples from the Intelligence Community and DoD. They’ve always had this idea of need-to-know.

You shouldn’t treat your data as one big lump. You need to have striations in terms of the importance and [think about] how important it is to keep privacy and confidentiality of information. Some is very, very private and confidential — health records, employee Social Security numbers, [but] maybe some other things aren’t, from a privacy standpoint, that [could be] public. There’s lots of public facing documents that you really do want to be accessible freely by the public.

So, I would say that a strategy of data segregation and attaching privacy importance to that is the first thing that we would suggest you do. . . . As you build your confidence in your supplier, maybe you just want to start with your very public-facing data — some websites that talk about your company, and then, as you build confidence in your provider . . . you can start to put more and more private information [in the cloud]. You may never want to put the most important and private information in the cloud. That may be something that’s only intranet worthy.

The one thing that I want to add is that we’re kind of at an inflection point here in technology and with virtualization and cloud computing, things are morphing. The Internet is ubiquitous now. Information used to be on mainframes and then it went to PCs and now it’s moving out into this really public kind of a network. So, a word of caution, and a word to the CIOs that are running organizations — there are measures out there that will tell you how good your providers are in terms of security. I don’t think a lot of people know about it, so I would encourage the CIOs to go ask the hard questions.

Don’t just accept things on face value. Do the due diligence. Dig in and find out what you’re provider is doing in terms of security.

Read more: INTEGRITY just teamed up with Dell to provide a Secure Consolidated Client Solution for federal agencies.


Sign up for breaking news alerts