Today we bring you the second part of our three part discussion with Mark White, principal with Deloitte Consulting LLP who works with both the firm’s Federal and Technology practices and CIO of Deloitte Consulting.
We continue our discussion about security in the cloud.
Public v. Private: Not always all that different
“If the conversation is about the use of public cloud, then the issues of security and privacy are potentially different from just internal or on premise IT. The point that we would make is that they are really mostly different in scale, not in kind. That is to say, they’re the same sorts of security issues or privacy issues that I would face with an internal system, I’m just facing them in a slightly different — in fact, potentially profoundly different — scale that is the public cloud. If that’s the case, then the same disciplines and techniques and tools that I’m using to solve those problems in my internal system are the same sorts that I’ll use to solve them in public cloud implementations. We are underway now to prove those at cloud scale.
The claim would be that the difference between public cloud and a private cloud, or just a plain old in-house IT, is one more of scale than of kind with regards to security and privacy. There is one caveat to that that I would raise as a particular exception, which is the cardinality of the connection. By that I mean, how many different people can add information and access information? For those public cloud services . . . that are essentially retail in nature — so I’m reaching out to the constituency . . . [and] have a lot of consumer users — there’s an interesting difference. It is unusual for me to have an internal system with a lot of consumer users that is not already a demilitarized zone or a more secured part of my infrastructure.
So, that is one difference in kind that does require some thinking — what are our clients doing? The first thing is that we’re seeing very cautious adoption of public cloud by the federal user. Obviously, apps.gov is a great start on that. You’ll note that the majority of those [apps] are at the edge of the mission, so they’re a little bit safer because they’re not at the core of a mission, though I would argue that email or messaging technologies might be a little more core than we otherwise might think. . . . The adoption of public cloud by the federal user is relatively cautious and, for the most part, at the edge of the back office, not the core ERP, not the core mission information technology. There are exceptions that can be found in multiple cases but, for the most part, that’s true.
I believe that our federal clients are much more interested in private cloud possibilities. That is to say, to use the disciplines of virtualization, automation, IT services management to drive efficiency and effectiveness in their internal capabilities — so internal cloud, private cloud. That’s actually well and good, because that literally is taking the disciplines and the good stewardship that have been going on [with] data center consolidation, server virtualization, storage optimization, operations automation — that’s just taking that to the next level and presenting it to the mission user as a service catalogue that can be subscribed effectively.
That’s great. It gets you good efficiency. It gets you good effectiveness, because it changes you to an IT services management shop. It avoids the security and privacy risks issues, because it keeps everything inside the trust zone. . . . What it doesn’t get is the economies of scale that public cloud offers. There are very few enterprises in the world that run enough machine images to get to the cost per machine image that an Amazon web service can get to, just as an example. But that may not be the important thing. The efficiency and the effectiveness may be valuable, and, in fact, they are. We’re seeing that close look at private cloud as a way that they are moving forward.
The potential of community clouds
So, now I’m speculating. Now I’ve moved from the realm of things that we can actually point to examples of and [see] momentum around, to things that I believe there is momentum toward. And this is the idea of the community cloud.
Again, as originally described by the GSA in the request for information they sent out, [which was] easily 18 months ago, if not two years ago. The way I characterize that is, a set of people with private cloud capabilities, discover others — other entities, other missions, other agencies — that have a sharable trust. So, we don’t have exactly the same trust zone, but we have a sharable trust — something that’s a common basis of a trust — that would allow us to club together, to assemble ourselves together. There are two or three reasons that might occur: one is in pursuit of a common mission. [For example], the federal, state, local and tribal mission around law enforcement.
A second reason that could happen is — if you think about it — if I am a private service provider of private cloud SaaS, there must be a subscriber of cloud services that is also in the enterprise. So, I have this service catalogue that I’ve created and my users are subscribing these services and doing good things, and what we find out is that some of their counterparts in the mission . . . they are connecting operationally with others outside of my department or agency, and those others come back and say, ‘hey, could I subscribe those same services?’ So, an example of that is alerts and warnings. This idea of developing an alerts and warnings system for, for example, a natural disaster or other security event. A particular department or agency mission could have created one [and] by definition it’s subscribable by outside parties, so why wouldn’t we allow our partners in another department to subscribe that same service.
That goes on all the time now, it’s just done under inter-agency agreements. What we believe is, as agency ‘A’ — who has the alerts and warnings solution — and agency ‘B’ — with whom they work regularly and would like to subscribe it — as those two agencies themselves are offering private clouds, when they begin to do those exchanges, they’ll do them as cloud services. So, you’ll discover that I have services you’d like to subscribe, I’ll discover you have services I’d like to subscribe [and] suddenly we’re in community cloud.”