SAN FRANCISCO -- White House chief information officer (CIO) Vivek Kundra on Monday outlined the U.S. government's strategy for cloud computing, a shift he said is critical in order to cut costs and improve efficiency.
The U.S. government needs to move "from asset ownership to service provisioning," Kundra said in a keynote at the Cloud Security Alliance Summit at the RSA Conference 2011. The Obama Administration recently published the Federal Cloud Computing Strategy, which Kundra wrote.
In 1998, the U.S. government counted 432 data centers; by 2010, the number jumped to 2,094, he told the crowd of about 1,200 attendees. "It's difficult to manage that infrastructure and hard to secure," he said. Of the $80 billion the federal government spends on IT each year, $20 billion can be moved to cloud services and 800 data centers shut down by 2015, he said.
The shift to cloud computing would "crack down on wasteful spending and unleash an innovative spirit," Kundra said.
In the area of security, the U.S. government's cloud computing strategy is focused on moving to a centralized certification process, Kundra said, referring to The Federal Risk and Authorization Management Program (FedRAMP). The program will allow vendors to be certified once and sell to multiple agencies instead of having to be certified by each agency they sell to, he said. The goal is to have continuous monitoring to identify top threats, facilitated by near real-time dashboards, he said.
In the Federal Cloud Computing Strategy, Kundra said agencies assessing the risk in the context of cloud computing should consider the potential security benefits, such as improved platform strength and stronger backup and recovery, along with the potential vulnerabilities, including inherent system complexity and multi-tenancy issues.
"The transition to an outsourced, cloud computing environment is in many ways an exercise in risk management," he wrote.
The CSA Summit also featured a keynote from Salesforce.com CEO Marc Benioff who talked about a next-generation Internet of mobile systems and social media creating a complex security environment. "Security and innovation are tightly linked," he said. "We have to keep both in mind or we can't deliver the promise of enterprise cloud computing."
Jim Cavalieri, Salesforce.com's chief trust officer, outlined the company's security programs, which include facility security, network security, application and access security. "We are part of your security organization," Cavalieri said.
The vendor undergoes many third-party certifications and audits, and allows customers to conduct security reviews; however, those reviews must be coordinated with Salesforce.com so they don't trigger security alerts, he said.
The nonprofit CSA officially launched at the RSA Conference 2009 to promote best practices and education for cloud computing security. The group, which counts more than 13,000 members, is a coalition of security pros, industry experts and vendors. At Monday's summit, CSA announced it is starting to create version 3 of its Security Guidance for Critical Areas of Focus in Cloud Computing. The project is expected to take 6 to 7 months. Organizers are seeking more input from end users for this version.