recommended reading

Experts say security concerns about cloud computing are overstated

Think tank and industry experts downplayed widespread security concerns surrounding a government transition to cloud computing Thursday, saying the cloud may actually be safer than traditional storage of government information in federally owned data centers.

Technology has been developed, though not widely implemented, that allows cloud storage providers to host encrypted data that only the data's creators can decrypt, not its hosts, said Dan Reed, Microsoft's vice president for technology policy.

That technology also includes monitors that tell a government agency or other data creator if the cloud provider babysitting the data makes any attempt to decrypt it, he said.

There's also new technology in the pipeline that would allow agencies and other data creators to analyze and sift their own data while it's in the cloud without first decrypting the data itself, he said.

Reed was speaking at a panel discussion on the not-yet-introduced 2011 Cloud Computing Act, hosted by the Brookings Institution. There's been a great deal of speculation about what that act, sponsored by Sens. Amy Klobuchar, D-Minn., and Orrin Hatch, R-Utah, will include.

The act is expected out in a matter of weeks.

Cloud computing providers essentially sell information storage space on remote computer servers much like a utility sells electricity or water, with buyers paying only for the amount of space they actually use. Critics have said cloud storage limits federal agencies' ability to safeguard their own data.

Consolidating data into a cloud storage facility -- which may be the size of a football field or larger -- creates a larger target profile, according to Darrel West, director of Brookings' Center for Technology Innovation and the panel moderator, but it also creates economies of scale. "You can bring to bear some more best practices [and] professionals whose only job is to think about these kinds of issues," he said.

"There are some collateral advantages of cloud consolidation in terms of raising security standards," he said. "If you're a small business, odds are your security is not very good. You likely don't have the revenue or the IT expertise to procure world class security."

Another major question about cloud computing is the ease with which information will be able to be stored across international borders.

U.S. and European officials have been meeting regularly to try to reach standard or nearly standard agreements about how one nation's information should be treated when it's stored in another nation and what legal rights the hosting nation might have, according to Philip Verveer, the State Department's deputy undersecretary for information policy.

The Japanese tsunami wiped out personal records for many people in the worst-hit areas, Verveer said, which has prompted the Japanese government to consider storing duplicates of some of its vital government information in North America.

Japan and the host nation would have to negotiate a very complex agreement about Japan's control over that information before that could be a possibility, he said.

Threatwatch Alert

Thousands of cyber attacks occur each day

See the latest threats


Close [ x ] More from Nextgov

Thank you for subscribing to newsletters from
We think these reports might interest you:

  • Featured Content from RSA Conference: Dissed by NIST

    Learn more about the latest draft of the U.S. National Institute of Standards and Technology guidance document on authentication and lifecycle management.

  • PIV- I And Multifactor Authentication: The Best Defense for Federal Government Contractors

    This white paper explores NIST SP 800-171 and why compliance is critical to federal government contractors, especially those that work with the Department of Defense, as well as how leveraging PIV-I credentialing with multifactor authentication can be used as a defense against cyberattacks

  • Toward A More Innovative Government

    This research study aims to understand how state and local leaders regard their agency’s innovation efforts and what they are doing to overcome the challenges they face in successfully implementing these efforts.

  • From Volume to Value: UK’s NHS Digital Provides U.S. Healthcare Agencies A Roadmap For Value-Based Payment Models

    The U.S. healthcare industry is rapidly moving away from traditional fee-for-service models and towards value-based purchasing that reimburses physicians for quality of care in place of frequency of care.

  • GBC Flash Poll: Is Your Agency Safe?

    Federal leaders weigh in on the state of information security

  • Data-Centric Security vs. Database-Level Security

    Database-level encryption had its origins in the 1990s and early 2000s in response to very basic risks which largely revolved around the theft of servers, backup tapes and other physical-layer assets. As noted in Verizon’s 2014, Data Breach Investigations Report (DBIR)1, threats today are far more advanced and dangerous.


When you download a report, your information may be shared with the underwriters of that document.