By Roger Baker // January 5, 2015
Roger Baker, former chief information officer for the departments of Veterans Affairs (2009-13) and Commerce (1998-2001), is currently the chief strategy officer at Agilex.
Ever since the Office of Management and Budget issued its cloud-first strategy in 2010, the security of cloud offerings has been a major concern for federal IT managers. It is the primary reason the largest share of cloud expenditures in government has been on private clouds.
These dedicated offerings are viewed as providing a better fit to existing information security models, as agencies can exert more control over the internal architectures and processes of the private cloud.
In contrast, agencies have believed that commercial cloud offerings were not secure enough for their applications, especially those requiring "high" protections under the Federal Information Security Management Act.
But time and investment by the private sector have turned that belief into a canard. The government’s own FISMA audits provide the primary proof. These audits observe widespread issues with configuration control, patch management, unsupported versions of hardware and software, disaster recovery and numerous other vulnerabilities.
Commercial cloud vendors aggressively avoid these problems as a fundamental part of their business model. They must constantly update their offerings to remain ...