Security in the cloud
Cloud computing may seem risky because you cannot secure its perimeter—where are a cloud’s boundaries? In addition, many government agencies must comply with regulatory statutes, such as the Health Insurance Portability and Accountability Act (HIPAA), the Sarbanes–Oxley Act of 2002 (SOX), and the Federal Information Security Management Act (FISMA). Yet your organization can move forward even while security standards are being defined. The National Institute of Standards and Technology (NIST) likens the adoption of cloud computing to that of wireless technology. Agencies learned how to protect their wireless data as they moved forward—and they will do the same with cloud computing.[i]

It comes down to this: Federal, state, and local agencies vary in their security and regulatory compliance needs, and you know your needs best. You must look carefully at how well cloud providers protect key functions and sensitive data.

Your own private cloud
Agencies with sensitive information and workloads would probably never want all of their data in a public cloud. Private clouds offer the scalability and shared resources of cloud computing on your terms—and on your turf, if you can afford it. To achieve true cloud scalability in a private cloud, you must forecast demand to support the requisite degree of excess capacity and then invest accordingly.
Some agencies have the need and the budget to do so. Within the U.S. Department of Defense (DoD), for example, groups can obtain access to the private cloud created by the Defense Information Systems Agency. Called Rapid Access Computing Environment (RACE), it enables DoD users to quickly set up operating environments within a secured cloud. The Department of Homeland Security is also building a cloud platform able to serve up enterprise email and other services to its workers.[ii] Michigan and Utah have plans to turn their states’ IT departments into private clouds so that they can provide more resources to local governments, schools, and agencies.[iii]

Why you might avoid the cloud
  • A regulatory or security issue prevents you from hosting even encrypted data in a public cloud.
  • An application requires greater reliability or speed than the Internet.
  • You want control over your assets, including physical possession of the hardware your data resides on. A private cloud offers one solution if you still want to take advantage of cloud benefits.

Security checklist
  • Integration. Look for integration points with security and identity management technologies you already have, such as Active Directory, and controls for role-based access and entity-level applications.
  • Privacy. Make sure a cloud service includes data encryption, effective data anonymization, and mobile location privacy. In federal agencies, your contract with the service provider should include provisions for complying with the Privacy Act of 1974.[iv]
  • Identity and access. When you place your resources in a shared cloud infrastructure, the provider must have a means of preventing inadvertent access. How can identities federate across different services and from your internal environment to the cloud? How are the databases protected for access?
  • Compliance. What certifications does your provider possess? How do you handle dispute resolution and liability issues? What industry or government standards do you comply with? Are there clearly defined metrics for the cloud service to be monitored? How are e-discovery and criminal compliance requests handled? What are the processes to move into the cloud and back?
  • Service integrity. How is the software protected from corruption (malicious or accidental)? How does your provider ensure the security of the written code? How do they do threat modeling? What is the hiring process for the personnel doing administrative operations? What levels of access do they have?
  • Jurisdiction. The location of a cloud provider’s operations can affect the privacy laws that apply to the data it hosts. Does your data need to reside within your legal jurisdiction? Federal records management and disposal laws may limit the ability of agencies to store official records in the cloud.
  • Information protection. Who owns your data? Can it be encrypted? Who has access to the encryption keys? Where is the backup located, and do you have an on-premises backup? How is the backup purged? What requirements do you have with regard to the physical location of your data?

Microsoft in the cloud
As one of the largest hosted services providers in the world, Microsoft offers a solid track record as an online solution provider. Long established in the cloud, Microsoft continues to invest heavily—U.S.$9.5 billion per year—in research and development to help drive the technology further.
Compliance
Recognizing that data in many forms is one of government’s most prized assets, Microsoft has invested more than U.S.$2 billion in new data centers around the world. These centers today meet or exceed U.S. federal government and international security body standards. Microsoft online services and data centers adhere to stringent HIPAA, SOX, and FISMA requirements, and we expect to attain FISMA accreditation and certification by the third quarter of 2010. The data centers are also Statement on Auditing Standards (SAS) 70 and International Organization for Standardization (ISO) 27001 certified, and they are audited by independent, third-party security organizations.
Uptime
Microsoft guarantees 99.9 percent uptime at its data centers, which are outfitted to operate during power outages and after natural disasters. Microsoft replicates data from its primary data centers to secondary data centers for redundancy, without storing any data off-site.
Data with or without borders
If your data needs to stay within the U.S. borders, Microsoft can guarantee that it will, with multiple data centers across the United States that provide reliability and failover for government customers.
In addition, our data centers preserve the chain of custody for documents. When moving documents between on-premises and cloud services, documents retain the format and fidelity needed to create a reasonable facsimile for investigations or Freedom of Information Act (FOIA) requests.
How green is our cloud?
Microsoft data centers are designed to reduce total energy consumption by 25–40 percent compared to traditional facilities.
Calculate cloud cost savings
Get a customized estimate of the potential cost savings your organization might achieve by building on the Windows Azure platform. Try our Total Cost of Ownership Calculator.


[i] Beizer, Doug. “NIST creates cloud-computing team.” Federal Computer Week, February 25, 2009. http://www.fcw.com/Articles/2009/02/25/NIST-cloud-computing.aspx
[ii] Hoover, J. Nicholas. “DHS Plots Its Cloud Computing Strategy.” InformationWeek, December 18, 2009. http://www.informationweek.com/news/government/cloud-saas/showArticle.jhtml?articleID=222002709&cid=RSSfeed_IWK_All
[iii] Towns, Steve. “State CIOs Offer Government Cloud Option.” Government Technology, January 24, 2010. http://www.govtech.com/gt/articles/734128
[iv] Vijayan, Jaikumar. “Report Cites Potential Privacy Gotchas in Cloud Computing.” Computerworld, February 25, 2009. http://www.computerworld.com/s/article/9128636/Report_cites_potential_privacy_gotchas_in_cloud_computing