Around the world, governments are looking to cloud computing to help them meet their goals. On February 12, I published a blog post within which I highlighted that, in recent years, more than 50 governments have published strategies or initiatives that focus on cloud computing. As I described, their approaches to cloud adoption vary. However, certain government perspectives consistently emerge.
For instance, many governments devote considerable space to articulating the benefits of cloud computing. They capture how using cloud services can help them achieve far greater computing power and scalable, on-demand services, enabling them to address key public priorities with increased agility. In addition, they recognize how cloud computing might dramatically reduce their operating costs and enable them to shift employee resources toward innovating and better serving their communities. However, few governments devote much space to exploring how cloud computing might help improve their security or better ensure the availability or resilience of their data or services.
Instead, cloud security is often framed in government strategies and initiatives as a challenge. Likewise, in its 2014 paper entitled Cloud Computing: The Concept, Impacts and the Role of Government Policy, the Organization for Economic Co-operation and Development (OECD) characterized security and risk management in the cloud as a challenge. However, the OECD paper also acknowledged “the potential for cloud computing to diminish vulnerabilities—an aspect that is sometimes neglected.” Indeed, the OECD paper listed numerous security benefits of cloud computing, especially when the resources of large cloud services providers (CSPs) are utilized. Relative to governments, OECD wrote that large CSPs may provide physical access control more cheaply, improve computing resources dedicated to security more easily, and install critical updates more habitually.
The potential security and resiliency benefits of cloud may sometimes be neglected or overlooked not only because moving IT resources off premises creates real challenges but also because of the anxiety that accompanies any major change. Still, a few governments have recently started to acknowledge the potential security and resiliency benefits of utilizing cloud services. For instance, in late 2014, Estonia conduced a successful research project with Microsoft, testing the resiliency benefits of moving two government services to the public cloud. Indeed, in Comparison of Availability Between Local and Cloud Storage, a 2015 study, the Leviathan Security Group explained that large CSPs can better ensure high availability during emergencies than on-premises IT because of geographic replication. In addition, in February 2015, in the wake of several Bolivian government websites being hacked, Bolivian lawmakers announced that they are developing a “sovereign cloud” to strengthen the nation’s cybersecurity.
As they evaluate all of the ways in which cloud computing can help them achieve their goals, Microsoft encourages governments to consider the security and resiliency benefits that may be applicable to certain government data sets or services. In the coming months, this blog series will continue to evaluate what we’ve learned from working with governments on cloud security. It will also examine how cloud strategies might help governments to mitigate cloud security and compliance risks, enabling them to realize cloud benefits, including security and resilience as well as lower costs and increased agility.