Vivek Kundra, the federal CIO appointed by President Obama in March, announced on Tuesday a cloud computing initiative designed to cut spending on government data centers, but maintain a high level of security.
Speaking at NASA's Ames Research Center in Mountain View, Calif., Kundra said the government should leverage what exists on public websites.
“Nearly $19 billion [per year] is spent on government infrastructure,” he said. “We need a new model to lower costs and innovate. The government should solve problems, not run data centers.”
Kundra also announced, starting immediately, the availability of a website for federal agencies to acquire commercial products, including Google and Salesforce.com services. The website, called Apps.gov, resembles an online store, complete with product descriptions and shopping carts.
As for security, nonclassified data would be managed by approved product providers on Apps.gov, Kundra said. But classified data and processes will be handled separately, though a cloud computing platform developed by NASA called Nebula.
“Our focus is on security, and the aim is to embed security into applications,” he said. “These are legitimate concerns.”
He also stressed that the distribution of security products through a central website will help to reduce risk.
“Even today, some smaller agencies do not have much security,” he said. “To be effective, security must come from the center.”
Still, Kundra admitted that the initiative may take as long as a decade to fully implement, and some critics suggested the security issues may remain beyond that.
“We have a lot of work to do in determining the actual risk in moving our existing IT assets to the cloud,” Adam Vincent, CTO of public sector solutions at cloud security vendor Layer 7, told SCMagazineUS.com Tuesday. “The legal and ownership ramifications must be examined closely.”
Internet-based services, even ones that are not classified, will introduce additional cybersecurity risks, beyond what is seen today, Vincent said.
“The government has significant requirements in terms of identity management and audit,” he said. “These will not be solved quickly in cloud computing.”