NIST Cloud Computing Forum & Workshop May 20, 2010

Keynote: US CIO Vivek Kundra

Report released on May 20 on cio.gov on the state of cloud computing in the public sector: http://cio.gov/pages.cfm/page/State-of-Public-Sector-Cloud-Computing Federal Leadership with Cloud Computing is working to: o Working with CIOs to identify consolidation opportunities o Centralize certification of cloud solutions for agencies and vendors FedRAMP program o Standards for security, interoperability, and data portability Case studies highlighted (from report): o SEC Using Salesforce for Investor Advocacy Relations they cut time to process from 30 to 7 days o Recovery.gov recently moved to Amazon EC2 cloud service This is the first government-wide system to move to the cloud o US Spending moved May 20 to the NASA Nebula cloud o State of Utah using a hybrid cloud with Salesforce, Google Earth, and Wikispaces to coordinate at state and local levels o LA using Google Apps o HHS Using Salesforce to coordinate the implementations of electronic health records systems o DOI Consolidating email systems (over 80,000 boxes) o NASA halted a process already in place to move toward a Cloud First policy The cloud computing standards development journey begins today.

Industry Panel Responses: When the panel was asked about opportunities for cloud computing: o Innovation o Time to deploy short time allows the ability to fail often What the US Government should and shouldnt do: o The Government needs to act like a customer. The industry is driven by what customers what and the Government has to know and explain what they want. o NIST should coordinate de facto standards There needs to be stop gaps and coordination of standards as new things appear o Look to international community GovCloud in EU o Take feedback from first adopters and use this as a key driver to feed back into standards development Security and privacy what things are overstated/understated/just right? o Understated: Security and lack of transparency by providers to show what they are doing to address security concerns. Customers do not know what they are doing and therefore cannot adequately assess concerns o Overstated: defining the cloud Its important to not continue to site on the sidelines until a definition is nailed down. o Just right: jurisdictional issues o Understated: how cloud exacerbates current problems, such as with privacy. If old infrastructure had issues, there will just be different problems. Also, access issues

will not go away as the laws and guidance in this area is outdated. Scaling up can multiply problems o Understated: Differing rules for international customers Biggest challenges (outside of privacy and security) o Overall management of data how to move it in the cloud, how to move it out, how to access once its in. Impact on the broadband network. o How to move to tools and capabilities with current employees there is a psychological impact to owners of systems of services. Individuals will need to think in a different way and focus on gains to be had instead of what they may lose. o From the systems perspective monitoring, perception, and anticipating needs Resourcing o Could be easier to do in a cloud environment, such as getting an inventory of systems o People need to get more comfortable with technology o It will take some time for vendors to become more transparent Impediments to adoption o Global norms need to have some agreement on policy and best practices. They suggested NIST as the body to coordinate these efforts o FedRAMP is critical to this process to provide a higher bar for a common understanding of security. The focus should be on compatibility and interoperability. o Pace of development is so rapid that it may be difficult to find the right place to standardize. What should the role of government de facto standards vs. traditional standards and where should cloud computing come in? o Standards shouldnt squelch innovation o Standards should help use products more efficiently and safely o Too early to tell The government should do guidance and create a framework and let the marketplace work itself out o Provide clarity and let it happen continue to do work of creating a definition for cloud computing so that the same words mean the same things. Where should there be standards in the short, medium and long term? o Data management o Short: Infrastructure (OBF), identity management o Medium: Identity management, access control Compliance and International issues o This is an area of US government de facto and de jure standards are in conflict o US should work with EU o Commercial and national interests are conflated o Help government use technology as its supposed to be used

NIST Cloud Computing Overview

1. Cloud Computing publication In process and will use NIST definition 2. Standards Acceleration to Jumpstart Adoption (SAJACC) 3. FedRAMP

Standards Acceleration to Jumpstart Adoption of Cloud Computing (SAJACC) NIST answer to how to support adoption during this interim period of needing standards and the time before they are actually written. NIST is working on creating a strategy, process and portal for community collaboration. Publicly accessible Standards Portal: o Method of communication and exchange o Users submit use cases to be validated by NIST o Goal is to enable interoperability for cloud computing before formal standards are complete. Until standards mature, what they are looking to create is a process to test system requirements. o NIST is populating existing standards and de facto specification in the portal Within the larger security issues there are several other issues: trust, multi-tenancy, encryption, and compliance (included mention of Federal regulations) o Data management another area of concern How to transfer data in How to transfer data out How to backup to cloud How to restore from cloud How to archive/preserve in/to cloud From the use cases submitted, NIST will create a taxonomy around o Portability about keeping costs down and being able to cheaply and easily move from cloud to cloud o Interoperability o Security FedRAMP Federal Risk and Authorization Management Program Came out of Cloud Computing Advisory Council which is made up of 75 members from 25 agencies Problem: agencies must do risk management of shared systems individually. They are duplicating efforts. They may have incompatible requirements. Acquisition is slowed by this lengthy compliance process. They are looking to develop a program for government-wide risk management so that agencies can leverage authorizations already in FedRAMP. Agencies keep responsibility and authority to ensure systems and determine suitability of systems. With FedRAMP, the anticipated benefits include: o Risk management cost savings and increased effectiveness o Interagency vetted approach o Rapid acquisition o Consistent application of Federal security requirements

Government Implementation Panel

Overview of each agency on the panel: NASA Nebula Originally built to make an effort to unify security frameworks for 3000+ website platforms.

USAspending.gov is an example of a site using Nebula At NASA now, employees are free to get a laptop, provision resources and broker cloud vendors seamlessly to users

US Census Uses Iaas with the Akamai content delivery network They had an issue with the time it would take to stand up 2010census.gov, so they used Akamai They use Everbridge for mass notification of temporary Census employees, approximately 500,000 They also have an internal private cloud used for correspondence tracking and other activities. Maryland Department of Transportation Began using Salesforce in 2006/2007 for state statistics reporting as required after the election of a new governor. Released a public portal in December 2009 roads.maryland.gov DOD CIO DISA is their infrastructure provider through RACE Focused on adoption of cloud computing and developing a data strategy Have a Cloud First mindset Most Challenging issues and how theyve worked through them: NASA: using the same definitions for cloud, platform and infrastructure for systems developers and system administrators. Also acceptance in the agency. US Census: bridging IT and services and explaining how cloud computing is just a mode to deliver services. Also demonstrating value to the organization, setting up a few for service shop, and moving away from the old mindset of buying a server and setting up a system. DOD: unknown as it is an evolving technology. Also, trying to make clouds work together across clouds (e.g. identity management) MD DOT: Resistance from those not understanding within the office. Also the psychological impact to the data owners of what it means to not have data in house.