The report's findings resonate as outages from major cloud providers have impacted customers in recent weeks. Amazon Web Services, for example, experienced a power outage during an electrical storm, knocking out service to some customers in late June. Salesforce.com, the major software-as-a-service (SaaS) provider, has had two outages in as many weeks.
The report lists some qualities of service level agreements (SLAs) that should be addressed for NS/EP functions to be moved to the public cloud. These include continuous monitoring of the cloud infrastructure by the provider, third-party audits, data encryption and various certifications and accreditations, including continuously evolving accreditation requirements from the Federal Risk and Authorization Management Program (FedRAMP).
Jamie Dos Santos, president of Terremark Federal Cloud and a member of the NSTAC, runs an infrastructure-as-a-service (IaaS) offering aimed specifically at public agencies, and she says the government is in a unique position to push public cloud providers to meet the security standards needed to host NS/EP functions. She says it's a constant work in progress.
"Government agencies need to work with cloud service providers to design and implement business continuity plans that will ensure the availability of mission-critical data during national security and emergency situations," she says. "Ensuring that the cloud service provider has achieved and exceeded regulatory compliance for the security and reliability of the infrastructure powering their cloud environments is critical."
One way to ensure availability is to spread the workloads across multiple cloud providers, but that's difficult at this point, the report notes. Even if the federal government does encourage providers to meet certain security criteria, there is no guarantee those will be adopted across the entire industry. The lack of standards in the industry prevents the portability of workloads across various cloud providers, the report states.
So will the public cloud ever get to the point of being able to host critical government information? The report says federal government processes related to NS/EP will be ready to move to the cloud "if and when cloud computing can demonstrate a regime of policy, legal authority, security, and oversight that is comparably rigorous, complete, and trustworthy relative to those currently in place for NS/EP activities."