Don't Neglect Identity in Your Government Cloud


by / September 28, 2009

Got any calls lately from vendors who want to share their new cloud computing strategy? I certainly have - and from some unlikely sources. Whether public, private, government or some other word is out front, the word "cloud" has become our new pixie dust - ready to solve all our technology and budget problems.

 Over the past several months, virtually every technology company in the world has developed a cloud computing strategy. A new cloud headline seems to surface every few days. Here are a few:

IBM Cloud Computing Helps Chinese City of Dongying Develop into a 'Smarter City'

"IBM is helping the Dongying government build a cloud that will provide software development and test resources for software startup companies via the web through a self-service user interface."

Google Plans Private Government Cloud

"As the government moves to adopt cloud computing and considers limited use of free consumer services, Google is trying to address lingering concerns about security and control in the cloud."

A look at Amazon's Government Cloud Strategy

"Amazon.com has targeted its cloud computing business at web startups, large companies, and scientists. But the Seattle online retailer has also been eyeing another potential customer for its cloud: government. The company is quietly building an operation in the Washington, D.C. area, and is aiming to become a key technology provider to federal and state governments and the U.S. military."

 Don't get me wrong. I am as excited about cloud computing as everyone else. Michigan is busy developing our own government cloud strategy as well. There are a myriad of benefits, yada, yada, yada.

 But while I am a big cloud believer, I'm starting to get a bit nervous. When everyone gets bullish on some new technology, I start to worry about what we're missing. Nothing can be that good or that easy. (If it was, why have we been so dumb up until now?)

 So where are the gotchas? Everyone talks about security and privacy, and I did an intro piece on some cloud concerns a few months ago. But on my recent trip to South Africa I was confronted with some other aspects of this topic that grabbed my attention.

As background, I attended two excellent presentations on e-Government from South Korean and Austrian perspectives. Both of these countries started their e-Government efforts with mandated identity management projects that offered good provisioning and an excellent understanding of who is accessing what. (To see the PowerPoints, visit this GovTech 2009 website and download: "Seamless eGovernment - a key to inclusive public services" by Prof. Reinhard Posch, CIO, Austrian Federal Government (Austria) & "Innovation of Government Services through e-Government - Korean Cases" by Cheung Moon Cho, Consultant: Korea Government, Department of Communication.)

So why is this identity issue vitally important for new government clouds? In short, most of us in government have legacy system issues and those age-old problems of access controls, logging, knowing who is accessing what, the provisioning of data, and a host of related authentication controls. Another challenge will include linking our existing directory information with our cloud providers' information while ensuring "need to know" principles. The reality is that the same audit problems that plague many government organizations today will not go away in tomorrow's cloud computing architectures. We can't outsource the responsibility.

As with other technical advances, there are certainly quick wins and low-hanging fruit opportunities with cloud computing that don't involve federated identity management or other access control issues. One excellent example includes low-cost cloud storage for non-sensitive data, which appears to be a no-brainer for most governments.

No doubt, we can (and will) go much deeper into this cloud identity topic in the future. But reinventing state and local governments around cloud computing must address the thorny identity management issues we all face today. Don't neglect a well-thought-out identity and provisioning strategy for your planned government cloud.

 What are your thoughts on this topic?       

  

Dan Lohrmann, Chief Security Officer & Chief Strategist at Security Mentor Inc.

Daniel J. Lohrmann is an internationally recognized cybersecurity leader, technologist, keynote speaker and author.

During his distinguished career, he has served global organizations in the public and private sectors in a variety of executive leadership capacities, receiving numerous national awards including: CSO of the Year, Public Official of the Year and Computerworld Premier 100 IT Leader.
Lohrmann led Michigan government’s cybersecurity and technology infrastructure teams from May 2002 to August 2014, including enterprisewide Chief Security Officer (CSO), Chief Technology Officer (CTO) and Chief Information Security Officer (CISO) roles in Michigan.

He currently serves as the Chief Security Officer (CSO) and Chief Strategist for Security Mentor Inc. He is leading the development and implementation of Security Mentor’s industry-leading cyber training, consulting and workshops for end users, managers and executives in the public and private sectors. He has advised senior leaders at the White House, National Governors Association (NGA), National Association of State CIOs (NASCIO), U.S. Department of Homeland Security (DHS), federal, state and local government agencies, Fortune 500 companies, small businesses and nonprofit institutions.

He has more than 30 years of experience in the computer industry, beginning his career with the National Security Agency. He worked for three years in England as a senior network engineer for Lockheed Martin (formerly Loral Aerospace) and for four years as a technical director for ManTech International in a US/UK military facility.

Lohrmann is the author of two books: Virtual Integrity: Faithfully Navigating the Brave New Web and BYOD for You: The Guide to Bring Your Own Device to Work. He has been a keynote speaker at global security and technology conferences from South Africa to Dubai and from Washington, D.C., to Moscow.

He holds a master's degree in computer science (CS) from Johns Hopkins University in Baltimore, and a bachelor's degree in CS from Valparaiso University in Indiana.

Follow Lohrmann on Twitter at: @govcso