Appearing in July before the Committee on Oversight and Government Reform and the Subcommittee on Government Management, Organization, and Procurement, EMC’s Nicklous Combs provided an overview on cloud computing in federal IT. A condensed version of his testimony follows:

Chairman Towns, Chairwoman Watson, and Members of the Committee, thank you for the opportunity to address the opportunities and risks associated with moving federal IT into the cloud. My name is Nick Combs and I am the chief technology officer for EMC Corporation’s Federal Division. EMC is a global leader in cloud computing infrastructure and services.

First, let me comment on the term “cloud computing” and its definition. Confusion in the marketplace generally arises from discussion of different approaches to cloud deployment, that is to say discussions of private, community, public, or hybrid clouds.

The National Institute of Standards and Technology (NIST) has provided definitions of these delivery models that help provide more clarity:

Private cloud — Infrastructure deployed and operated exclusively for an organization or enterprise. It may be managed by the organization or by a third party, either on or off premises.

Community cloud — Infrastructure shared by multiple organizations with similar missions, requirements, security concerns, etc. It also may be managed by the organizations or by a third party on or off premises.

Public cloud — Infrastructure made available to the general public. It is owned and operated by an organization selling cloud services.

Hybrid cloud — Infrastructure consisting of two or more clouds (private, community, or public) that remain unique entities but that are tied together by standardized or proprietary technology that enables data and application portability.

The benefits of cloud computing

Cloud computing provides the characteristics that every IT organization needs by enabling IT infrastructures to be flexible, on-demand, efficient, and resilient.

According to the analyst firm IDC, more than 70 percent of organizations’ IT budgets are dedicated to just keeping the lights on and only 30 percent of budgets are available to bring new capabilities to the organization.

We are at a point where government agencies are spending a majority of IT budgets just to maintain our current systems and infrastructure. Cloud computing offers the means through which to address this imbalance.

Through the cloud, organizations can centrally manage their IT systems and provide uniform policy implementation. Cloud computing brings a level of automation to IT that dramatically reduces costs by sharing resources and frees up more resources to deliver the capabilities that organizations need.

Federal strategy for cloud computing

The transition to cloud computing will not occur overnight; rather it requires a journey to realize all the benefits the cloud has to offer. Many federal organizations have already begun to build a bridge to the cloud by adopting some form of virtualization.

In fact, virtualization has become the foundation of the cloud and, in my view, is the great enabler of cloud services across the various deployment models. Cloud computing is virtualization taken to its most logical extreme, creating the ultimate in flexibility and efficiency, and revolutionizing the way we compute, network, store, and manage information.

Virtualization capabilities are also evolving outside the server realm. In fact, EMC recently announced breakthrough capabilities that enable virtual storage over distance. The industry’s first distributed storage federation will provide unprecedented business agility by eliminating the current boundaries of physical storage. This is a key enabler to future cloud architectures.

Cloud security and risk management

Information security is by far the biggest concern of federal CIOs considering implementing cloud infrastructure and services. Admittedly, with cloud computing comes sophisticated automation, provisioning, and virtualization technologies that have significant security implications, so we must look at security in a whole new way.

While perimeter and point security products will still be used by organizations, companies such as EMC and VMware are embedding controls and security management in the virtual layer, creating an environment in the virtual world that is far safer than what exists in the physical.

Industry must continue to develop and deliver technology components that support centralized, consistent management of security across the technology stack.

With virtualization and cloud computing, applications have become completely disassociated from the IT infrastructure on which they run. It provides the flexibility to have the same application run in the datacenter next door on one day, in a centralized datacenter hundreds of miles away the following day, and in a service provider datacenter another day. For that reason, security cannot solely rely on the controls of the IT infrastructure such as the network perimeter.

Security must evolve to become much more centered on the users and on the information they are accessing. For that reason, emerging technology practices such as adaptive authentication and data loss prevention are both widely used in the commercial world. However, they are only beginning to be adopted in federal government organizations. Such practices must be more broadly deployed. Security cannot be an afterthought; it must be embedded in the fabric.

When implemented correctly, cloud environments can be much more secure than today’s IT environments, which are often protected by inadequate perimeter security practices. Security must be risk-based and driven by flexible policy that is aligned to the business or mission need. The need for a common framework to ensure that security policies are consistently applied across the infrastructure is critical to success.

Key message for federal IT

Technologies and effective best practices exist today to deliver private cloud environments inside federal organizations to gain dramatic improvements in IT efficiency, while also providing the security required to protect sensitive information within the government enterprise.

Multi-tenant federated clouds can be deployed where similar security requirements exist. However, placing information on a public cloud today should be limited to public-facing information only—and then only if the providers can provide the level of auditing and protection procedures needed to deal with breaches of sensitive information.

Ultimately, cloud computing offers great potential for federal information technology, and federal departments and agencies should be encouraged to embrace that potential.

NOTE: Nick’s full testimony, as well as other supporting documents and a webcast of the hearing are available on the committee page.