[House Hearing, 111 Congress]
[From the U.S. Government Publishing Office]



 
CLOUD COMPUTING: BENEFITS AND RISKS OF MOVING FEDERAL IT INTO THE CLOUD

=======================================================================


                             JOINT HEARING

                               before the

                 SUBCOMMITTEE ON GOVERNMENT MANAGEMENT,
                     ORGANIZATION, AND PROCUREMENT

                                and the

                         COMMITTEE ON OVERSIGHT
                         AND GOVERNMENT REFORM

                        HOUSE OF REPRESENTATIVES

                     ONE HUNDRED ELEVENTH CONGRESS

                             SECOND SESSION

                               __________

                              JULY 1, 2010

                               __________

                           Serial No. 111-79

                               __________

Printed for the use of the Committee on Oversight and Government Reform


  Available via the World Wide Web: http://www.gpoaccess.gov/congress/index.html
                      http://www.house.gov/reform



                  U.S. GOVERNMENT PRINTING OFFICE
58-350                    WASHINGTON : 2010
-----------------------------------------------------------------------
For sale by the Superintendent of Documents, U.S. Government Printing 
Office Internet: bookstore.gpo.gov Phone: toll free (866) 512-1800; DC 
area (202) 512-1800 Fax: (202) 512-2104  Mail: Stop IDCC, Washington, DC 
20402-0001



              COMMITTEE ON OVERSIGHT AND GOVERNMENT REFORM

                   EDOLPHUS TOWNS, New York, Chairman
PAUL E. KANJORSKI, Pennsylvania      DARRELL E. ISSA, California
CAROLYN B. MALONEY, New York         DAN BURTON, Indiana
ELIJAH E. CUMMINGS, Maryland         JOHN L. MICA, Florida
DENNIS J. KUCINICH, Ohio             JOHN J. DUNCAN, Jr., Tennessee
JOHN F. TIERNEY, Massachusetts       MICHAEL R. TURNER, Ohio
WM. LACY CLAY, Missouri              LYNN A. WESTMORELAND, Georgia
DIANE E. WATSON, California          PATRICK T. McHENRY, North Carolina
STEPHEN F. LYNCH, Massachusetts      BRIAN P. BILBRAY, California
JIM COOPER, Tennessee                JIM JORDAN, Ohio
GERALD E. CONNOLLY, Virginia         JEFF FLAKE, Arizona
MIKE QUIGLEY, Illinois               JEFF FORTENBERRY, Nebraska
MARCY KAPTUR, Ohio                   JASON CHAFFETZ, Utah
ELEANOR HOLMES NORTON, District of   AARON SCHOCK, Illinois
    Columbia                         BLAINE LUETKEMEYER, Missouri
PATRICK J. KENNEDY, Rhode Island     ANH "JOSEPH" CAO, Louisiana
DANNY K. DAVIS, Illinois             BILL SHUSTER, Pennsylvania
CHRIS VAN HOLLEN, Maryland
HENRY CUELLAR, Texas
PAUL W. HODES, New Hampshire
CHRISTOPHER S. MURPHY, Connecticut
PETER WELCH, Vermont
BILL FOSTER, Illinois
JACKIE SPEIER, California
STEVE DRIEHAUS, Ohio
JUDY CHU, California

                      Ron Stroman, Staff Director
                Michael McCarthy, Deputy Staff Director
                      Carla Hultberg, Chief Clerk
                  Larry Brady, Minority Staff Director

  Subcommittee on Government Management, Organization, and Procurement

                 DIANE E. WATSON, California, Chairman
PAUL E. KANJORSKI, Pennsylvania      BRIAN P. BILBRAY, California
JIM COOPER, Tennessee                AARON SCHOCK, Illinois
GERALD E. CONNOLLY, Virginia         JOHN J. DUNCAN, Jr., Tennessee
HENRY CUELLAR, Texas                 JEFF FLAKE, Arizona
JACKIE SPEIER, California            BLAINE LUETKEMEYER, Missouri
PAUL W. HODES, New Hampshire
CHRISTOPHER S. MURPHY, Connecticut
MIKE QUIGLEY, Illinois
                      Bert Hammond, Staff Director


                            C O N T E N T S

                              ----------                              
Hearing held on July 1, 2010
Statement of:
    Charney, Scott, corporate vice president, trustworthy 
      computing, Microsoft Corp.; Daniel Burton, senior vice 
      president, global public policy, Salesforce.com; Mike 
      Bradshaw, director, Google Federal, Google Inc.; Nick 
      Combs, chief technology officer, EMC Federal; and Gregory 
      Ganger, professor, electrical and computer engineering, 
      director, Parallel Data Lab, Carnegie Mellon University
        Burton, Daniel
        Bradshaw, Mike
        Charney, Scott
        Combs, Nick
        Ganger, Gregory
    Kundra, Vivek, Federal Chief Information Officer, 
      Administrator for e-Government and Information Technology, 
      Office of Management and Budget; David McClure, Associate 
      Administrator, Office of Citizen Services and Innovative 
      Technologies, General Services Administration; Cita 
      Furlani, Director, Information Technology Laboratory, 
      National Institute of Standards and Technology; and Gregory 
      Wilshusen, Director, Information Security Issues, 
      Government Accountability Office
        Furlani, Cita
        Kundra, Vivek
        McClure, David
        Wilshusen, Gregory
Letters, statements, etc., submitted for the record by:
    Bradshaw, Mike, director, Google Federal, Google Inc., 
      prepared statement of
    Burton, Daniel, senior vice president, global public policy, 
      Salesforce.com, prepared statement of
    Charney, Scott, corporate vice president, trustworthy 
      computing, Microsoft Corp., prepared statement of
    Combs, Nick, chief technology officer, EMC Federal, prepared 
      statement of
    Connolly, Hon. Gerald E., a Representative in Congress from 
      the State of Virginia, prepared statement of
    Furlani, Cita, Director, Information Technology Laboratory, 
      National Institute of Standards and Technology, prepared 
      statement of
    Ganger, Gregory, professor, electrical and computer 
      engineering, director, Parallel Data Lab, Carnegie Mellon 
      University, prepared statement of
    Issa, Hon. Darrell E., a Representative in Congress from the 
      State of California, prepared statement of
    Kundra, Vivek, Federal Chief Information Officer, 
      Administrator for e-Government and Information Technology, 
      Office of Management and Budget, prepared statement of
    McClure, David, Associate Administrator, Office of Citizen 
      Services and Innovative Technologies, General Services 
      Administration, prepared statement of
    Towns, Chairman Edolphus, a Representative in Congress from 
      the State of New York, prepared statement of
    Watson, Hon. Diane E., a Representative in Congress from the 
      State of California, prepared statement of
    Wilshusen, Gregory, Director, Information Security Issues, 
      Government Accountability Office, prepared statement of


CLOUD COMPUTING: BENEFITS AND RISKS OF MOVING FEDERAL IT INTO THE CLOUD

                              ----------                              


                         THURSDAY, JULY 1, 2010

        House of Representatives, Committee on Oversight 
            and Government Reform, joint with the 
            Subcommittee on Government Management, 
            Organization, and Procurement,
                                                    Washington, DC.
    The committee and subcommittee met, pursuant to notice, at 
10 a.m., in room 2157, Rayburn House Office Building, Hon. 
Edolphus Towns (chairman of the committee) presiding.
    Present from the Committee on Oversight and Government 
Reform: Representatives Towns, Watson, Cummings, Connolly, 
Quigley, Cuellar, Murphy, Foster, Chu, Issa, Bilbray, Jordan, 
Chaffetz, and Luetkemeyer.
    Present from the Subcommittee on Government Management, 
Organization, and Procurement: Representatives Watson, 
Connolly, Cuellar, Murphy, Quigley, Bilbray, and Luetkemeyer.
    Staff present: Krista Boyd, counsel; Linda Good, deputy 
chief clerk; Velginy Hernandez, press assistant; Adam Hodge, 
deputy press secretary; Carla Hultberg, chief clerk; Marc 
Johnson and Ophelia Rivas, assistant clerks; Mike McCarthy, 
deputy staff director; Amy Miller and Gerri Willis, special 
assistants; Jenny Rosenberg, director of communications; Leneal 
Scott, IT specialist; Mark Stephenson, senior policy advisor; 
Lawrence Brady, minority staff director; John Cuaderes, 
minority deputy staff director; Jennifer Safavian, minority 
chief counsel for oversight and investigations; Adam Fromm, 
minority chief clerk and Member liaison; Kurt Bardella, 
minority press secretary; Benjamin Cole and Seamus Kraft, 
minority deputy press secretaries; Justin LoFranco, minority 
press assistant and clerk; Christopher Hixon, minority senior 
counsel; Hudson Hollister, minority counsel; and John Ohly, 
minority professional staff member.
    Chairman Towns. The meeting will come to order.
    Thank you for being here.
    The purpose of today's hearing is to examine the benefits 
and risks of cloud computing for the Federal Government. At the 
most basic level, cloud computing is Web-based computing 
whereby computing resources are shared and accessible over the 
Internet on demand. In this way, cloud computing is like most 
utility services.
    Before the electric grid was developed, business owners who 
wanted to use machinery also needed to produce enough energy to 
run that machinery. That meant investing heavily to build and 
maintain a power source. The electric grid revolutionized the 
country by centralizing the resource and allowing businesses to 
simply purchase electricity.
    Cloud computing promises the same for computing power. 
Instead of building and maintaining an entire IT system in-
house, businesses can purchase computing power and tap into 
that resource over the Internet.
    Cloud computing is a very real technology that the Federal 
Government has already begun to embrace. The Federal Cloud 
Computing Initiative and an online cloud computing storefront 
were launched in September 2009.
    I have read that the Government-wide implementation of 
cloud computing will be a decade-long journey. It is the job of 
this committee to ensure that journey is well thought out, that 
the benefits and risks are fully examined, and that there are 
comprehensive plans in place to ensure that we do this the 
right way, the first time around.
    The shift to cloud computing offers the Federal Government 
tremendous promise, but it is not without risk. The balance 
between risk and reward is an important one and I hope to get a 
better understanding of that balance today.
    It is clear to me that security and privacy are real 
concerns. Our natural impulse is to hold the things we value 
close to us, but cloud computing requires entrusting data to 
others. The law's current focus on the physical location of 
data also presents unique privacy and legal challenges.
    A major benefit of cloud computing is the potential for 
significant cost savings. It makes sense: cloud computing 
allows agencies to pool resources and pay only for the 
computing power that they actually use.
    I look forward to today's hearing, to a thorough 
examination of the Federal Cloud Computing Initiative, and to 
addressing the emerging legal and policy issues that Federal 
cloud computing presents. I want to thank all of our witnesses 
for appearing here today and I really look forward to your 
testimony.
    At this time, I would like to yield 5 minutes to the 
ranking member of the committee, the gentleman from California, 
Congressman Issa.
    [The prepared statement of Chairman Edolphus Towns 
follows:]
    [GRAPHIC] [TIFF OMITTED] 58350.001 through 58350.003

    Mr. Issa. Thank you, Mr. Chairman. I too am looking forward 
to this important hearing. I too am expecting that if you and I 
are still serving here on the dais in 10 years, we will still 
be holding hearings on some portions of this.
    I base that on a hearing we had just a week ago, in which 
we recognized that halfway through a contract that saved the 
American people, through its government, huge amounts of money 
if we implemented new contracts the GSA had negotiated for 
telecommunications, ones that offered high Internet speeds, 
better telecommunication, better redundancy, and new features, 
were not implemented, even though they would save money, 
because, of course, bureaucrats move slowly.
    So today, as we hear about cost savings, I will not yawn. I 
will not pretend to be disinterested. But I will not be a true 
believer from the dais that cost savings will drive this move 
to cloud computing. I will be particularly interested in 
details as to how companies believe that they can implement 
guaranteed security in a cloud environment.
    As all of you know, we do not guarantee security; we have 
breaches every week, every month, sometimes every day in 
government. And even here in the Capitol, the Chinese mainland 
government has repeatedly breached and taken confidential 
information from the House. They regularly are able to 
penetrate our security.
    So as we look to the Internet through a Web browser, we 
need to do better, not just as good as we are doing here today.
    Often said, history does not always repeat itself, but it 
very often rhymes. Today, as we start looking at cloud 
computing, at my age, I find that it is rhyming rather 
humorously. When I began my career, we were still using NCR-
500's. We would put as many of those card reading computers as 
close as we could to the source, and they would run the cards 
back and forth, distributing to us punching machines so that we 
could prepare our jobs and then go to that massive and 
expensive product and have it run.
    By the time I was a young officer, I was running a DEC 
facility with PDP-11/45s and DEC-10's, wonderful computers that 
could multitask, that could have multiple clients at one time, 
that could load-share and balance, that could distribute 
priorities of who needed what and when. But yet it was still 
sending to the big machine and the machine deciding what we 
would get when.
    As we look at the cloud, there is no question that we can 
look at the cloud as thousands, millions of computing devices 
available to us to load-share. Or, in the rhyming way, we can 
look at it as simply deja vu all over again. In fact, the 
cloud, in any configuration, is nothing but a return to those 
DEC-10 machines. You can have different sizes; you can have 
dual processors; you can share multiple across. We once had 14 
PDP-11s all deciding, with one central arbitrator, who got what 
load when, for what computing in order to keep us in real time.
    All of this has been done before, but not nearly at the 
scale it is being done. And, in my case, all of my previous 
history in the military was a closed system, an extremely 
closed system. Today we are going to talk about an open system, 
one in which encryption over a public line is our guarantee, 
and our only guarantee, that the data flowing back and forth 
will remain in the hands of those that it came from and is 
intended to go back to.
    I look forward to hearing how we can, and should, implement 
both public and, often, private cloud computing systems; how 
the Government can, once and for all, recognize that owning a 
computer is not as important as owning computer power time, 
something that, 30 or 40 years ago, everybody understood that 
owning time on a computer was what you did, not in fact owning 
a computer.
    But weaning the Federal Government off of the idea that 
they have endless arrays of PCs and servers all within a server 
room that they can walk to will take time and will take 
initiative by this committee. So because this is a Government-
wide problem, we believe, the chairman and I, that this is a 
government oversight solution that must be pushed through day 
after day, Congress after Congress.
    With that, Mr. Chairman, I yield back the balance of my 
time and thank you for this hearing.
    [The prepared statement of Hon. Darrell E. Issa follows:]
    [GRAPHIC] [TIFF OMITTED] 58350.004 through 58350.005

    Chairman Towns. I would like to thank the gentleman from 
California for his statement.
    At this time, we would like to ask you to stand so I can 
swear you in.
    Raise your right hands.
    [Witnesses sworn.]
    Chairman Towns. You may be seated.
    Let the record reflect that all the witnesses answered in 
the affirmative.
    Let me begin with you, Mr. Kundra. As you know, you have 5 
minutes and, of course, at the end of 4 minutes the yellow 
light will come on, which means caution, and then 1 minute 
after that the red light will come on, and every place in the 
United States of America that means stop. So, Mr. Kundra, will 
you start?

STATEMENTS OF VIVEK KUNDRA, FEDERAL CHIEF INFORMATION OFFICER, 
  ADMINISTRATOR FOR E-GOVERNMENT AND INFORMATION TECHNOLOGY, 
   OFFICE OF MANAGEMENT AND BUDGET; DAVID McCLURE, ASSOCIATE 
   ADMINISTRATOR, OFFICE OF CITIZEN SERVICES AND INNOVATIVE 
 TECHNOLOGIES, GENERAL SERVICES ADMINISTRATION; CITA FURLANI, 
DIRECTOR, INFORMATION TECHNOLOGY LABORATORY, NATIONAL INSTITUTE 
 OF STANDARDS AND TECHNOLOGY; AND GREGORY WILSHUSEN, DIRECTOR, 
 INFORMATION SECURITY ISSUES, GOVERNMENT ACCOUNTABILITY OFFICE

                   STATEMENT OF VIVEK KUNDRA

    Mr. Kundra. Good morning, Chairman Towns, Ranking Member 
Issa. Thank you for the opportunity to testify today on cloud 
computing and the Federal Government's approach toward cloud 
computing. What I would like to do is draw your attention to 
the first slide that you see before you.
    Earlier this week, the Obama administration focused on 
addressing some of the most persistent and structural issues we 
have faced as an administration when it comes to information 
technology. The U.S. Government is the largest buyer of IT on 
the planet. We spend approximately $80 billion annually on 
information technology systems.
    Yet, as you see on this slide, I want to point to one 
example. The Department of Defense spent 12 years and $1 
billion on deploying an integrated human resource system which 
ended up failing, and Secretary Gates said, essentially, that 
what we ended up with was an acronym that nobody could 
pronounce. Therefore, earlier this week, on Monday, we 
announced aggressive steps in terms of how we are going to 
confront some of these issues.
    June of last year we deployed an IT Dashboard that shines 
light on every aspect of Government operations when it comes to 
information technology spending with literally the picture of 
every agency CIO right next to the IT investment that they are 
responsible for so the American people could see where they 
were in terms of cost, schedule, and whether they are meeting 
performance targets or not.
    What we are doing is approaching this problem in three 
ways: No. 1, effective immediately, we are going to be 
reviewing the most troubled IT investments across the Federal 
Government as part of the fiscal year 2012 budget process and 
make decisions around where we need to halt, terminate, or turn 
around these investments; No. 2, effective immediately, we have 
halted future task orders on financial systems across the 
Federal Government for the CFO Act agencies to make sure that 
we are not throwing good money after bad money; and, No. 3, in 
the next 120 days, we are focused on making sure that we 
address some of the structural issues, understand what is going 
on, why, for the last 50 years, as we have tried to address 
some of these persistent problems, we continue to have 
spectacular failures in Federal IT.
    On slide 2, what I want to draw your attention to is what 
the Federal Government has been focused on. Unfortunately, the 
number of data centers in the U.S. Government has gone from 432 
to over 1,100 in a decade, while in the private sector IBM went 
from 235 data centers to 12. That is not sustainable in the 
long-term as we continue to plow capital in data center after 
data center.
    The next slide shows how other industries have applied 
these innovations around utility models. As you pointed out, 
Chairman Towns, we have seen this happen in the electricity 
space, where every home used to have to use candles to light 
their homes, to where now they just plug into the grid. Or, 
with water, every home used to have to essentially have a well 
to get water; now what we see is the ability to turn on and off 
a tap to consume those resources.
    That is one of the reasons we are moving toward the cloud 
environment. It is not just about cost, it is also about making 
sure that we are providing better service so CIOs are focused 
not on investing on yet another data center, but actually 
providing better services.
    I want to point you to the next slide, which is a tale of 
two cities. In the first story, how the Government deployed an 
IT system versus how a private sector company deployed an IT 
system. When we deployed a Cash for Clunkers program, we 
deployed the traditional approach to IT, and as demand grew, 
the system was unstable and continued to crash over a 30-day 
period, and we had to literally re-engineer the solution, buy 
new hardware and configure it.
    Yet, a company called Animoto faced a similar problem but was 
using cloud technology. With 250,000 new users enrolled over a 
3-day period, they were able to scale from 50 virtual machines 
to over 4,000 virtual machines and supported, at peak times, 
20,000 new users an hour.
    What I want to point to in the next slide is what the 
Government has done so far in terms of making sure that we are 
focused on some of the security issues that you have raised; 
making sure that we are addressing some of the standards that 
we need to promulgate as a function of interoperability, data 
portability, and security; and procurement. And Dave McClure 
will talk about the procurement strategy and Cita Furlani will 
talk about our standards activities. But this work has been 
underway since April of last year.
    I want to leave you with a closing slide that you see on 
slide 7. What you see on the left is a cave. This is where most 
of the Federal Government's HR records are. What you see on the 
right is what the American people expect from their Government. 
The culture in the Government historically has been there is a 
form for that, and the American people have to wait in line, 
hold on the phone, or they actually have to come in and submit 
these complicated forms.
    Yet, in the private sector, what we have seen is 
innovation. And what we are trying to do is close that gap by 
making sure that we are responsibly and safely moving to a 
cloud environment.
    Thank you for the opportunity to testify, and I look 
forward to your questions.
    [The prepared statement of Mr. Kundra follows:]
    [GRAPHIC] [TIFF OMITTED] 58350.006 through 58350.015

    Chairman Towns. Thank you very much for your testimony.
    Mr. McClure is the Associate Administrator of the General 
Services Administration's Office of Citizens Services and 
Innovative Technologies. Welcome, Mr. McClure.

                   STATEMENT OF DAVID McCLURE

    Mr. McClure. Thank you, Chairman Towns, Ranking Member 
Bilbray, all the other committee members here this morning. 
Thanks for having me testify in front of you on what the 
General Services Administration is doing to assist in the 
adoption of cloud computing.
    I think Vivek has done a good job in outlining for you what 
we see as some of the tremendous benefits of cloud computing 
being adopted in the Federal Government.
    At GSA, we also believe that the adoption of safe and 
secure cloud computing by the Federal Government represents a 
huge opportunity for us in terms of getting access to more 
modern technology and lowering the costs that we are spending 
on technology; and various forms of cloud computing are already 
in place in the Federal Government today.
    Quick example, at GSA we have put the Government's main 
primary information portal, USA.gov, into a cloud computing 
environment last year. We are already reaping the benefits in 
terms of a more reliable uptime from the system; we have 
lowered our overall computing costs by an estimated $1.7 
million; and we actually have raised the security posture of 
the system by going to a more reliable security arrangement 
with our cloud provider. So it does have tremendous benefits.
    As you also know, GSA plays a lead role in the President's 
sustainability agenda. We anticipate that cloud computing will 
be a major factor in reducing the environmental impact of 
technology and also will help achieve some of our national 
sustainability goals. Cloud computing can be part of an overall 
strategy to reduce the need for these multiple data centers 
that we have all over the Government and the energy they 
consume. So we see it helping improve services by lowering the 
cost and also maintaining a better environment compared to the 
redundant and often needlessly redundant brick and mortar data 
center structures that we have in place today.
    As part of our leadership in the cloud computing 
environment, we have stood up a cloud computing program 
management office, it is housed in my office at GSA. It 
provides the technical and administrative leadership for the 
administration's cloud computing initiatives.
    We support the design and operation of cloud procurement 
vehicles; we look at ways in which we can identify enhancing 
security requirements, working closely with NIST, as well as 
with OMB; we have facilitated the adoption of these 
requirements in the last few months; we also sponsor some cloud 
demonstration projects from a piloting perspective so that we 
can demonstrate how this technology can be effective before 
going full bore; and we are engaged in data center analysis and 
strategy planning with OMB as part of our responsibilities with 
the PMO as well.
    I think we also play a huge role in disseminating 
information throughout the Government on just what is happening 
in cloud computing. We are a knowledge repository for examples, 
best practices, and things that have really worked for us to 
date.
    So let me just highlight real quickly a few of those areas 
for you. I think one of the most significant challenges we face 
in cloud computing is certainly in the security area. Agencies 
are concerned about the risk of housing data offsite, in a 
cloud, if federally mandated security controls and 
accountabilities are not in place.
    The Federal CIO, our cloud PMO, the CIO Council, which has 
a security working group, and NIST have come together to try to 
tackle that problem. We have developed a process and 
corresponding security controls that have been agreed to by 
multiple agencies. We are calling this program FedRAMP. It 
provides a uniform Government-wide risk management approach for 
enterprise level IT systems and it will enable agencies to 
either use or leverage existing security authorizations.
    Mr. Chairman, this is a first in the Federal Government, 
and it should greatly reduce our security cost; it should 
enable rapid acquisitions of solutions; it should reduce agency 
levels of effort; and it should shift the focus of security to 
monitoring and protecting our computing environments.
    GSA is working with NIST and the CIO Council to make sure 
that this program is put in place and we will be piloting 
several things through FedRAMP to get it up to speed with some 
improvements as we test it out.
    The second area is providing newly commercial-provided 
cloud services via a Web site called Apps.gov. This is the 
primary responsibility of GSA. It is modeled on GSA product and 
service acquisition storefronts; it provides an easy, simple 
way to find, research, and procure commercial cloud products 
and services. And we feel like that has been a real benefit to 
Federal agencies both in the software as a service area and soon 
to be in infrastructure as a service for cloud computing.
    A new class of Internet-based applications has also come 
onboard called Web 2.0 that focus on delivering information to 
diverse communities. Many of these solutions are Web-based and 
many are also hosted in the cloud. We at GSA are making sure 
that we are providing, as common tools to agencies, social 
media Web 2.0 tools that are completely policy compliant with 
all Federal privacy and security policies, and it gives them an 
advantage in terms of doing this independently on their own. 
And I think we have already achieved some significant cost 
savings by putting some of these in place Government-wide.
    So cloud computing, from our perspective, has the ability 
to fundamentally reshape how we are approaching Government 
operations and how we are using computing power for business 
process improvement and citizen service delivery support. It 
can also shift the focus to the added value use of information, 
which I think is what our next decade is truly about; and do 
this in a very cost-effective way in today's digitally oriented 
world.
    Chairman Towns. Mr. McClure, could you sum up?
    Mr. McClure. Yes. And, third, I think it frees up some 
resources for us to really focus on some of the real 
information needs of the Government as well.
    So, in general, I think we are supporting the effort the 
best way we can with some of our procurement activities and 
some of our best practices support, and I think these are 
adding up to really advance the computing cause. Thanks.
    [The prepared statement of Mr. McClure follows:]
    [GRAPHIC] [TIFF OMITTED] 58350.016 through 58350.026

    Chairman Towns. Thank you very much for your testimony.
    Ms. Furlani is Director of the Information Technology 
Laboratory at the National Institute of Standards and 
Technology. Welcome.

                   STATEMENT OF CITA FURLANI

    Ms. Furlani. Thank you, Chairman Towns and members of the 
committee. I appreciate the opportunity to appear before you 
today to discuss our role in the deployment of cloud computing 
technology in the Federal Government.
    Our role is to promote the effective and secure use of the 
technology within Government by providing technical guidance 
and promoting standards. The three cybersecurity objectives, 
ensuring the confidentiality, integrity, and availability of 
information technology systems, are particularly relevant to 
cloud computing. These three objectives provide a technical 
foundation to help address the associated privacy requirements.
    This cloud model that I have listed in my testimony is 
composed of five essential characteristics, three service 
models, and four deployment models, which are laid out fully in 
the written testimony.
    The NIST cloud computing definition is the following: Cloud 
computing is a model for enabling convenient, on-demand network 
access to a shared pool of configurable computing resources, 
such as networks, servers, storage, applications, and services, 
which can be rapidly provisioned and released with minimal 
management effort or service provider interaction.
    This definition has been broadly recognized and helps to 
clarify a complex emerging information technology paradigm. 
However, there is still much work to be done. We have initiated 
focused activities to develop Federal cloud computing security 
guidance, as well as to facilitate the development of cloud 
computing standards. The following are specific NIST efforts 
which promote the effective and secure use of cloud computing 
technology within Government: NIST held a cloud computing forum 
and workshop in May to engage stakeholders on ways to best 
accelerate the Federal Government's secure adoption of cloud 
computing. Over 500 stakeholders attended this event.
    We are developing a cloud computing special publication 
which will provide insight into the technical benefits, risks, 
and considerations related to the secure and effective uses of 
cloud computing, and provide guidance in the context of cloud 
computing to provide interoperability, portability, and 
security. This publication will also identify future research 
areas in cloud computing.
    As requested by OMB, NIST serves as the Government lead 
working with other Government agencies, industry, academia, and 
standards development organizations to leverage appropriate 
existing standards and to accelerate the development of cloud 
computing standards where gaps exist. We have initiated the 
Standards Acceleration to Jumpstart Adoption of Cloud Computing 
[SAJACC]. The SAJACC goal is to facilitate the accelerated 
development of high-quality standards and to reduce the 
technical uncertainty during the interim period before many 
cloud computing standards are formalized.
    NIST, in a technical advisory role, supports the Federal 
interagency efforts which have been mentioned to the 
development of a concept for a Federal approach to coordinate 
and apply consistent security authorization requirements for 
cloud computing systems. The NIST role is to provide guidance 
for a technical approach and process which is consistent with 
NIST security guidance in the context of the Federal 
Information Security Management Act.
    NIST has also initiated a strategic virtualization 
laboratory effort to research and evaluate the security of 
virtualization techniques and to mitigate security 
vulnerabilities in virtualized and cloud systems. This will 
inform NIST cloud and virtualization guidelines.
    We have also initiated a Modeling and Analyzing Complex 
Behaviors in Cloud Computing project. This project seeks to 
understand and predict behavior in large distributed 
information systems. In cloud computing, NIST is initiating a 
study of the applicability of our modeling and analysis 
techniques to computational clouds.
    As you have just heard, this is a big effort. Thank you for 
the opportunity to testify today on NIST's role in the 
development and deployment of cloud computing technology. I 
would be happy to answer any questions you may have.
    [The prepared statement of Ms. Furlani follows:]
    [GRAPHIC] [TIFF OMITTED] 58350.027 through 58350.036 (prepared statement images not reproduced in text)
    Chairman Towns. Thank you very much, Ms. Furlani.
    Mr. Wilshusen.

                 STATEMENT OF GREGORY WILSHUSEN

    Mr. Wilshusen. Chairman Towns, Ranking Member Issa, 
Chairwoman Watson, and Ranking Member Bilbray, and other 
members of the committee, thank you for the opportunity to 
participate in today's hearing on cloud computing.
    At Chairwoman Watson's request, GAO has been reviewing the 
information security implications of cloud computing and 
Federal efforts to address them. Today we are releasing our 
report. My statement will summarize the contents of that 
report. But first, if I may, Mr. Chairman, I would like to 
recognize two members of my staff, V.J. DeSouza and Season 
Dietrick, who were instrumental in the preparation of that 
report.
    As has been discussed, cloud computing is a form of shared 
computing where users have access to scalable, on-demand 
information technology services and resources. Service 
providers offer these capabilities using several service and 
deployment models, including, for example, a private cloud 
which is operated solely for an organization and a public 
cloud, which is available to any paying customer.
    Cloud computing has both positive and negative information 
security implications. Potential security benefits include 
those related to broad network access, possible economies of 
scale, and use of self-service technologies. Federal agencies 
frequently cited as potential benefits low cost disaster 
recovery and data storage, on-demand security controls, 
consistent application of those controls, and a reduced need to 
carry data and removable media.
    However, the use of cloud computing can also create 
numerous information security risks. Twenty-two of 24 major 
agencies reported that they were concerned or very concerned 
about the potential security risk associated with cloud 
computing. These risks include: ineffective or noncompliant 
security practices of the service provider, inability to 
examine controls of the provider, data leakage to unauthorized 
users, and loss of data if cloud service is terminated.
    These risks generally relate to the dependence on the 
security practices and assurances of the service provider and 
the sharing of computing resources. They also may vary 
depending upon the cloud deployment model used. For example, 
private clouds may have a lower threat exposure than public 
clouds, but evaluating this risk requires an examination of the 
specific controls in place for the cloud's implementation.
    Federal agencies have begun efforts to address information 
security issues for cloud computing, but specific guidance is 
lacking and often efforts remain complete. Although individual 
agencies have identified security measures needed when using 
cloud computing, they have not always developed corresponding 
guidance. In addition, several Government-wide cloud computing 
initiatives are underway by organizations such as OMB and GSA.
    Nevertheless, much work remains. For example, OMB has not 
yet finished the cloud computing strategy or defined how 
information security issues will be addressed in the strategy. 
GSA has begun a procurement for expanding cloud computing 
services, but still needs to develop specific plans for 
establishing a shared information security assessment and 
authorization process. Furthermore, NIST has not yet issued 
cloud-specific security guidance. Both Federal and private 
sector officials have identified the need for such guidance.
    Accordingly, in the report being released today, GAO 
recommended that OMB, GSA, and NIST take several actions to 
address these issues. These agencies generally agreed with our 
recommendations and indicated that actions were planned or 
underway to implement them.
    To summarize, the use of cloud computing offers promise, 
but also carries risk. Until Federal guidance and processes 
that specifically address information security are developed, 
agencies may be hesitant to implement cloud computing programs, 
and those that have implemented such programs may not have 
appropriate security controls in place.
    This concludes my statement. I would be happy to answer any 
questions.
    [The prepared statement of Mr. Wilshusen follows:]
    [GRAPHIC] [TIFF OMITTED] 58350.037 through 58350.047 (prepared statement images not reproduced in text)
    Chairman Towns. Thank you very much.
    Let me just announce to the Members that there are three 
votes, and what I would suggest is that we break now and then 
come back 10 minutes after the last vote. The witnesses, of 
course, need to stay in the area. Thank you very much. It will 
at least be half an hour or more before we get back.
    So we will recess.
    [Recess.]
    Chairman Towns. The meeting will reconvene.
    Let me again apologize, but we have to vote around here. 
And if you don't vote, they put your name in the newspaper.
    Let me begin with, I guess, this question probably to you, 
Mr. Kundra and to Mr. McClure. It seems to me that the shift to 
cloud computing will move a lot of responsibility that we 
currently maintain in-house to contractors. What impact will 
that move have on the Federal IT work force? Will we lose a lot 
of jobs as a result of this?
    Mr. Kundra. If I can step back for a second and look at the 
current environment that we are in. For example, based on the 
FISMA report of last year, there are over 4,000 systems in the 
U.S. Government that are maintained by contractors. Just to 
give you examples of that, with the Navy, their network 
infrastructure, over 300,000 desktops are maintained and 
operated by EDS/HP. Our travel system in the U.S. Government, 
for example, Northrop Grumman actually manages that 
infrastructure.
    So I want to be really careful as we talk about cloud 
computing in terms of how we treat it versus other IT systems. 
Like any technology, part of what we are trying to do is make 
sure that, as we move toward a cloud, that what Federal 
employees are doing, they are armed in training and that we are 
focusing on work, as I highlighted on my earlier slide in my 
opening testimony, that serves the American people. And what I 
mean by that is making sure that there is appropriate training, 
a path to actually fundamentally re-engineering the functions 
of those agencies.
    But cloud computing is not something that is going to 
change the way, in terms of the procurement side of it, because 
what we are already doing is we have already engaged in the 
last 10, 20, 30 years in a lot of outsource systems, and this 
is just another area that we are applying security and 
standards to.
    Mr. McClure. Yes, Mr. Chairman, I think it is a good 
question in terms of the work force impact. As you know, a lot 
of Federal IT spending is on infrastructure, and as we free up 
some of the personnel that are actually dedicated to 
maintenance of legacy systems and infrastructure, you can move 
them to more high value job categories and into analytical 
categories for the information.
    I will just draw on my own experience with USA.gov. That 
was heavily dependent upon a staff that was engaged in day-to-
day operations and maintenance activities, the updates, the 
patches, and so forth. By moving it to a cloud environment, we 
freed up those people to actually focus more of their time on 
applications for true business needs and high-value security 
functions.
    So that is the fundamental shift that could occur here, is 
that we are actually enabling an IT work force in the 
Government to be more focused and more targeted on high-value 
needs that we have.
    Chairman Towns. Thank you very much.
    Let me say this to you, Mr. Wilshusen. It seems clear to me 
that there are certain things that should never be placed in 
the cloud, particularly classified or maybe even sensitive 
information, because it is simply not worth the risk, I don't 
think. Do you agree?
    Mr. Wilshusen. I would say that there are certain 
applications and information in which it would probably perhaps 
be imprudent to put in a cloud, but it really depends on what 
type of cloud is being used, whether it is a private cloud, 
perhaps, behind an agency's firewalls; and specifically what 
types of controls and the effectiveness of those controls that 
are placed over the systems operating in that particular cloud.
    It is important to remember that the individual systems 
that are being used, even in the traditional sense now at many 
agencies, we have reported over years that many of them are not 
that secure in and of themselves, and it really gets down to 
assuring that the security controls over the systems that are 
processing the information are effective and protecting the 
information, be it classified information, be it unclassified 
or sensitive information, to a level that is required.
    But I would say that, certainly, what agencies are doing 
now are kind of taking a go slow approach in terms of limiting 
the type of information that they are putting in the cloud 
implementations that they are presently using. Most agencies 
that we looked at are using this kind of low-impact or 
low-sensitivity information for those clouds, which may 
particularly be in a public cloud.
    And even in the private clouds they are still using, for 
the most part, low-impact information until they work out the 
issues related to adequately securing that information. Indeed, 
one of the risks that we have identified with our report is the 
fact that it may be difficult for agencies to currently assess 
the security and risk over the cloud implementations that are 
available.
    Chairman Towns. Thank you very much. I see my time has 
expired.
    The gentleman from Utah, Mr. Chaffetz.
    Mr. Chaffetz. Thank you.
    Thank you all for being here. It is very encouraging to see 
the presentations; it makes immense sense, particularly Mr. 
Kundra. I appreciate that.
    How do you get everybody moving in the same direction, 
though? I mean, you just know the discussion is going to 
happen. You are going to go over to the Bureau of Indian 
Affairs and they are going to say, oh, but you don't understand 
this and, oh, we have all this safety and security, and we have 
to have our own proprietary system. How do you standardize, how 
do you push them?
    Because I think we would probably all sit down and say we 
need a unified way to move forward, but the reality is that is 
why we end up with the thousands of different legacy systems 
that we have. How do you do that? I don't have a solution to 
that.
    Mr. Kundra. Part of the way that we are addressing that 
challenge is grounded in the budgeting process, so it is part 
of the fiscal year 2012 budget process. What agencies are doing 
is they are actually developing plans to consolidate 
infrastructure, to consolidate data centers, and that activity 
is vital as we think about where does it make sense for us to 
continue to invest in infrastructure versus where are there 
opportunities to move to the cloud in a safe and secure manner.
    Second thing is the program management office that we have 
stood up at GSA, where that is a center of gravity with the 
leadership that is being provided from an execution 
perspective.
    Third is making sure, with the Federal CIO Council, that we 
create the appropriate economic incentives. And what I mean by 
that is consider what it takes right now for any vendor to 
actually get certified to sell to the U.S. Government. Well, 
you have such a high barrier for entry because you have to get 
certified. If you are dealing with CDC, NIH, or if you are 
dealing with the FBI, and then you have to go deal with GSA. 
That is very difficult because the economics or the economies 
of scale don't work out.
    So, from a security perspective, one of the things we are 
doing in cloud computing is we have launched the FedRAMP 
program, where we are going to create a certification board 
made up of members from the Department of Defense, Department 
of Homeland Security, from GSA, and an agency that actually 
wants to procure that technology, so that you go through that 
certification, but you don't just stop there; you move toward a 
continuous monitoring environment so you are not just 
generating paperwork reports from a security perspective.
    Mr. Chaffetz. But is the idea that if you meet that minimum 
standard that would suffice for, say, some of these that truly 
do warrant more sophisticated security type applications, that 
if you meet that standard, that all the rest of the agencies 
would fall into line? Is that the idea?
    Mr. Kundra. Absolutely. They will be able to then leverage 
the work that has been done across the Federal Government. To 
give you a simple example, the State Department, over the last 
6 years, has spent $138 million on these paperwork exercises as 
far as certification and accreditation is concerned, and that 
is multiplied across the board with multiple agencies and 
departments.
    What we are trying to do is move away from this environment 
of just generating paperwork reports and much more toward 
continuous monitoring, and that is an area that NIST has been 
spending a lot of energy in terms of how do we get realtime 
data on the security of the systems, rather than just reports.
    Mr. Chaffetz. Some of the business models that we see out 
there that use kind of a version of cloud computing, if you 
will, are reliant upon those eyeballs and then selling those 
eyeballs, in essence, in an advertising manner to be able to 
say, oh, well, we can supplement it. It is free as long as you 
use it, but we are going to sell some advertising against it.
    Is there a standard that you have thought through on how 
that would work or not work? Because the sensitivity of who is 
looking at that information, selling of advertising, those 
types of things may look appetizing to kind of defray the cost, 
but there are also some security issues on the companies taking 
that information and then, in essence, packaging it up to an 
advertiser. Have you thought through how that works or won't 
work?
    Mr. Kundra. If we look at the Recovery Board and its move 
to the cloud when it comes to Recovery.gov, they went through 
those issues, and part of what they did was, as they were 
negotiating the contract. And that is why I want to be careful 
as we think about the move to the cloud not being something 
that is brand new, that has never happened. It is essentially 
contracting.
    As I mentioned, we are moving toward contracting systems, 
whether we are dealing with Lockheed Martin, Raytheon, or a 
number of other companies. In the same way, Recovery actually 
said, you know what, with the cloud vendor, the data must be in 
the United States and here are a set of prerequisite solutions. 
And, frankly, they have to comply with Federal statutes such as 
FISMA and security guidance that has come out of OMB and NIST.
    Mr. Chaffetz. Well, Mr. Chairman, I know my time is short, 
but I am fascinated to continue on in having these further 
discussions, because my guess is, and it is just a guess, but 
is that the law is woefully behind in terms of the velocity and 
the speed in which these types of applications change. It is 
just the nature of the beast.
    We will have to be vigilant on that, but I appreciate the 
hearing today. Thanks for your input.
    Thank you, Mr. Chairman.
    Chairman Towns. Thank you very much.
    I now yield 5 minutes to the gentlewoman from California.
    Ms. Chu. Thank you, Mr. Chair.
    I would like to ask the panel concerns about the current 
electronic privacy laws as we head toward this cloud computing. 
Specifically, commentators have raised concerns about the 
Electronic Communications Privacy Act and that it hasn't 
changed in nearly 25 years.
    I am also on the Judiciary Committee, and we had a hearing 
on the fact that information in the clouds in large part is not 
protected by privacy laws; whereas, information in written 
communication is protected by the privacy laws. Basically, we 
have not changed these laws in these 25 years to accommodate 
this.
    So, looking ahead, what steps should Congress take to 
ensure that the privacy of both individual information and 
Government records is maintained?
    Mr. McClure. I think that is a great question. There are 
two directives that were issued by the OMB Director last Friday 
dealing with this issue of protection of personal 
identification information on third-party sites, which are 
largely where a lot of SaaS cloud applications are being used; 
and those issues were reinforced by the policy that the 
protection of personal identifiable information is in place, 
that agencies have to take steps to ensure that is occurring. 
And if there is personal identification information collected, 
that it is specifically explained and posted why it is being 
collected and what it is being used for.
    So I think what we are doing in the policy area is actually 
bringing up some of the older policies for inspection and 
looking at ways in which we can modernize them in this 
environment but still offer security and privacy protections 
that are fundamental to the data needs of the Government.
    Ms. Chu. And are there specific laws that you think need to 
be changed and updated?
    Mr. McClure. I think that the next step will be to open up 
and look at some of the laws. We are trying to look at the 
directive and guidance that can come out of the administration, 
out of the executive branch, because that is normally how 
agencies implement the basic fundamentals of the laws 
themselves. So step one, I think, is can we get greater 
velocity and movement in what these changes need to be, and 
then I think, longer term, we can open up some of the statutes.
    Ms. Chu. Then next let me ask about security concerns. I 
believe, in testimony this morning, Mr. Bradshaw from Google 
will argue that the cloud can provide better information 
security than current legacy systems and, in particular, that 
the ability of agencies to store information in the cloud, 
instead of on personal computers, will actually allow for 
improved security. What do you think about this argument?
    Mr. Kundra. Well, I think when it comes to security, we 
need to remain ever-vigilant. Whether that is security in our 
mobile security or whether that is on systems that are 
Government-owned and operated or it is in a cloud environment. 
I don't think there is one answer that fits every single 
imaginable implementation of these technology solutions.
    That is one of the reasons President Obama, after coming 
into office, quickly issued a directive to his Homeland 
Security Council and National Security Council to do a bottom-
up review of cybersecurity. That is one of the reasons we have 
focused on investing over $3.6 billion in a comprehensive 
national cybersecurity initiative and that is one of the other 
reasons what we have done is looked at our cyber posture and 
have said, look, we really need to move away from these 
paperwork exercises and to realtime monitoring of how these 
systems are implemented.
    It used to be that you could literally come in and certify 
a system, and then come back 3 years later, which was the 
policy that was actually in place, and figure out whether it 
was still secure or not. But we have shifted that by guidance 
that we issued that moves us to more of a realtime monitoring 
approach where DHS, working with agencies, is going to make 
sure not only do we have continuous monitoring, but also 
investments in red teams that would actually look at our own 
systems to figure out if we have vulnerabilities or not.
    The days of just writing a report and hoping things are 
secure are over. We are confronting attacks on a real-time 
basis; therefore, we must confront them with realtime 
monitoring on a continuous basis. And NIST has actually been 
doing some really good work in the space from a framework 
perspective.
    Ms. Furlani. Agreed. The risk management framework defines 
ways to assess risk so that the program officials can actually 
make those decisions with the facts in front of them.
    Ms. Chu. So you are saying basically there would be better 
oversight, you would be monitoring this. But is there something 
inherent in the system that would make it more secure? For 
instance, would the information be fragmented in various 
locations?
    Mr. Kundra. Broadly speaking, when you are able to 
concentrate compute power in one place, you are inherently 
managing one system, rather than managing hundreds and hundreds 
of systems and trying to get firewalls in place, making sure 
that you are getting realtime traps of what is going on in 
servers and routers and switches.
    So you can make that argument, but in my view there needs 
to be a more fundamental shift, which is the cloud is not such 
a special technology, necessarily, that it is exempt from a 
security perspective, but it is just another implementation of 
IT and it is a natural evolution of where we have come from.
    Congressman Issa very well articulated sort of the 
historical evolution of where we have ended up in terms of 
cloud, but there are three big things that have happened. No. 1 
is bandwidth, the ability to have access to bandwidth in ways 
that were not available before. No. 2 is processing power; 
Moore's Law and the ability to have processing power in ways 
that were not available before.
    And No. 3 is storage, and the cost of storage has gone down 
exponentially. Therefore, now you are able to provide services 
in a centralized fashion that you couldn't before. But you 
still have to take the appropriate security safeguards. That is 
one of the reasons we have charged NIST with making sure that 
we are convening the right folks and that agencies have to 
comply with current statutes and security policy.
    Mr. Wilshusen. And if I may add, getting to the central 
question, is it more secure in a cloud versus in agency legacy 
systems, as I mentioned before, it really gets down to how 
security is implemented over those systems. Certainly we have 
reported in the past that agency legacy systems have had 
significant weaknesses in them.
    But there are some very real risks associated with putting 
information out in the cloud, particularly if they are public 
clouds. To the extent that agencies will now have to rely on 
the security of the service providers and have mechanisms in 
place to assure that those providers are adequately securing 
the information that they are given and processing. And just 
because it goes out to the cloud does not necessarily make it 
more secure, but there are some risks associated with it going 
out to the cloud.
    But there are possibilities where there are certain control 
elements that can help security over this data, but at the same 
time it gets back again to making sure there is verifiable 
implementation of effective security that is over those 
systems.
    Chairman Towns. The gentlewoman's time has expired.
    I now yield 5 minutes to the ranking member of the 
committee, the gentleman from California, Congressman Issa.
    Mr. Issa. Thank you, Mr. Chairman.
    I am going to pick up right where you left off. I am going 
to ask a leading question. Let's say I am the labs, the 
Department of Energy labs, and I have five sites. If those 
sites have a firewall and access to everybody inside to the 
Internet, and I take all five sites and I take all the assets 
that are inside, behind the firewall, and I move them to a 
private cloud, I move them to one, two, or three sites out on 
the Internet, and I make a VPN connection with them and I make 
all traffic to and from, no independent traffic, so it all goes 
there. And then from those locations, through those firewalls 
that are maintained, I can also go out and surf the Web.
    So I am not taking away any result, but I am simply moving 
everything to where your communication is simply to one or more 
locations, and then from there they are centrally located. 
Isn't it true I haven't changed anything at all? Assuming these 
are exactly the same assets, just moved, I haven't changed a 
thing; they are neither any more nor less secure as a result.
    Mr. Wilshusen. As long as the same set of security controls 
are implemented over the information.
    Mr. Issa. OK. So, as a baseline, I think you could all 
agree that, as long as you have an Internet portal, location 
out of that portal to some other location, if nothing else 
changes, makes no difference at all; it is neither more secure 
nor less secure.
    Mr. Wilshusen. As long as your Internet Web portal is 
securely configured and secure.
    Mr. Issa. Right. Well, you are only as secure as your 
firewall to begin with. So now going over and looking at GSA 
and Mr. Kundra, let's look at it another way. The bureaucracy. 
Every site, including the Congress, that is Internet access 
capable out of our firewalls, in other words, they are not 
closed systems, they are open to the Web, we could take every 
one of them and we could move them to Northern Canada so that 
we wouldn't have to worry about cooling year-round.
    And as long as we had the bandwidth, we would have changed 
nothing, isn't that right? Now, we are making the assumption. 
We are not going to cloud computing, we are just moving our 
data centers 500 milliseconds of latency time away, but we are 
moving them. Anyone disagree that we are changing nothing?
    [No response.]
    Mr. Issa. OK. So going back to those old systems of where 
we had a 1200 baud connection to some mainframe and we were 
going back and forth, the only thing that has really changed 
from those old systems in that situation is bandwidth; and 
bandwidth is no longer a limiting factor, right?
    Mr. Kundra. Yes. But, I mean, there are a lot more as far 
as cloud is concerned.
    Mr. Issa. OK. Now we want to get to being able to 
distribute our load, balance our load among more than one, but 
maybe hundreds or thousands of computing so that we get 
economies that we could not otherwise get and the ability to 
have surge without having, as you said, the Government solution 
that we had with Cash for Clunkers, being you have to buy more 
PCs all the time. We want to have that in place, right?
    So I am going to look at GSA and I am going to say why 
aren't you here today saying $80 billion, we would like $1 
billion to put up resources that would be available to new 
requirements and to those who wanted to move from where we are 
to there, where that, in a sense, you would be saying, look, we 
are not going to worry about your budget, we are going to worry 
about proving that we can take $1 billion and get what used to 
be $2 billion, but get it better, faster, and more reliable.
    Why are we not talking about a top-down implementation 
rather than the opening statement that, sadly, I heard where we 
talked about 500 people going to a big convention and trying to 
get buy-in? Five hundred people trying to get buy-in is what we 
were here a couple weeks ago talking about when we find that 
agencies, years after the GSA provides better, faster, cheaper 
solutions for Internet and telephone access, we find that we 
don't have them because the bureaucracy is slow, because they 
have their systems, because something as simple as is it safer 
or less safe?
    If the GSA took $1 billion and said we are going to 
contract a world-class private cloud in which all the vendors 
have locked doors and separate everything, but we are going to 
prove that it still is better, cheaper, faster, and provides 
that, and we are going to make it available to innovative 
projects or to innovative people that are already wanting to 
move from owning to simply having, why is it that is not what 
we are here today talking about? Because, otherwise, I fear 
that it will be 10 years from now, and even though you will 
have created the opportunity, the buy-in will be slow in 
coming.
    Mr. McClure. Well, Congressman, I think we are moving 
pretty aggressively in that area. We already, on our Apps.gov 
store site, have software as a service solutions available 
Government-wide that provide economies of scale. We just closed 
yesterday an infrastructure as a service blanket purchase 
agreement offering that should be able to leverage cloud-based 
infrastructure purchasing Government-wide. So those vehicles, I 
think, we are rapidly putting in place to allow the economies 
of scale to actually work.
    Mr. Issa. But each agency is going to have to make those 
individual decisions, all the things we are hearing that slow 
the process down.
    Mr. McClure. Exactly, except, remember, what we have been 
talking about this morning also is a Government-wide 
certification process for the security of these infrastructure 
offerings, which is quite different from the way we have 
operated in the past. So an agency could get on our BPA, 
actually choose one of the vendors, but then each agency would 
go through its own certification, testing, and control 
processing.
    That is where the process has gotten very inefficient. If 
we can successfully stand up a FedRAMP process that allows a 
consensus to be built around the testing and controls being 
accepted by all parties, or if there is a variation that only 
the incremental testing is needed, not reinvention of it, we 
have moved the ball, I think, considerably down the path much 
further than we have previously.
    We also have several pilots. I think one of the other 
things we have to do--the question earlier was the bureaucracy 
not accepting this. So we have pilots underway to show proof of 
concept in these cloud arrangements that I think can also move 
the needle further down the road by actually showing where 
these successes are, that security is in place and that cost-
savings are being produced. It is, show me, I am from Missouri, 
and I think that is a valid concern. That is why we are working 
collaboratively in the E-Gov area to show some of these pilots 
and their merits.
    Mr. Issa. Thank you.
    Mr. Chairman, I might just note that although GSA doesn't 
control it directly, House Administration does, that you and I 
are part of a grand experiment where 540 servers in our 
individual offices are being moved to 540 virtual ones with no 
cloud capability, simply relocated. So as I went through that 
painful example of if you took everything and just moved it 
somewhere, but didn't get any of the benefits of the cloud, you 
wouldn't have changed anything, that is what we are doing in 
Congress.
    Chairman Towns. Right.
    Mr. Issa. Thank you, Mr. Chairman.
    Chairman Towns. You are right.
    I yield 5 minutes to the gentlewoman from California, Ms. 
Watson, who has been very involved in this issue.
    Ms. Watson. Thank you so much, Mr. Chairman. I am so glad 
that we are working in conjunction with the full committee 
because we have been looking at procurement, and we want to 
take a deeper look, and I want to continue to restate the 
purpose for today's hearing: to look at the benefits and the 
risks of the Federal Government's use of the cloud computing 
services. So, if you don't mind, I will read my statement, my 
opening statement.
    Chairman Towns. Without objection, so ordered.
    Ms. Watson. At its basic level, the term ``cloud 
computing'' is a metaphor for Internet-based computing. Some 
have described it as a new name for an old concept: the 
delivery of computing services from a remote location, similar 
to the way electricity and other utilities are provided to most 
customers. A preponderance of technology experts believe that 
by 2020 most people will access software applications online 
and share and retrieve information through the use of remote 
server networks. This is a dramatic departure from today's 
environment where we depend on software housed on individual 
computers.
    The use of cloud computing by Federal agencies has 
significant benefits for collaboration across a broad 
information infrastructure, as well as for reducing costs 
associated with long-term information technology investments. 
It holds out the promise of enabling IT assets to remain on the 
technological cutting edge over their life cycle at reduced 
costs.
    It is therefore appropriate that President Obama has 
targeted the Federal Government's IT infrastructure as part of 
his mandate to cut agency budgets by 5 percent in 2011, 
particularly when we consider that the Federal Government 
spends $76 billion annually on IT investments and that the 
majority of those investments are for software and IT services.
    Despite these benefits, we remain concerned with potential 
or unknown security risks associated with cloud computing 
across the Federal agency community. For example, Federal 
customers may become dependent on their cloud computing 
vendor's effective implementation of security practices or 
protocols for ensuring the integrity and reliability of agency 
data and applications.
    The cloud computing model also raises privacy issues, as 
well as the level of control over data, due to issues of 
portability across different platforms or the fact that vendors 
may not be willing to divulge proprietary information.
    Due to these concerns, in July 2009, I requested that the 
GAO evaluate the technical and security risks associated with 
cloud computing across the Federal Government. I am pleased to 
announce that GAO is releasing the report at the hearing today, 
and you probably have heard some of them in my absence. Mr. 
Greg Wilshusen, who was just reporting when we recessed, was 
relaying some of the findings.
    The GAO report notes that while individual agencies have 
identified security measures needed when using cloud computing, 
they have not always developed corresponding guidance, and that 
OMB and GSA have yet to complete Government-wide cloud 
computing security initiatives. Overall, I believe the report 
makes the point that cloud computing has both advantages as 
well as disadvantages, Mr. Chairman, with respect to 
cybersecurity and that the administration should move 
deliberatively and with caution in considering when or when not 
to use cloud computing platforms.
    Concerns involving vendor cybersecurity have not arisen in 
a vacuum or in an ad hoc manner. Specifically, we know, through 
reporting done in the Wall Street Journal and other 
publications, that multiple technology and industrial base 
companies, including Google, have been compromised by 
cyberattacks believed to be sourced from the People's Republic 
of China. It has subsequently been reported that both the 
Federal Bureau of Investigation and the National Security 
Agency have examined these episodes to determine their origins 
and the extent of damages sustained by all parties.
    Cyberattacks place personal data, intellectual property, 
and our national security at grave risk, and require our 
partners in the Government contractor community to be ever-
vigilant in securing those systems and infrastructures used to 
service both Federal agencies and private citizens alike.
    While I understand the aforementioned incidents may not be 
appropriate for discussion in an open hearing, Mr. Chairman, I 
believe our vendor panelists need to address the broader issue 
of how they plan on meeting Federal information security 
standards for protecting those programs and Federal data that 
may be hosted through their cloud services.
    [The prepared statement of Hon. Diane E. Watson follows:]
    Ms. Watson. I really needed to be here full-time to hear 
what the panelists have said, but if I might take a few minutes 
to raise a question, I would appreciate the time.
    Chairman Towns. Let me suggest to the gentlelady that what 
I will do is recognize Mr. Luetkemeyer and then come back to 
you.
    Ms. Watson. All right. That is fine. Thank you, Mr. 
Chairman. I yield back.
    Chairman Towns. I recognize Mr. Luetkemeyer from Missouri.
    Mr. Luetkemeyer. Thank you, Mr. Chairman. I was under the 
impression that statements like that normally were submitted 
for the record, but I guess it is proper to read the entire 
thing.
    Chairman Towns. If you have a statement, you can read it.
    Mr. Luetkemeyer. I am sorry?
    Chairman Towns. If you have a statement, you can read it.
    Mr. Luetkemeyer. I think that these gentlemen probably have 
more to do than listen to my statement, so I would be glad to 
submit it for the record. Thank you, sir.
    Mr. Wilshusen, I am just kind of curious. What percentage 
of the Government's different duties and agencies do you think 
would be appropriate to put the cloud type of computing in 
place?
    Mr. Wilshusen. Well, I don't know if I can really state 
what percentage of systems should be placed in the cloud; I 
think it really depends upon what each agency feels would be 
best for its interest to go to a cloud environment. Certainly, 
in doing that, there are a number of benefits that come by 
placing systems and information out into a cloud. I think some 
of the other panelists have talked about those benefits. But 
they also have to weigh the risk in doing that. But I really 
couldn't hazard a guess as to what percentage of systems should 
be placed in a cloud.
    Mr. Luetkemeyer. Who approves the move to go to the cloud 
type of computing, is that something that there is a 
congressional committee that oversees this or is it just your 
department or various agencies? Who has the authority to make a 
decision like this, to dump everybody's information to a cloud?
    Mr. Wilshusen. Oh, I think that would probably be up to the 
individual agencies, but perhaps Mr. Kundra might be better 
able to answer that.
    Mr. Luetkemeyer. OK. Mr. Kundra.
    Mr. Kundra. It is like any other IT system, it would be the 
Chief Information Officer of the agency and the Chief 
Information Security Officer to make sure that, before moving 
any system to the cloud, that, one, they have made sure they 
have taken into account all the statutory requirements; two, 
all the policy guidance around privacy and security that have 
existed for many years.
    Mr. Luetkemeyer. I know that there are a couple of agencies 
and different groups that already use the cloud type of 
computing in our Government. Do you know how many? And are 
there other companies, other States, other countries that have 
gone to this type of computing that we can look at as models? 
Just kind of elaborate on that a little bit.
    Mr. Kundra. Sure. What I would love to do is share with you 
a report we put together where we have highlighted illustrative 
case studies, whether that is at a State level, local level, 
and even within the Federal Government.
    But just to give you one example, GSA, as part of the Open 
Government Directive, when every agency had to engage within 45 
days to get input from the American people, what GSA did was it 
provided a cloud solution, and they went through the 
appropriate security protocols. Instead of every agency having 
to go out there and build a proprietary system, they were able 
to leverage this cloud solution and agencies, instead, focused 
actually on the content of how they were going to interact with 
the American people, how they were going to process that input, 
rather than standing up yet another set of data centers or 
servers.
    Mr. Luetkemeyer. In your testimony you indicate that the 
administration announced three actions this week. The first one 
was to take under review troubled IT projects across the 
Federal Government and identify serious problems. Can you 
identify some of the serious problems and how this cloud 
computing would impact those? Would that be something that 
would work with this situation or are they problems that are 
beyond this type of solution?
    Mr. Kundra. Well, I think they are larger problems in 
Federal IT. So as we look at the fiscal year 2012 budget, the 
President has called for a freeze on non-defense national 
security spending and also the 5 percent cut that agencies have 
to meet, and one of the ways agencies are going to be able to 
make sure that they are still delivering services effectively 
is through investments in information technology.
    Mr. Luetkemeyer. Well, what are some of the serious 
problems? Is the cut you identified a serious problem?
    Mr. Kundra. No. What we want to make sure is that taxpayer 
money is being spent well, so some of these serious problems, 
the example I gave----
    Mr. Luetkemeyer. Identify a serious problem for me. I am 
just curious as to what the problems were that have been 
identified.
    Mr. Kundra. Procurement cycles, for example, that may take 
18 months or problems around the Government scoping IT projects 
with deliverables that take 2, 3, 4 years. And we have seen 
best practices where, at the local, State level, or even the 
private sector, where buyers are saying, look, you have to 
deliver value in 6 months, not 3 years from today.
    We have also seen problems in terms of how some of these 
systems are actually scoped, overly prescribing requirements 
that will end up in failure as a result of everything being 
overly specified.
    Mr. Luetkemeyer. OK, so basically the problems you 
identified there were problems of process and procedure versus 
something to be solved with the cloud, is that correct?
    Mr. Kundra. Right. Well, cloud is a technology, by no means 
a silver bullet that is going to solve all the IT problems we 
have. It is one approach, it is not the answer to everything 
that is wrong with Federal IT.
    Mr. Luetkemeyer. All right. Thank you.
    Thank you, Mr. Chairman.
    Chairman Towns. I thank the gentleman from Missouri.
    I now yield to the gentlewoman from California 5 minutes.
    Ms. Watson. Thank you so much, Mr. Chairman.
    Cost saving estimates for the Federal Government derived 
from the use of cloud computing vary greatly, anywhere from 25 
percent to above 90 percent in savings. The wide range in cost 
estimates is in part due to the fact that cloud computing is 
still evolving, and savings are dependent on the type of cloud 
platform that is deployed.
    The required level of security is also an unknown variable. 
What other variables should we take into account in measuring 
potential savings from cloud computing and what cost savings 
estimate can we reasonably expect? And let's start with Mr. 
Kundra and then go right down the panelists.
    Mr. Kundra. Sure. So from a savings perspective it is very 
much around the problem you are trying to solve. And what I 
mean by that is when Recovery.gov moved to the cloud, they 
saved $750,000 on an annual basis, which is very different than 
what GSA did when they moved USA.gov to the cloud; I believe it 
was $1.7 million is what GSA saved. But in some cases it may 
end up costing more because of security requirements that would 
have to be implemented. So I don't think there is a single 
number that is going to lead to these savings.
    Ms. Watson. It is a range.
    Mr. Kundra. Well, even within the range that is why you see 
such a wide, in terms of degrees of freedom, from 25 to 99 
percent, or whatever the number is. For example, with the Open 
Government Directive, that was a nominal cost to provide a 
platform for every single agency to engage the American people. 
We didn't have to go out there and spend millions of dollars 
and engage in a multi-year contract. So there is also a lot of 
cost avoidance as a result of leveraging these cloud solutions.
    And as we look forward, part of what we are doing is we are 
making sure we recognize that the power here, when we talk 
about cloud computing, is it is also greener from a computing 
perspective, because you don't have to go out there and keep 
building data center after data center. I mentioned earlier in 
my testimony how we have gone from over 400 data centers to 
over 1,100 in a 10-year period; whereas, in the private sector 
we have seen a move toward consolidation.
    So it is greener in terms of making sure that we are 
leveraging these assets more effectively, and also provides 
better customer service. Those are the other benefits. The 
example I used around Cash for Clunkers, where we had 
challenges around the system not being able to stay online 
because demand was so high, versus a private sector company 
that leveraged a cloud solution that kept up with demand 
without any failure.
    Ms. Watson. We don't want to keep our heads in the clouds. 
A pun is the worst form of humor.
    Mr. McClure.
    Mr. McClure. Yes, I think that is absolutely right, what 
Vivek was saying. I think we have to be careful with numbers on 
averages being thrown around. I think the examples that we have 
documented in the Federal Government, if you read the report 
Vivek was talking about in terms of the dozens of examples of 
cloud computing, if it has been used for improving software 
development activities it is one range of cost; if we are 
actually saving storage cost because it is more efficient in a 
cloud environment is another type of savings; if we have 
actually saved software development money by taking a common 
tool that is plug-and-play into an environment. So I think the 
cost savings will be dramatically different depending upon the 
type of application and type of cloud environment that we are 
putting these solutions in.
    But I would agree that we shouldn't focus totally on cost. 
Speed, agility, the ability to move quickly into the computing 
environments are significantly enhanced in these cloud 
environments, and those are huge payoffs for service delivery 
to citizens.
    Ms. Watson. Ms. Furlani.
    Ms. Furlani. I think where NIST contributes to this is the 
standardization or the recommendations of consistency in 
applying the guidelines and the standards across the agencies 
so that these cost savings can be realized. Understanding our 
risk management framework, the release we just put out, an 837 
updates and permits the leveraging of the certification and 
accreditation issues that we have mentioned; the baseline 
controls that Vivek has referenced, where you can actually 
continuously monitor that security controls are actually 
deployed appropriately.
    So what NIST contributes is this capability of standards 
and guidelines to provide consistency so agencies can leverage 
each other's capabilities more effectively and make the cost 
savings real.
    Chairman Towns. Would the gentlewoman yield?
    Ms. Watson. Yes.
    Chairman Towns. Do we really know enough to set standards?
    Ms. Furlani. That is what we are working on, to identify 
where the standards need to be, and that was the starting point 
in the workshop where we had many stakeholders come and help us 
understand. We have guidelines now for how IT systems should be 
deployed, and that was what I was referencing.
    But the applicable standards in the cloud computing 
environment will be dependent on which model of cloud computing 
you are actually addressing and which kind you are trying to 
use for your own particular program and your own mission 
requirements. So it all comes back to the program official 
understanding the risks that are being undertaken and having 
guidance, which we provide, to assess that risk and make the 
decisions as to which standards are available and which can be 
monitored.
    Mr. Wilshusen. And although we did not look at the specific 
cost savings and issues related to cloud computing in our 
report, we did discuss the need for OMB to complete a strategy 
on its implementation of cloud computing and initiatives across 
the Government, and in our report we talked about the 
information security issues that need to be addressed in that 
strategy.
    But what also should probably be included in that are 
performance measures, particularly as they relate to cost 
savings; the speed, how much faster is it to obtain the 
resources that my other panelists here have been discussing? So 
certainly the need to develop performance measures, which data 
can be collected on, and then one can evaluate just how cost-
effective and what cost savings have been acquired through the 
use of cloud computing.
    Ms. Watson. Mr. Chairman, I know my time is up, but I just 
want to say that our subcommittee will continue to look at this 
issue, procurement and is it a cost savings. And what I am 
hearing today, we have to customize this particular IT, this 
cloud kind of IT for the services that you provide. I don't 
think one method will suit all. It is a work in progress, it is 
evolving, so we are going to keep tabs on it in the very near 
future and report back to the full committee. Thank you so much 
for the extra time.
    Chairman Towns. I thank the gentlewoman for her work and 
what she is doing in her subcommittee.
    I now yield to the gentleman from California.
    Mr. Issa. I am going to continue. I am a big fan of cloud 
computing, so don't have anything I say cause you to think that 
it is anything other than my fear of the bureaucracy that 
causes me to sound like we are not going to get there as quick 
as we would like to and I want to look at other things.
    Mr. Kundra, if we simply did a move and manage, just assume 
for a moment that anyone who is eligible to go to the cloud, 
instead of going to cloud, we just move and manage, meaning, 
like Congress, we say we are going to take it out of all your 
offices, where everybody had an individual server. You have 
enough bandwidth or we will provide you enough bandwidth at a 
relatively low cost. We are going to centrally manage. We are 
going to, where appropriate, have multiple servers and multiple 
RAIDs.
    We will make those decisions, but we are providing you with 
an equivalent amount of processing to whatever you had, but we 
are going to relocate it. Literally the way they did it in 
Congress is they picked up your server and took it to another 
place, and then over time, using VMware or an equivalent, they 
are going to give you pieces of more powerful servers.
    From a purely speed of chipping away at that $80 billion 
and freeing up dollars for innovation and other uses, isn't 
that a step that can be done today without any of the concerns 
that are being talked about, about the fitness of some future 
vendor? In other words, if you assume that each agency, unless 
they consent otherwise, doesn't have sharing between agencies 
and so on, how would you envision that as a, if you can't get 
what you want, would this be a step?
    Mr. Kundra. Sure. And that is actually exactly what we are 
engaged in. One of the things we have done is we have looked at 
this problem around expenditures in information technology, and 
approximately $20 billion annually is spent on infrastructure. 
So if you take the entire $80 billion, break it down to just 
infrastructure spend on servers, routers, switches, networks.
    Mr. Issa. Air conditioning, backup generators, UPSes.
    Mr. Kundra. Exactly. So the first step we are taking is to 
make sure that, one, across the entire Federal Government we 
have detailed plans as far as data center consolidation is 
concerned.
    So that is an effort that is underway, and part of the 2012 
budgeting process, what agencies have to do is make sure they 
come in to the budget process to say, look, what is your plan? 
What is your strategy? For example, Department of Homeland 
Security has committed to move from approximately 24 data 
centers down to 2. GSA has over eight data centers. And I could 
cite department by department.
    Mr. Issa. And they are supposed to be the example of best 
of, right?
    Mr. Kundra. Well, look, we didn't get here overnight; this 
is a multi-decade problem. Over the last 50 years that is how 
the Government has been growing. In my testimony I talked about 
how companies like IBM have consolidated; whereas the 
Government continues to grow.
    Mr. Issa. Well, let me ask a question as to that. If that 
is the case, we here probably are the most parochial group you 
are going to find. We get reelected based on whether or not 
people believe we care about them. So it is not uncommon that 
we would want a data center in our district, particularly if it 
created good paying jobs.
    Chairman Towns. I want two. [Laughter.]
    Mr. Issa. I would second that for the chairman.
    Now, it happens that Brooklyn may not always be the best 
place. And I know that the electric costs in San Diego are not 
the lowest. So what are you, cumulatively or individually, 
doing to create, if you will, that best of location, best of 
price cost for some of these data systems, and what are you 
doing to ensure that GSA actually goes to zero--hear me out for 
a second--zero data centers? Because there is no reason for you 
to have a unique data center that is only GSA.
    You can have a unique room in a larger data center that 
five other agencies each have a room in. But what would be the 
cost-effectiveness of having your own eight at your own sites. 
By the way, you probably would pick sites based on the 
Congressmen who have the most influence on you, and I am 
perhaps one of them, while Homeland Security might look to Mr. 
King and so on over there. What are we doing to ensure that 
these sitings are both as consolidated as possible and as 
efficient as possible?
    Mr. Kundra. And that is part----
    Mr. Issa. And as least interfered by people like us as 
possible.
    Mr. Kundra. Well, one, we look forward to working with the 
Congress as we take on this really, really difficult 
problem----
    Mr. Issa. I think you are getting those two data centers.
    Mr. Kundra [continuing]. Because you have 1,100, and what 
was really interesting was when we went back and looked at the 
data, some agencies couldn't produce that data right away in 
terms of where is your data center; how many servers do you 
have; what is your rack utilization? And what we are finding, 
unfortunately, is that in some agencies server utilization is 
actually at 7 percent. And when you think about cloud 
computing, that is where you have a lot of wasted capacity, 
because what ends up happening is everybody engineers their 
solution for what they expect the peak to be. Therefore, they 
overbuild and it ends up costing a fortune to maintain those 
systems.
    So by this December----
    Mr. Issa. You mean like the stories that we have seen where 
servers are actually retired, never having been powered up, but 
they were bought?
    Mr. Kundra. Right. And that is the type of waste we are 
taking head on, and that is why, by this December, agencies 
across the Federal Government have been directed by OMB to come 
up with road maps and plans on how they are going to 
consolidate. And part of what we want to make sure is that we 
are responsible in the consolidation, because what you don't 
want to do is consolidate to one place where now everybody 
knows if you go after that one place, you are going to be able 
to bring down all of Federal IT.
    So we have to figure out how do we, in this environment, 
where we have over 1,100--and that number may go up, by the 
way, because the final plans aren't due until this December--
how do we make sure that there is enough geodiversity to ensure 
security, but at the same time that it is not so crazy that you 
have data centers popping up every year all over the country.
    Mr. Issa. Thank you.
    Thank you, Mr. Chairman.
    Chairman Towns. Thank you very much.
    Let me thank all the witnesses for your testimony. You have 
been very, very helpful and I know the subcommittee will 
continue to work on this as well. We want to thank you for your 
time and, of course, the suggestions and recommendations. We 
look forward to working with you. Thank you very much.
    Mr. Kundra. Thank you very much.
    We would like to call up our second panel.
    Mr. Scott Charney is corporate vice president of 
trustworthy computing at the Microsoft Corp. Welcome. Mr. 
Daniel Burton is senior vice president of global public policy 
at Salesforce.com; Mr. Mike Bradshaw is director of Google 
Federal; Mr. Nick Combs is chief technology officer of EMC 
Federal; and Gregory Ganger is professor of electrical and 
computer engineering, as well as director of the Parallel Data 
Lab at Carnegie Mellon University.
    Welcome and thank you all for being here. Let me say to you 
that we always swear our witnesses in, so if you would stand 
and raise your right hands.
    [Witnesses sworn.]
    Chairman Towns. You may be seated.
    Let the record reflect that all the witnesses answered in 
the affirmative.
    Let me start with you, Mr. Charney, and we will just go 
right down the line. You know you have 5 minutes. You know how 
it works. After the light comes on caution, then red, and all 
of that, which will allow us ample time to raise questions. And 
you can see that we have a lot of questions. So why don't we 
just start with you, Mr. Charney, and come right down the line?

    STATEMENTS OF SCOTT CHARNEY, CORPORATE VICE PRESIDENT, 
 TRUSTWORTHY COMPUTING, MICROSOFT CORP.; DANIEL BURTON, SENIOR 
  VICE PRESIDENT, GLOBAL PUBLIC POLICY, SALESFORCE.COM; MIKE 
 BRADSHAW, DIRECTOR, GOOGLE FEDERAL, GOOGLE INC.; NICK COMBS, 
  CHIEF TECHNOLOGY OFFICER, EMC FEDERAL; AND GREGORY GANGER, 
   PROFESSOR, ELECTRICAL AND COMPUTER ENGINEERING, DIRECTOR, 
         PARALLEL DATA LAB, CARNEGIE MELLON UNIVERSITY

                   STATEMENT OF SCOTT CHARNEY

    Mr. Charney. Thank you, Chairman Towns, Ranking Member 
Issa, Chairwoman Watson. Thank you for the opportunity to share 
Microsoft's view on the benefits and risks of cloud computing 
for the Federal Government.
    My name is Scott Charney. I am the corporate vice president 
for trustworthy computing and environmental sustainability at 
Microsoft. I also serve as one of the four co-chairs for the 
Center for Strategic and International Studies Commission on 
Cybersecurity for the 44th Presidency. Prior to joining 
Microsoft, I was Chief of the Computer Crime and Intellectual 
Property Section at the U.S. Department of Justice.
    In my testimony today, I want to describe how cloud 
computing impacts responsibilities for the security, privacy, 
and reliability of IT systems, and I want to highlight the 
importance of Electronic Communications Privacy Act reform and 
identity management issues.
    While cloud computing creates new opportunities, it also 
presents new challenges. More specifically, a Government agency 
using a cloud service may shift certain security, privacy, and 
reliability responsibilities to the cloud provider. To ensure 
this is done properly, Government agencies need to clearly 
identify their security, privacy, and reliability requirements 
to the cloud provider, and cloud providers need to be 
transparent about the steps taken to meet those requirements.
    In Microsoft's case, we employ a holistic approach in 
managing security, privacy, and reliability issues, an approach 
that is designed to meet or exceed customer requirements. This 
approach, which encompasses physical, personnel, and IT security, 
has three parts: first, we have a risk-based information 
security program that assesses and prioritizes security and 
operational threats to the business; second, we maintain and 
regularly update a detailed set of security controls to 
mitigate risk; third, we use a compliance framework to ensure 
that controls are designed appropriately and are operating 
effectively.
    A key part of this process is the Microsoft Security 
Development Lifecycle [SDL], which helps to improve security 
and privacy protections in our software and our services. The 
SDL consists of processes and tools designed to reduce the 
number and severity of vulnerabilities in software products, 
manage risk in computing environments, ensure appropriate and 
agile response when incidents occur, and help protect people 
and their personal information by imposing mandatory 
engineering practices related to security and privacy. By 
building and managing resilient infrastructure with trustworthy 
people, we can further ensure high availability and 24/7 
support in our service level agreements.
    While the cloud is getting ready for the Government, the 
Government must get ready for the cloud. Agencies continue to 
struggle to identify, manage, and account for the security of 
data and systems. Moving to the cloud does not eliminate an 
agency's responsibility for its data. To adapt to the cloud, an 
agency must clearly identify and communicate its requirements 
and expectations to the cloud provider, who, in turn, must 
indicate how those requirements and expectations will be met.
    Progress is being made. The Federal Risk and Authorization 
Management Program [FedRAMP] is an important initial effort to 
create efficiencies and define responsibilities. This program 
enables common assessments of cloud service providers, allowing 
a cloud provider to certify once and have that certification 
shared among the agencies. In addition to increased 
efficiencies, FedRAMP can ensure better transparency into cloud 
provider practices.
    In addition to managing its own systems, the Government has 
a policy role to play. In this regard, it must ensure that 
privacy protections for citizens keep pace with technological 
changes. Congress enacted the Electronic Communications Privacy 
Act almost 25 years ago. Dramatic technology advancements, 
including the shift to cloud computing, require ECPA, as it is 
known, to be updated and aligned with reasonable privacy 
expectations. Additionally, industry and Government must create 
more robust identities for Internet use, particularly as we 
adapt to the cloud.
    There are over 1.8 billion Internet users worldwide. The 
mechanisms used to identify people and devices on the Internet, 
even when sensitive data or critical infrastructures are 
involved, are weak. And as the Government offers more citizen 
services online and individuals store more sensitive 
information in the cloud, electronic identifications will 
become increasingly important. The recently released draft 
National Strategy for Trusted Identities in Cyberspace 
represents significant progress in the dialog about how to 
create trust in online transactions, but much remains to be 
done.
    In closing, clarity and transparency about Government 
requirements and cloud provider offerings is critically 
important. The more precise and transparent we are, the greater 
the trust we will build and the greater the opportunity we 
create.
    Thank you for your important leadership on the issue of 
cloud computing, and I look forward to working with you on this 
important topic.
    [The prepared statement of Mr. Charney follows:]
    [GRAPHIC] [TIFF OMITTED] 58350.052 through 58350.063
    
    Chairman Towns. Thank you very much, Mr. Charney.
    Mr. Burton.

                   STATEMENT OF DANIEL BURTON

    Mr. Burton. Thank you, Chairman Towns, Chairwoman Watson, 
Ranking Member Issa, members of the committee. Thank you for 
holding this hearing and inviting me to share my views.
    As the senior vice president for global public policy at 
Salesforce.com, I am deeply involved in discussions with 
Government about cloud computing, and I applaud the efforts of 
this committee and the subcommittee to shed light on this 
effort.
    Salesforce.com is a leading enterprise cloud computing 
company whose applications allow organizations to input, store, 
process, and access data about their customers over the 
Internet. In addition, we provide a cloud collaboration tool 
called Chatter and a cloud technology platform called 
Force.com. Several U.S. Federal agencies already use 
Salesforce, including the Army, HHS, NASA, GSA, the State 
Department, the Census Bureau, and many others.
    In my remarks, I will make reference to the Salesforce 
enterprise cloud computing model, not the consumer cloud 
computing model popularized by companies like Amazon and eBay.
    Descriptions of cloud computing are like the parable of the 
blind men and the elephant. One blind man grabbed its trunk and 
said it resembled a giant snake; another its legs and said it 
was a tree; a third its tusks and said it was an enormous 
walrus, and so on. This parable will sound familiar to anyone 
who follows cloud computing. Some companies state that since it 
involves third-party data centers, they are cloud providers; 
others say that since it uses subscription payments, they are 
cloud providers; still others say that since it is accessed 
over IT networks, they are cloud providers.
    While each of these descriptions is true as far as it goes, 
by themselves these discrete services do not constitute cloud 
computing. Nor can the companies that provide these discrete 
services be called cloud computing providers any more than an 
elephant can be called a snake, a tree, or a walrus.
    True cloud computing consists of a combination of third-
party data centers, subscription payments, Internet access, and 
something known as multi-tenant architecture, which NIST notes 
in its definition.
    A good analogy for multi-tenancy is a skyscraper. Just like 
a skyscraper allows many occupants to run their businesses 
discretely in the same building, multi-tenant cloud computing 
allows many users to run their applications discretely on the 
same computing platform. Although users share the underlying 
infrastructure, they can only view the data and applications 
that pertain to them. In this way, multi-tenant cloud computing 
is like online banking; it lets a number of people use their 
accounts simultaneously, while keeping their information secure 
and private.
    The great benefit of multi-tenancy is that it can satisfy 
the needs of numerous organizations on a single computing 
stack. Salesforce, for example, processes the data and 
applications for its 77,000 customers on just a few thousand 
servers. A single-tenant computing model, which is sometimes 
referred to as a private cloud, could require several hundred 
thousand servers to manage a customer base this size.
    For Government, multi-tenant cloud computing offers cost 
savings, flexibility, fast deployment, and lower risk of 
project failure. Traditional Government IT systems require up-
front investments in hardware and software, and can take years 
to implement. As a result, they are often out of date and over-
budget by the time they are deployed. Multi-tenant cloud 
computing eliminates large up-front costs and lets Government 
agencies start with a few users and scale rapidly so there is 
much less chance of waste and failure.
    I understand that cost, data ownership, security, and 
interoperability are of particular interest to this committee. 
Most studies conclude that cloud computing offers important 
cost savings. A recent Brookings study concluded that the cost 
savings for Government average between 25 and 50 percent. 
Salesforce case studies support this conclusion.
    As for ownership of data, Salesforce claims no rights to 
the information its customers submit to our cloud services. We 
use and process this information only as our customers instruct 
us to or to fulfill contractual and legal obligations. If a 
customer decides it no longer wants to use our cloud services, 
we make their information available to them in a format that 
allows them to move it elsewhere.
    The Salesforce security management system is based on 
internationally accepted security standards like ISO27001. 
Perhaps the most compelling evidence of our security is the 
fact that over 77,000 organizations around the world, including 
very large institutions in highly regulated sectors like 
financial services, health care, and government, trust their 
information on cloud applications to Salesforce.
    When it comes to interoperability, the proof is in 
performance. Over 50 percent of the transactions we process are 
handled automatically. In other words, about 150 million times 
per day our computers seamlessly operate with outside computers 
without human involvement.
    I appreciate the committee's efforts to advance the 
Government's ability to take advantage of this important 
technology and look forward to your questions.
    [The prepared statement of Mr. Burton follows:]
    [GRAPHIC] [TIFF OMITTED] 58350.064 through 58350.073
    
    Chairman Towns. Thank you very much, Mr. Burton.
    Let me just say to the committee members that we have three 
votes, and we will hear from Mr. Bradshaw and then I will 
recess the committee, and we will return 10 minutes after the 
last vote.
    Mr. Bradshaw.

                   STATEMENT OF MIKE BRADSHAW

    Mr. Bradshaw. Thank you, Mr. Chairman, Chairwoman Watson, 
Ranking Member Issa, and members of the committee. I lead the 
Google team that provides cloud computing services to the 
Federal Government, and I am pleased to be here.
    Federal IT is at a crossroads. Down one path, the adoption 
of cloud computing, we see more competition and innovation; 
down another path, which keeps IT tethered to the traditional 
desktop computing model, we have more of the status quo, 
meaning fewer choices and less competition. If there is one 
thing I want to leave you with today, it is this: the cloud is 
secure, the cloud saves taxpayer money, and the cloud can make 
Government more efficient. We believe Federal IT procurement 
policy should encourage competition and choice.
    As you have heard today, there are three basic types of IT 
infrastructure: cloud, there is legacy, and a hybrid model that 
tethers the cloud to legacy systems.
    Google offers cloud solutions that are used by 2 million 
businesses. A growing number of State and local governments, 
from Los Angeles to Orlando, use the cloud, as do Federal 
agencies, including the Departments of Defense, Energy, and 
Interior, as well as NASA, the SEC, and the GSA.
    I would like to focus on three benefits from Federal 
adoption of the cloud: one, enhanced security; two, savings for 
taxpayers; and, three, more competition and innovation.
    First, the cloud offers security advantages over legacy and 
tethered cloud alternatives. Under legacy computing models, we 
store critical data on our computers and servers either at work 
or at home. This is the equivalent of keeping cash under our 
mattress. Storing data securely in a multi-tenant cloud is like 
keeping cash in a bank. Cloud providers are security 
professionals, and they can offer better security than 
customers do on their own.
    There have been several examples where Government laptops 
and hard drives were lost or stolen, compromising the sensitive 
personal information of hundreds of thousands of individuals. 
In fact, GAO confirmed in 2009 that recent data losses 
occurring at Federal agencies have been the result of physical 
thefts or improper safeguarding of systems.
    An important security benefit of the full cloud model is that 
you can control security updates much more consistently and 
easily. Research shows most organizations take between 25 and 60 
days to deploy security patches, and some CIOs admit it can 
take up to 6 months. In the cloud, everyone gets security 
updates as soon as they are available, not weeks or months 
later. Attacks come frequently, and cloud computing allows us 
to react quickly.
    Hackers do not care about the labels assigned to cloud 
computing, whether the cloud is public or private or otherwise. 
Hackers will exploit security vulnerabilities where they find 
them. That is why security must be judged based on an 
examination of specific security controls in place by a given 
cloud computing implementation.
    At Google, we protect data by shredding and splitting it 
across numerous servers and data centers, making an attack much 
harder because no user's data resides on a single disk or 
server. The data is replicated and spread across different 
locations. So if a hurricane or an earthquake strikes one 
place, the application keeps running elsewhere. This is 
important for backup and disaster recovery. It was a key 
consideration for the city of Los Angeles because of their 
location in an earthquake zone. Backup and recovery solutions 
are built into Google's cloud architecture, and they come at no 
extra cost.
    Second, the cloud can save taxpayer dollars. This April, 
Brookings found that the Government agencies that switched to 
some form of cloud computing saw up to 50 percent savings. Last 
year, Forrester calculated that Google's cloud-based email 
service was one-third the cost of legacy email. To put that in 
context, the Federal Government spends $76 billion per year on 
IT, with $20 billion of that devoted to hardware, software, and 
file servers.
    Other cost savings come from improving productivity, 
enabling more Federal employees to telework, and reducing 
energy consumption.
    Third, introducing more choices into the Federal 
marketplace will intensify competition, which in turn will 
drive innovation up and prices down. The Federal Government is 
embracing cloud computing, and we support the administration's 
effort to drive the adoption of the cloud, including FedRAMP. 
We strongly support the effort to accelerate the process.
    Naturally, legacy providers would benefit if they didn't 
have to compete with the cloud, so it is not surprising that 
some may try to slow this transition by fomenting fear of cloud 
security. This overlooks the security problems we have seen in 
legacy IT systems and it fails to recognize how these problems 
can be solved by the cloud.
    Ms. Watson [presiding]. We are out of time now, so we are 
going to recess and we will reconvene 10 minutes after the last 
vote. Thank you so much.
    Mr. Bradshaw. Thank you.
    [The prepared statement of Mr. Bradshaw follows:]
    [GRAPHIC] [TIFF OMITTED] 58350.074 through 58350.080
    
    [Recess.]
    Chairman Towns [presiding]. Mr. Combs.

                    STATEMENT OF NICK COMBS

    Mr. Combs. Chairman Towns, Ranking Member Issa, thank you 
for the opportunity to address this important session.
    Prior to my current role as CTO of EMC Federal, I served 
more than 25 years in Federal Government, primarily in the 
Army, DOD, and the intelligence community, so I echo the 
remarks of Mr. Issa about concerns with security.
    During my career in Government and public sector, I have 
personally experienced many of the IT challenges facing Federal 
agencies today. Cloud computing is the buzz word of the day in 
IT, but the characteristics the cloud brings are what is 
important for Federal organizations. IT environments must be 
flexible, on-demand, efficient, and resilient.
    Organizations must change, and the IT infrastructures that 
support them must be able to keep pace. At no other time has it 
been more important to change our IT landscape, as 
organizations are experiencing unprecedented levels of 
information growth and are under constant pressure to deal with 
the costs associated with maintaining our legacy IT 
environments.
    Many Federal organizations have already begun to build the 
bridge to the cloud by adopting some form of virtualization. In 
fact, virtualization has become the foundation of the cloud 
and, in my view, is a great enabler of cloud services across 
the various deployment models.
    Cloud computing is virtualization taken to its most logical 
extreme, creating the ultimate in flexibility and efficiency, 
and revolutionizing the way we compute, network, store, and 
manage information. Cloud computing has the potential to make 
the biggest impact in IT since the development of the 
microprocessor, but it is not going to happen overnight. This 
will be a journey, but we will realize benefits at many points 
along the way. In the end, we will be able to provide 
organizations with much greater flexibility to ensure we can 
meet the demanding needs of our Federal Government.
    Many challenges and questions are yet to be fully answered, 
including acquisition, availability, performance, scalability, 
solution maturity, vendor lock-in, and, of top concern, 
security. I have addressed many of these in my written 
statements; however, due to time constraints, I will focus on 
security. We have an opportunity to get it right with cloud 
computing by engineering security into the solution, not 
bolting it on, as has been in the past.
    Admittedly, with cloud computing's sophisticated automation, 
provisioning, and virtualization technologies, there are 
significant security implications. These risks require that we 
look at security in a whole new way. While perimeter and point 
security products will still be used by organizations, 
companies such as EMC and VMware are embedding security 
controls and security management in the virtual layer, creating 
an environment in the virtual world that is safer than the 
physical world today. Industry must continue to develop and 
deliver technology components that support centralized, 
consistent management of security across the technology stack.
    The level of transparency that cloud computing vendors 
provide is critical when utilizing private sector partners. 
While there is a lot of talk about service level agreements 
helping to satisfy Federal security needs, SLAs alone are 
inadequate. The Government must take a ``trust but verify'' 
approach and cloud vendors should be required to provide the 
tools and capabilities to allow customers visibility into those 
clouds to ensure the SLAs are being met.
    Fundamentally, security must be risk-based and driven by a 
flexible policy that is aligned to the business or mission 
need. The need for a common framework to ensure that security 
policies are consistently applied across the infrastructure is 
critical to successful risk management. That is one of the 
principal reasons that EMC supports updating the Federal 
Information Security and Management Act [FISMA], important 
legislation that will update the law to enable more operational 
risk management.
    Technologies exist today to deliver private cloud 
environments inside Federal organizations to dramatically 
improve IT efficiency and still provide the security required 
to protect sensitive information within the Government 
enterprise. Multi-tenant federated clouds can be deployed where 
similar security requirements exist. However, placing 
information on a public cloud today should be limited to public 
facing information only, and then only if the providers can 
prove the level of auditing and protection procedures are 
implemented to deal with breaches of sensitive information.
    Ultimately, cloud computing offers great potential for 
reducing cost and increasing efficiency and transparency 
throughout the Federal Government, and Federal departments and 
agencies should be encouraged to embrace that potential.
    I again thank the committee for allowing EMC and me to 
contribute to this important effort. I look forward to taking 
your questions.
    [The prepared statement of Mr. Combs follows:]
    [GRAPHIC] [TIFF OMITTED] 58350.081 through 58350.089
    
    Chairman Towns. Thank you very much for your testimony, Mr. 
Combs.
    Mr. Ganger.

                  STATEMENT OF GREGORY GANGER

    Mr. Ganger. Thank you for this opportunity to testify along 
with the others. I am a professor of electrical and computer 
engineering at Carnegie Mellon University, where I am also the 
director of a research center focused on issues like cloud 
computing, and have been for over a decade. I hope that my 
independent voice from an elite educational institution can 
help with clarifying the issues being explored today.
    You have heard from a number of folks already today, and 
obviously, from the questions, investigated the issues 
yourselves as well; and I will attempt to avoid being 
needlessly redundant. But I will underscore a few important 
points and raise a few new ones.
    As we have heard and as you have read, cloud computing is a 
buzz word for using others' computers together with yet others 
in order to achieve efficiency, instead of doing everything 
yourself. It is a natural evolution as a part of a service-
based economy. In fact, as Mr. Issa noted, it is a bit of a 
return to the past in some ways. I won't get into the details 
of it now, but there is actually a good reason why it has gone 
back and forth a little bit as engineering technology and 
economies of scale have changed.
    One aspect of the definition of cloud computing that I want 
to make sure doesn't get lost is the differentiation between a 
private cloud and a public cloud, which has to do with who 
shares the cloud. A private cloud is something that an 
organization does itself and might be shared amongst the sub-
organizations of that organization. So in the Federal 
Government imagine all the agencies sharing a cloud. As 
contrasted with a public cloud that might be offered to many 
organizations to share, as is usually thought of when one hears 
the term cloud computing because of the Internet analogy of 
everybody being able to access the Internet.
    But the private cloud is something that we don't want to 
lose sight of because it is going to play a part of the 
approach that gets taken with the breadth of Federal IT 
functions. In fact, this is another thing that was brought up 
earlier, this notion of moving to a centralized management 
site. That is one step toward a private cloud approach.
    And there are some private cloud initiatives that are going 
on in the Government right now. For example, the NBC of the 
Directorate of the Interior has some cloud computing functions 
and there is also an activity called Nebula that NASA is doing 
for scientific activities.
    The benefits of cloud computing, when done well, can be 
huge. We have heard a number of examples. I liked the example, 
in particular, of IBM going from 235 data centers to 12. In my 
written testimony I talk about several others, including HP 
going from 85 data centers to 6 over the course of the last 4 
years and reporting from that 60 percent reductions in their 
data center costs across the board, while at the same time 
increasing the amount of computing and storage that they are 
doing. So the savings are real and they are large.
    As with most things, your mileage may vary, and this was 
brought up by multiple of you already, and just how much you save 
is going to depend, for example, on how efficient the function 
that you are moving was already. And the efficiency of existing 
implementations of functions varies widely, so naturally the 
savings you are going to get is going to vary as well.
    But one big benefit that I haven't heard talked about as 
much that you don't want to lose sight of as well is the speed 
of deploying a new application. In the traditional model, where 
you have to procure, buy, deploy, set up a set of computers 
before you can even start to develop the application that you 
are trying to deliver, and that process may take many months, 
18 months was the example that Mr. Kundra used, comparing that 
to the notion of renting some computing utility and getting 
started right away is a sea change in terms of how quickly you 
can move in a new direction.
    There are risks. It is natural to address them with 
questions, which is why I started with the benefits. Security 
is a very natural one. It is very important, in talking about 
security, to not start from the mentality that doing it 
yourself means that it will be done perfectly. There are too 
many examples where that is not the case, and, in fact, having 
a collection of security experts try to do the job for a larger 
collection of people, rather than having each of those people 
do it themselves, makes a lot of sense.
    You get more ability to move forward quickly when you have 
the experts doing it for people rather than everybody doing it 
themselves. It doesn't mean that everything is going to want to 
migrate to a central place, but it is going to mean that a lot 
of things are going to make sense to that kind of 
centralization.
    Lock-in fears mean that standardization is going to be 
critical. Resistance to change is going to mean that change 
management and new training is going to be critical, as well as 
centralized knowledge sharing portals and information sharing. 
And IT culture changes are going to mean that the IT staff are 
going to have to be retrained to new roles as well. They are 
not going to go away; you are still going to need expert IT 
staff to manage the interaction between any given agency, for 
example, and the cloud computing provider, but their roles are 
going to change, they are going to move closer to the 
applications folks.
    But the potential is great; it needs to be embraced. I am 
thrilled to see that is happening, and thank you for letting me 
be here and I am happy to answer any questions that you have.
    [The prepared statement of Mr. Ganger follows:]
    [GRAPHIC] [TIFF OMITTED] 58350.090 through 58350.099
    
    Chairman Towns. Thank you very much.
    Let me thank all of you for your testimony.
    I guess I just want to ask all of you this question, and 
you can sort of answer it as briefly as you possibly can. What 
do you see as the greatest benefit and the greatest risk to the 
Federal Government in terms of cloud computing? If you just go 
right down the line and sort of be as brief as possible.
    Mr. Charney. I see a couple of huge benefits. One, of 
course, we have talked about, which is cost savings. But the 
other huge benefit, I think, is that the aggregation of data 
will allow, in appropriate circumstances, much deeper analysis 
of data. When you think about how we are going to do health 
care in the future, for example, the ability to analyze a lot 
of data and see trends and other things could be hugely 
valuable to the Government.
    In terms of risk, it really does come back to the things we 
have talked about: security, privacy, and reliability. We are 
going to be dependent on this cloud, and if you can't access 
this cloud, or if cyber criminals go after the cloud because 
the aggregation of data presents a rich target, or people don't 
have faith that the data in the cloud is both protected and not 
improvidently used by the cloud provider, we will lack trust.
    Mr. Burton. Yes, I think the benefits of cloud computing 
are enormous, and that is why it is really taking off in the 
private sector; and to look at those benefits: cost advantages, 
speed advantages, scale advantages, ease of use advantages, 
customization advantages, and, not to be overlooked, tremendous 
innovation advantages, because once people are on a cloud 
platform, you can easily develop new applications, you can 
deploy them instantly, you can share them with other agencies.
    If you look at risk, usually at the top of the risk list is 
what this committee has focused on, and that is concerns about 
security and privacy.
    Mr. Bradshaw. I think there are great advantages to cloud 
computing. Innovation, innovation of features and 
functionality, but, more important, innovations around 
security, our ability to react much more quickly now to 
security threats. There are great cost savings as well for the 
taxpayer.
    As far as risk, I do think we, right now, are at risk 
of trying to label cloud computing a certain way so that we 
don't understand the security issues in it. We label it and 
dismiss it based on labels versus really what the security 
requirements are for the environment.
    Mr. Combs. Thank you, Mr. Chairman. I agree with all the 
comments that have previously been stated, but the greatest 
benefit, I think, is speed to delivery of capabilities, like 
Mr. Ganger brought up. Today, it takes far too long to 
implement new capabilities in organizations. With cloud 
computing we can rapidly implement capabilities and, therefore, 
keep up with the changing needs of the Government.
    As far as the greatest risk, I have to go back to my 
intelligence community days, that is the loss of the 
information. In the intelligence community, in the Department 
of Defense realms, that loss of information can mean the loss 
of lives. In the commercial world, that loss of information can 
be the loss of intellectual property and lots of money.
    So those are the greatest benefits and the greatest risks 
as I see them. Thank you.
    Mr. Ganger. I would say that the greatest benefit, as most 
have noted, is efficiency, efficiency both in terms of cost and 
in terms of the ability to roll out a new application, a new e-
Government approach in each of the individual applications that 
one wants to get started, both of those forms of efficiency.
    In terms of the greatest risk, I guess I am going to depart 
from a lot of people here and say that I would worry that the 
greatest risk is entrenchment and the difficulty that one has 
in making a transition from a comfort level that one has with 
the way they do things currently to something very different.
    And given how widespread the IT functions of the Federal 
Government are already, we heard about 1,100 data centers, 
getting all those people around the idea of looking at cloud 
computing and seriously considering not doing it all 
themselves, it is a tough sell to do that with people, to get 
them to really seriously consider doing that. The security 
aspect is one of the concerns that will get raised, and there 
are legitimate security concerns, but the technical security 
concerns, to me, seem smaller than the entrenchment concerns 
that will be rallied around, for example, the security word.
    Chairman Towns. Thank you very much.
    I now yield 5 minutes to the ranking member from 
California.
    Mr. Issa. Thank you, Mr. Chairman.
    Mr. Ganger, I am going to follow up with you as the honest 
broker. Eleven hundred data centers. In your opinion, is there 
any reason that this committee shouldn't drive the bureaucracy 
toward, let's say, 200 data centers and force people who have 
8, like GSA, to have 8 that are co-located within those 200 
centers? And wouldn't that represent billions of dollars in 
savings and a consolidation toward a private cloud--which is 
the second question, since you are writing--which is aren't we 
big enough at $80 billion worth of total IT services, tens of 
billions of dollars worth of specific software support and $20 
billion worth of infrastructure support, aren't we big enough 
to own our own cloud?
    I don't want to quote, but I will, the Rolling Stones, 
1967, when they said ``Get off of my cloud,'' but why would we 
get onto somebody else's cloud to begin with? Why wouldn't we 
say we are big enough to go alone or to be co-located with 
other locations, but have complete segregation so that security 
is designed in from the door on?
    Mr. Ganger. OK, so I will try to take them in the order 
that you gave them.
    Mr. Issa. No, no, take them in the order best for you.
    Mr. Ganger. OK. So do you drive data center reductions? I 
don't have a lot of insight into what the 1,100 are doing. It 
would shock me to hear that an analysis of the 1,100 doesn't 
lead to being able to do 200, for example.
    Mr. Issa. Earlier testimony, it took a long time to find 
out how many they had and where they were in some cases.
    Mr. Ganger. Which means, by the way, that it is going to 
take longer to do the consolidation than one might hope, right, 
because there is going to have to be a lot of learning about 
what functions those different data centers are doing in order 
to make a consolidation actually work.
    Mr. Issa. But just shared bandwidth efficiency, facilities 
advantages, all of that would be in the hundreds of millions of 
dollars, enough to pay for the consolidation in a short period 
of time.
    Mr. Ganger. Yes, absolutely, I agree. Huge advantages to be 
had there. And I would be really surprised to learn that type 
of consolidation couldn't be done and that those advantages 
couldn't be realized. The corporate world has done it and we 
have seen two examples of very large corporations that have 
gone from two- and three-digit numbers of data centers to 
single-digit numbers, and 12 was the second example.
    In terms of is the Government big enough to do a private 
cloud, there is no question the Government is big enough to do 
a private cloud. The question that you would have to ask 
yourself isn't whether you are big enough to do it, it is 
whether you have the expertise to do it for all of the 
different types of cloud technologies that you might need to do 
it for.
    Mr. Issa. OK. I am going to move to the cloud folks for a 
moment.
    Mr. Burton, you offer a public cloud solution that is 
already purchased by agencies of the Government, and they buy a 
product as a COTS product, basically. So that can proliferate 
with vendors offering them, and the only problem, of course, is 
certifying that the data they put on to your cloud is in fact 
safe, secure, and so on, right? Would you say that there are 
things like Mr. Combs might mention, the NSA or the CIA, that 
never really should be customers of yours, at least not with 
the same computer and the same location that are dealing in the 
clandestine world?
    Mr. Burton. Yes, I think without a doubt not only in the 
Federal Government, in the private sector there are certain 
data sets that are so secret, so sensitive that they will never 
go on to a multi-tenant cloud structure.
    Mr. Issa. There is a company in Atlanta called Coca-Cola. I 
suspect that is at least one formula you will never host.
    Mr. Charney, in light of that, won't there always be some 
private computing facility-based, like some of our labs 
activities, where even the hard drives have to be removed 
between uses? So, in a sense, isn't this committee looking at 
the migration of public, private, and legacy, with an 
inevitability that one size doesn't fit all?
    Mr. Charney. I agree with that completely. I mean, there 
will be cases where organizations, Government agencies want to 
run an on-premises system and control it very tightly, like 
some of the intelligence communities. There will be places 
where the Government is a community of interest and can share a 
cloud, and there may be places for public information that a 
public cloud service is not a big concern because it is 
information you want to share anyway. The key is customer 
choice and mapping the cloud model to the risk model.
    Mr. Issa. Mr. Bradshaw, I understand that you are a super 
salesman, among other things. You would like to sell as much of 
your product as you can, I am sure. But wouldn't you also agree 
that there is a segment that could be moved sooner, rather than 
later, to public cloud, a segment that needs to have that 
transition, and then a segment that will never, in the 
foreseeable future, make that transition?
    Mr. Bradshaw. I absolutely agree with that. We have aimed 
our initial offering at the sensitive, but unclassified, level 
to meet that or exceed it. But we do agree there are some 
things that we would not recommend you move to the public 
cloud.
    Mr. Issa. And I will close with one thing on behalf of the 
chairman and myself, both. Isn't one of the challenges to a 
truly transparent cloud, when it is pointed toward the public, 
that portion of cloud computing, the fact that all of our 
various Government agencies have failed to have standards that 
are interoperable and easily searchable so that you can know 
that a name or a particular cell in a data base will in fact 
correspond not just, but including Web sites?
    Mr. Bradshaw. I do believe it is very difficult to put 
standards in place that meet the requirements of all the 
individual agencies and individual bureaus within the agencies, 
and take advantage of information technology at the same time. 
That is a big challenge. But I do think we can use the current 
regulations that are in place, get a great understanding of how 
things compare, and then all of us, we have security experts in 
our company, let's take advantage of those and work with you to 
continuously update these through continuous monitoring and 
things like that.
    Mr. Issa. Thank you.
    Anyone else before the chairman reclaims my time?
    [No response.]
    Mr. Issa. Thank you all.
    Chairman Towns. Thank you very much.
    I now yield 5 minutes to the gentlewoman from California.
    Ms. Watson. Thank you.
    As I mentioned in my opening statement, in light of the 
recently reported cyberattacks involving China and other nation 
states, I would like to hear some specifics from each one of 
our vendors about how we would protect our particular systems, 
and I would like specifics on how your companies plan to 
demonstrate compliance with the requirements on a regular 
basis. And I would just like you to go down the line.
    And then I am going to ask, since we are not going to have 
time within this session to hold additional hearings in our 
subcommittee, how you would provide this information and would 
you give us kind of a summary in writing to our committee? And 
then we will submit that to your committee.
    So just tell us in your own words about what you, as an 
individual vendor, would do to protect the security.
    Mr. Charney. I think there are really two parts to the 
question. First, in terms of how we protect security, the real 
key is having a documented information security program that 
looks at the assets you want to protect, what the threats to 
those assets are, and then you build and test a set of controls 
to protect those assets.
    But the China question is a little bit difficult in the 
sense that one of the changes we have seen over the last 20 
years is a major change in the threat model. When I was at the 
Justice Department prosecuting cyber crimes in 1991 and 1992, 
at the beginning of my career there, a lot of the hackers were 
young students exploring networks.
    Now we have what we call the advanced persistent threat; we 
see more and more nation state activity on the Internet, we see 
more organized crime activity on the Internet, we see a black 
market for vulnerabilities. A regular documented information 
security program that might be adequate for most commercial 
purposes may not be completely adequate for an advanced 
persistent threat.
    This is why, for example, as I said earlier, I don't think 
the intelligence community should be parking its information on 
even public or shared tenant clouds. The advanced persistent 
threat is going to require a much more careful analysis and 
different cybersecurity strategies. I have, in fact, written a 
paper on this very point and would be happy to share it with 
the committee.
    Mr. Burton. Thank you for that question, Chairwoman Watson. 
Security is something that our smallest customers take very, 
very seriously; whether you are a corner pizza store 
maintaining your customer data or a multinational bank or 
health care company or an agency of the Federal Government.
    Ms. Watson. Let me be more specific. How do we have 
assurance that our Federal information within our systems can 
be protected? And I know this is not the place where you can 
give direct answers.
    Mr. Burton. I will respond to that.
    Ms. Watson. Good.
    Mr. Burton. Each of our customers can come in and do 
security reviews with Salesforce, and they do not go on to our 
platform until they are satisfied with our security. We comply 
with major international security standards, ISO 27001, SAS 70 
Type II, SysTrust. All of those are available. We feel that without 
trust no one is going to use Salesforce.
    So we have a site. Anyone can look at it, this committee can 
look at it, Trust.Salesforce.com, and if you look at that site 
you can see what the performance of our system is every single 
day. I looked at it this morning. We processed 315 million 
transactions yesterday, each one in about 300 milliseconds on 
that site. You can see the types of security attacks we are 
facing; you can see all of our credentials.
    If you want to lock down your security, it provides you who 
to talk to, how to get at that. So we feel that not only 
security standards, but transparency is critical to the whole 
cloud model, and that is why we have this trust site that is 
available for anyone to look at.
    And I think just the one question, to come back really, I 
think, to a comment Mr. Issa raised, is, yes, there are some 
data sets that are so sensitive, so secret that they should be 
kept outside of a cloud environment.
    But I think if you look at the vast majority of the data 
that the U.S. Federal Government processes and stores, it falls 
into a lower level of security, and I think that is perfectly 
adequate for a strong vendor with good security to manage on a 
multi-tenant platform in a cloud.
    Mr. Bradshaw. Thank you. Google has made a commitment at 
the executive level of the corporation to meet Federal security 
requirements. We have completed and submitted to the Government 
our FISMA certification package and we are waiting to hear. We 
do meet the security and privacy requirements that are laid out 
in the Federal statute under FISMA and we make those findings 
available upon request.
    I think what we also do, we are so focused on security. We 
all know this is a growing threat for everybody. We look at two 
areas, one is reducing the threat environment. So we are very 
focused on bringing down things that had been exploited in the 
past, trying to limit that, limit the doors that have made 
these threats possible; and then looking at moving some 
appropriate data to an environment where we can take our 
security professionals and we can take just multiple layers of 
security and protect that data for you.
    Ms. Watson. You are so out there, that is why I mentioned 
Google, because I say to myself would you Google that, please, 
quickly. We know the problems that all of you are facing, so I 
just want to get some ideas how you are addressing them.
    Mr. Combs.
    Mr. Combs. Thank you, ma'am. Today's security architectures 
are nothing more than a broken safety net of point security 
solution products. We have to move from point security products 
to an information-centric approach to managing our data. It is 
all about two things: it is about identities, those systems and 
processes that either need to have access or be restricted from 
access to our resources, and it is about the information. That 
information must be either available or restricted however an 
organization's policies define. That gets into your second 
part, which is Government risk and compliance.
    What we are doing at EMC is we have acquired technologies 
and we are further developing them to allow portlets for 
organizations to look inside our cloud offerings and to ensure 
that we are providing the Government the risk and compliance 
capabilities that matches their requirements.
    Ms. Watson. What I am going to advise my staff to do is 
send letters to all of you, and you can respond to the 
questions that we have in your letters. So you will get 
something and we will try to do it as soon as possible.
    Thank you so very much, and thank you, Mr. Chairman, for 
the time.
    Chairman Towns. Thank you very much.
    I now yield to the gentleman from Utah, Mr. Chaffetz.
    Mr. Chaffetz. I like the enthusiasm, Mr. Chairman. I 
appreciate that.
    Thank you all for being here, I appreciate it. Full 
disclosure: I think I have been a consumer of all of your 
products and services, with the exception of the parallel data 
lab. I can't think of something, although you probably have 
something I have consumed along the way, all with great 
success. You are obviously market leaders and we appreciate 
your perspective here, and we won't do it justice in the 5 
minutes, so if there is additional information you want to 
share with us, please know that we would love to have you 
follow up on that.
    Mr. Bradshaw, starting with you if I could, in your written 
testimony you say, ``The most important component of feeling 
comfortable with one's data in the cloud is trusting a cloud 
services provider and the practices and policies they have in 
place.'' Ronald Reagan famously said once, trust but verify.
    How does that work in a government-type model? Because the 
second part of my questions is how does Google, which is so 
unique in all the world, how does your business model fit with 
government types of services, where you have relied a lot on 
getting a lot of eyeballs and then converting those into 
advertising dollars? How does that work in a business model 
with the Federal Government or State government?
    But going back to this, OK, it is great to say, hey, trust 
us, that is the most important thing, but how do we gain a 
comfort level that information is secure?
    Mr. Bradshaw. I agree with you on that. First of all, I am 
in a group called Enterprise, which is a separate group from 
the consumer group you are very familiar with. We actually look 
at the consumer products and determine how we can change them 
so they fit into a government or into a commercial environment. 
So the products are slightly different and they are modified 
for that reason.
    As far as trust, we understand this is the biggest thing 
for you on security and privacy, so we try to be as transparent 
as possible. I think sometimes we make sure we put something 
out in a blog as soon as we find it so that you will understand 
what kind of problem we have. I think the benefit of that to 
you, and to me as well, is that the technology allows us to 
very quickly react to some of these attacks that we have seen, 
look at the situation, and then correct it, and immediately 
make that fix available to a lot of people. So, again, this is 
where the innovation just really plays to this increasing 
threat model we are all seeing.
    Mr. Chaffetz. And that is where I think one of the 
interesting questions going forward, is how do those cloud-
oriented companies, and in their business model, how do they 
make that work. We will have to explore that further.
    The GAO, in their report, reported that 23 out of 24 
agencies identified multi-tenancy as a potential information 
security risk. Do you find that? Is that baseless or is that 
something you would concur with?
    Mr. Bradshaw. I don't concur with this. I think we have 
many examples where we have multi-tenant application solutions 
that we use and we are very comfortable with, such as an ATM, 
you know, a banking system where multiple people are in the 
same system. We are very comfortable with that. I think the 
Government has several examples where they have solutions they 
have been using for years where they are multi-tenant.
    So I think you can gain so many benefits from this 
environment, again, because we are putting the data in one 
location and we are putting multiple layers around it.
    Mr. Chaffetz. Mr. Charney, how would you address that, the 
GAO concern?
    Mr. Charney. I think multi-tenancy can be fine, but I think 
it also raises different threat models, and the ATM analogy is 
not quite right; and the reason for that is I can go up to an 
ATM machine and put in my card and take out money, and it may 
be true that my account is stored with other accounts, but the 
ATM is not a platform on which I can load software. There has 
been some research done where academics have basically hosted 
in the cloud applications designed to attack the rest of the 
cloud, and with multi-tenancy in that environment, 
virtualization becomes key to separating the data.
    So it doesn't mean multi-tenancy is dangerous; what it 
means is it presents a different threat model and you need to 
make sure you are mitigating those threats.
    Mr. Chaffetz. So what are those technologies that ought to 
be highlighted in terms of differentiating?
    Mr. Charney. I think there are a few things. The key thing, 
of course, is that you have secured development of the 
virtualization technology; that the people who are developing 
that technology are trained in security and that they use good 
development practices and security to make sure that the 
containers that are built through virtualization are in fact 
robust.
    Mr. Chaffetz. Do we possibly have enough personnel in order 
to achieve that? I mean, it is hard enough to hire as it is in 
some of these specialized fields.
    Mr. Charney. Many years ago, when Microsoft adopted the 
Security Development Lifecycle, we took the view that, 
basically, keeping it to ourselves for competitive advantage 
was the wrong approach. We decided that what we needed to do 
was share our best practices.
    And what we did was we published books on threat modeling, 
on secure code development, and on the Security Development 
Lifecycle itself; and we published some of the tools we use in 
Visual Studio, which is our product for developers, and we have 
also made tools publicly available, like our threat modeling 
tool. We believe that there are not enough well-trained 
security experts on the planet today, and it is something the 
Government can help address as well.
    Mr. Chaffetz. Mr. Chairman, thank you.
    I can spend hours with each of you, but thank you for your 
time, and appreciate any followup. Thank you.
    Ms. Watson [presiding]. I would like now to yield 5 minutes 
to our distinguished member, Mr. Bilbray.
    Mr. Bilbray. Thank you, Madam Chair.
    I want to follow up on my colleague's comments about this 
exposure, I guess it was 23 out of 24. That really kind of 
makes us focus on the task at hand when we have that kind of 
exposure, and I again would like to follow up by asking why you 
think we have these risks but, more importantly, what can we do 
to address these risks and try to avoid impact by them? 
Basically, how do we armor the system and protect the system?
    Mr. Charney. I think in part there is a lot of concern 
because the technology is new and evolving. Therefore, we are 
not familiar with the risks and, undoubtedly, what will 
sometimes occur is we will learn new things along the way. I 
think there is a natural and healthy tendency to say I need to 
protect my data, and I may put it in this new environment that 
has these new threat models that I don't fully understand.
    The way to address that is through transparency; that is, 
that the cloud providers need to be transparent about how they 
run their operations and manage their information security 
program, and governments need to be clear about what their 
requirements are so that both parties to the transaction get 
greater comfort level with both what they are trying to 
protect, what they think is needed to protect it, and whether 
those controls are in place.
    Mr. Bilbray. Before we go on, let me just say, Madam Chair, 
it is kind of just reminding me of when I got here in 1995 and 
the leadership was changing after 40 years, that there were a 
lot of members of the previous majority that actually were 
terrified at the concept of having Internet between offices and 
among offices because they were worried about security. 
Literally, that was the fear at that time.
    Of course, at the same time we were still delivering 
buckets of ice, 95 years after the invention of refrigeration, 
but that fear was there even among Members of Congress as late 
as 1995, and I am sure it has been much more recent than that.
    Mr. Burton, you had a comment.
    Mr. Burton. Yes. I would very much like to comment on that 
question. Multi-tenant cloud computing is a mature technology. 
Salesforce has been doing this since its founding 10 years ago, 
and you have major banks, major health care companies running 
mission-critical applications on this platform today. Gartner 
says 25 percent of all new software sales are going to be 
software-as-a-service cloud computing next year.
    So I think while there are issues to consider, it is a 
mistake to say this is new, this is unproven, this is untested, 
don't go there. This has been tried and proven successfully in 
the marketplace.
    I think the key question about multi-tenancy, the key 
question about security is know your vendor. Does the cloud 
provider let you do deep security reviews? Does it have 
international security standards? Does it have transparency and 
trust so that you can go in and see what is going on? And I 
think as government agencies start exploring this, they will 
find that, in fact, there are some cloud providers that provide 
that today. There are lots of others who don't. There are lots 
of issues.
    We are going to be discussing this for some time, but I 
don't want this committee to leave with the impression that 
somehow multi-tenant cloud computing is not tested, it is new, 
it is not to be trusted, because I think the marketplace has 
already ruled on that and the marketplace is moving in a major 
way toward this new platform.
    Mr. Bradshaw. I also would like to point out I think 
something like FISMA provides a great way of evaluating the 
current systems we have against this new technology right now, 
so we can take a look at what we are facing with the current 
environment and put it right next to what we get, what benefits 
we get from it. FISMA has independent audits in there, we have 
that third-party audit, so it gives you a great way of looking 
and comparing this system to what is available to you right 
now.
    Mr. Combs. Why do we have these risks? There is no doubt 
that our adversaries can penetrate our networks and gain access 
to the resources that we have.
    Chairwoman Watson, you brought the Chinese up in your 
opening statement. It is absolutely proven time and time again 
that we cannot stop our adversaries from getting into systems 
that are available on the open Internet.
    This is why I say that moving information into the public 
cloud should be limited to the information that is public-
facing information. The internal information, the engineering, 
the intellectual property, the sensitive information that 
exists in our Government needs to be protected behind 
appropriate security measures to prevent us from getting into 
big trouble.
    Ms. Watson. Thank you.
    Mr. Issa, you will have the last comment and question, and 
then after that we will be adjourning; we have two votes or 
three votes, as I understand, at 2.
    Mr. Issa. And I will be brief.
    Mr. Combs, in a compartmented world, the term compartmented 
exists for a reason. Would you briefly, in light of a multi-
tenant environment, if, hypothetically, all of Government was 
all in the cloud and, because of government-to-government 
requirements, interlaced, what would happen to the historic 
compartmenting that we rely on in the intelligence world today?
    Mr. Combs. Mr. Issa, there are ways to bring cloud 
computing into those environments. The consolidated data 
centers that are going on within the Directorate of National 
Intelligence today, these are similar security requirements 
across the intelligence community.
    We can develop and deploy private cloud environments in a 
multi-tenant environment that will allow the security controls 
to be protected in that environment. Across NASA, NASA is going 
through a 110 data center consolidation right now. Much of 
their engineering processes today are similar, yet they have 
110 separate data centers.
    Mr. Issa. I think you have answered the question. I want to 
be brief for the Chairlady.
    Mr. Bradshaw, responsible disclosure, when companies 
discover flaws in each other's software, does your company have 
a stated policy for how that is to be done?
    Mr. Bradshaw. We do make security and privacy statements. 
We definitely try to be as transparent as we possibly can.
    Mr. Issa. No, that wasn't the question, sir. All of the 
software companies that interact get access to various portions 
of each other's source code and interface with it for purposes 
of porting software, going back and forth through data bases 
and so forth.
    Does Google have a responsible disclosure policy as to 
discoveries of opportunistic or whatever security failures? How 
do you inform Sun or somebody else that you found something 
that would be a vulnerability to the outside world if it were 
discovered? You have teams of software producers, as does 
Microsoft, as does Salesforce. What is your stated policy or do 
you have a stated policy if a software engineer discovers a 
vulnerability in somebody else's software?
    Mr. Bradshaw. I can't personally state the policy, but I 
will be glad to get that back to you.
    Mr. Issa. If you would respond to that for the record. 
Actually, if all of your companies would. It is an area of deep 
concern to me, mostly because I understand the Chinese are out 
there trying to penetrate us. I find it interesting that 
sometimes the penetrations end up in blogs and they really come 
from software engineers employed by competitors.
    And as long as we are buying from all of the companies, the 
one thing we don't want is a vulnerability created at our 
expense in a competitive environment. So if each of you would 
respond to the extent it is appropriate to your company.
    Ms. Watson. Let me ask that each of you will respond in 
writing. We have all framed the question, if that is all right 
with you.
    Mr. Issa. That would be great.
    Ms. Watson. Because that is a vote.
    Mr. Issa. OK, and I have one closing one only for the 
record, and it is for Google. The Presidential Records Act 
requires that we capture all emails of the President and their 
entire Office of the President. Could you respond for the 
record on how you are capturing Gmail messages that are being 
used in and around the White House by White House personnel?
    Mr. Bradshaw. I am in a group, again, that sells a product 
to the Federal Government, but it is not the Gmail system, the 
personal Gmail system. In our group, in our organization, we 
have a tool that allows you to do e-discovery as well as 
archiving for our mail product.
    Mr. Issa. And I was talking about specific examples of what 
is going on relative to use of the public Gmail. So if you 
could respond for the record. Thank you.
    Ms. Watson. All right, thank you so much for your 
questions, Mr. Issa.
    I want to thank the witnesses for your testimony, the time 
that you have spent here. We are sorry for the interruptions, 
but this is the Congress and we do have to go to vote.
    Thank you, audience, for hanging in here with us. The 
meeting is now adjourned and we will put our comments and 
questions in writing to you. Thank you.
    [Whereupon, at 2:07 p.m., the committee and subcommittee 
were adjourned.]
    [The prepared statement of Hon. Gerald E. Connolly and 
additional information submitted for the hearing record 
follow:]
[GRAPHIC] [TIFF OMITTED] 58350.100 through 58350.118 (19 pages of 
submitted material, images not included in this text version)