CIA trusts cloud security, but only in private clouds

It turns out the CIA is interested in cloud computing, but not cloud services for security reasons.

The agency’s deputy CIO says it won’t embrace the type of cloud computing advocated by the nation’s CIO because it prefers to keep the data it entrusts to a cloud architecture within the CIA’s firewalls.

There, cloud computing makes for stronger security because applications and operating systems are centralized where patches and other fixes can be made more efficiently than with traditional hardware servers. The agency relies on Web applications and thin clients, which centralizes the applications, and the virtual environment of the cloud creates a common base and standards.

Security for the CIA cloud can be designed and then deployed consistently because of the common underpinnings of the cloud network. The agency’s cloud relies on segmentation and encryption as well as audits to insure and monitor security.
The lesson for businesses is that there are security benefits to be reaped from adopting cloud architectures in addition to the cost savings and flexibility they can offer.

The CIA is the extreme case for needing security, so its shunning of public cloud services is understandable, but not necessarily transferrable to business needs. Some business resources can certainly be entrusted to the cloud. What exactly that should be is a decision to be made carefully.

And there is also the argument that cloud providers, with better resources than many businesses, may be able to provide better security than a private enterprise could afford itself.

Tim Greene is senior editor at Network World.