Posted by Scott Charney Corporate Vice President, Trustworthy Computing
Today I’m testifying at a hearing of the House Committee on Oversight and Government Reform. The hearing is on the benefits and risks of the federal government’s adoption of cloud computing.
Cloud computing in its many forms creates tremendous new opportunities for cost savings, flexibility, scalability and improved computing performance for government, enterprises and citizens. At the same time, it presents new security, privacy and reliability challenges, which raise questions about functional responsibility (who must maintain controls) and legal accountability (who is legally accountable if those controls fail). Customers, including the government, need to make informed decisions about adoption of the cloud and its various service models because the model that is embraced will entail different allocations of responsibility between the customer and the cloud provider(s).
This shifting responsibility requires that both cloud providers and governments take seriously their distinct and shared responsibilities for addressing the security, privacy and reliability of cloud services. Both customers and cloud providers must understand their respective roles. Customers must be able to communicate their compliance requirements, and cloud providers must be transparent about the controls in place to meet those requirements:
In addition to speaking about security, privacy, and reliability, I raised one other issue worthy of note. The mechanisms to provide identity, authentication and attribution in cyberspace do not yet meet the needs of citizens, enterprises or governments in traditional computing environments or for the cloud. This inability to manage online identities well puts computer users at risk and reduces their trust in the IT ecosystem.
The cloud only amplifies the need for more robust identity management to help solve some of the fundamental security and privacy problems inherent in current Internet systems. As people move more and more of their data to the cloud, and share resources across cloud platforms, their credentials are the key to accessing that data. The draft National Strategy for Trusted Identities in Cyberspace, recently released by the White House, represents significant progress to help improve the ability to identify and authenticate the organizations, individuals and underlying infrastructure involved in an online transaction. Government and industry must continue to work together on this initiative, as well as on advancing standards and formats on both a national as well as a global basis, to enable a robust identity ecosystem.
Microsoft is committed to helping the federal government as it looks to adopt cloud computing services. As part of this effort, we recently encouraged industry and policymakers to take action to build confidence in cloud computing, and proposed the Cloud Computing Advancement Act to promote innovation, protect consumers and provide government with new tools to address the critical issues of data privacy and security. In a recent interview on C-SPAN, Microsoft’s general counsel Brad Smith talked about the need for new rules to protect business and consumer information.
I thank Chairman Towns, Ranking Member Issa, Chairwoman Watson, Ranking Member Bilbray and members of the House Committee on Oversight and Government reform for their leadership on this important issue. I look forward to continuing to work with them, other Members of Congress, the Obama Administration and others in the industry on advancing government adoption of cloud computing. You can read my full testimony here.