There have been a huge number of articles in the last few months talking about the President's tacit acknowledgment of the future of cloud computing: a federal budget that relies heavily on the cloud as part of the datacenter consolidation required by the plan to control governmental IT costs. Now I realize that a President's actual contribution to the design of the federal budget likely amounts to little more than accepting what they are told by their advisors, but one really has to wonder why those advisors are so readily drinking the cloud Kool-Aid.
Or perhaps those advisors aren't, but are instead pandering to a vague public perception that "the cloud is the solution." Every time I write about the cloud, I get a flood of public and private responses with a very common theme: how can you trust the security of a solution that you cannot control end to end? Even the cloud-positive responses often focus on a specific set of security or data control issues which the writer feels their business has properly addressed.
The National Institute of Standards and Technology, in light of the "cloud-first" directive from US government CIO Vivek Kundra, has issued two NIST Special Publications: SP 800-144, Guidelines on Security and Privacy in Public Cloud, and SP 800-145, The NIST Definition of Cloud Computing. The main problem with the security document is that it really presents nothing new; the guidelines it contains are pretty much the same recommendations that any competent IT security professional would give their employer or client. The issues that cloud security will present as the technology matures and becomes more prevalent (which also means more bad guys looking for cracks) aren't really discussed.
The fact that NIST is basically recommending that agencies take their own responsibility for security, and not just trust the cloud vendor, falls into that same category of common sense advice. The problem is this: given the widely reported security problems with existing governmental and military networks, with failures in preventing unrestricted unauthorized physical access and a raft of malware, Trojan and virus attacks by foreign governments, and including the recent successful Anonymous attack on HBGary, what makes anyone think that there will be a simple, or even near-term, solution to securing the potential petabytes of governmental data that will be migrated to the cloud?
The reality is that any cloud service provider with a contract with a US government agency will become a lightning rod for external attacks from everyone from bored script kiddies to inimical foreign agents. And the cloud just isn't ready for that.