Administration backs cloud computing while agencies weigh risks

The Obama administration believes cloud computing could be the key to closing the technology gap between the private and public sectors, but having to depend on private companies to store federal data and applications has its own risks, according to congressional testimony on Thursday.

The House Committee on Oversight and Government Reform held a hearing on the potential risks and benefits of cloud computing, where users remotely access data and applications stored on private servers.

Cloud technology is increasingly used in both the public and private sectors; Web-based services like Google Mail and Google Apps are popular with the public, while the federal government's official portal USA.gov has been hosted in the cloud since last year.

"Quite simply, it is the way computing services are delivered that is revolutionary," said David McClure, associate administrator in the General Services Administration's Office of Citizen Services and Innovative Technologies. "Cloud computing allows users to provision computing capabilities rapidly and as needed; that is, to scale out and scale back as required, and to pay only for services used."

The Obama administration has been a strong advocate of cloud computing, arguing that allowing private companies to house and maintain servers, software and applications reduces costs and makes networks more reliable.

Federal Chief Information Officer Vivek Kundra said the government spends a quarter of its $80 billion annual IT budget on basic infrastructure such as hardware, software, electricity and personnel. He said shifting to the cloud could significantly lower those costs.

But Greg Wilshusen, director of information security issues at the Government Accountability Office, said agencies are concerned about relying on a private firm to house all their data. He said shifting applications to the cloud could create information security risks and leave agencies dependent on their cloud provider's security practices.

Wilshusen raised the possibility a cloud provider could fail to adequately delete data once their services are complete. The government could also lose control of its data if the company goes out of business or suffers a major security breach. He said agencies have expressed concerns about those scenarios and that risk could vary depending on the type of cloud network being deployed.

"The adoption of cloud computing has the potential to provide benefits to federal agencies; however it can also create numerous information security risks," Wilshusen said, adding that many agencies have taken steps to address the risks but have failed to develop corresponding guidance.

In particular, he said the Office of Management and Budget has not developed a security strategy and GSA has yet to develop an authorization process for buying cloud computing systems.

McClure said the agency is working on a pilot project on cloud computing procurement called FedRAMP that should end in October. He said he expects a similar, government-wide program to be launched shortly thereafter.