Capital Area Cloud Computing User Group

www.capcloud.org

Cloud Computing Discussion with Mr. Gregory M. Dupier


by Tony Witherspoon

Given that Mr. Dupier is a director of PwC’s Washington Federal Practice, you would not initially expect him to be focused on the challenges of providing security assurance within cloud computing. Although PwC’s primary focus has traditionally been audit and assurance, tax, and advisory services, the firm also supports its customers in protecting their data and systems in the cloud. In November I had the opportunity to sit and talk with Mr. Dupier for a short time to hear his perspective and outlook on cloud, cloud security, and how they will affect the government.

Have you read the book “The Big Switch”, by Nicholas Carr? Do you agree with Mr. Carr’s assessment that IT is becoming a utility?


I started off our discussion to garner some insight into Mr. Dupier’s thoughts and perspective on IT as a utility, as described in Mr. Carr’s book “The Big Switch.” Carr’s book draws a comparison between the electricity industry at the turn of the 20th century and today’s IT industry. Carr’s ultimate point is that IT will inevitably become a utility provided by a few entities rather than generated by every corporation or agency in its own internal data center. Mr. Dupier not only agreed with Carr’s vision of IT computing, but also stated that there is a misconception that the federal government is lagging in the area of cloud computing. He argues that the government has been an early adopter of IT as a utility through its use of consolidated computing, networking, and storage resources. Mr. Dupier pointed out a few dissimilarities between his outlook and Carr’s: 1) electricity is generally pushed one way, while data is both pushed and pulled by consumers; 2) IT data must be protected; and 3) the scaling of IT demand is much harder to estimate than electricity demand.

What deployment model will most government agencies adopt?

Many government entities transitioning into the cloud must decide on a cloud deployment model based on their specific business/mission, technical, regulatory, and security requirements. Mr. Dupier spent some time talking through the deployment models and identified possible government use cases for each: Public Cloud (basic enterprise functions and common productivity tools), Community Cloud (HR, CRM, ERP, etc.), and Private Cloud (mission critical/sensitive systems). As Mr. Dupier discussed each deployment model he pointed out that as you move from public to private, the data sensitivity and risk tolerance of these systems change, and thus your cloud deployment model must also adjust accordingly to meet the customer’s requirements.

What are the biggest security obstacles to the acceptance of cloud computing in the federal sector?

When you start a discussion around cloud computing with a typical security professional, many but not all get really nervous about the topic. At different levels cloud can mean shared infrastructure, compute, networking, and storage, which equals a loss of control over those assets. In some cases those resources may no longer reside in customer/client controlled data centers, which makes some individuals very uneasy, especially the ones that feel secure in the fact that they can simply drive to their data center to see the blinky lights on their equipment behind a locked cage, validating its security and safety (not necessarily reality).

During our discussion Mr. Dupier talked through many of the common concerns or obstacles to cloud computing, such as object/data level security, location of the data (US soil versus foreign soil), data persistence, data aggregation/inference, and commingling of systems and data with unknown tenants. But the most interesting risk, and one that I do not typically hear a lot about, is how organizations, agencies, and cloud providers prove and validate security. In the end it all comes down to this simple statement: “If you cannot prove it, you are not secure.”

Where are the biggest investments being made in cloud security?

The last question led really well into our next topic of where the big investments are being made in cloud security. Mr. Dupier first addressed the major threat areas of secure virtualization and object/data level security. The basic concept is that if you secure the compute and data resources from internal and external threats, organizations will feel safe in the cloud. Mr. Dupier and his firm PwC feel that the next big wave of investments will come in the form of auditing and compliance checks of cloud systems and applications. Organizations and government agencies must prove that these new cloud systems and applications are truly secure. A recent report from Gartner agrees with Mr. Dupier’s outlook. Gartner states that by 2016, 40 percent of enterprises will make proof of independent security testing a precondition for using any type of cloud service.

As government agencies move towards the cloud, what lessons learned would you provide to them that are often overlooked from a security perspective?

The goal of cloud computing is to drive out further efficiencies in your IT environment while allowing an organization to direct more focus on its mission or business objectives. The goal of the Cloud Security Alliance and companies like PwC is to support secure operations in cloud environments. Here are several lessons learned from our discussion that we all can learn from and reflect on as we continue this transition to the cloud.
• Execution of security is the responsibility of the vendor, but this does not abdicate the customer’s role in security.
• If you are new to cloud computing or just need the support, an IV&V (independent verification and validation) vendor plays a valuable role in looking out for your interests.
• Security is not one size fits all; utilize a risk-based security model to protect your systems and assets appropriately, since over-costing and overcomplicating security hinders the utility of your systems.
• Lastly, implement a sound audit and compliance function, and remember: “If you cannot prove it, you are not secure.”

I want to thank Mr. Dupier for his time and for sharing his outlook on cloud computing.

by Tony Witherspoon (Capital Area Cloud Computing User Group), Director of Research
