Within the federal government, the shift toward virtualization and cloud computing is already well underway, but agency and industry officials warn that those migrations invite new security considerations, particularly in the form of insider threats.
Eric Chiu, president of the cloud and virtualization security firm HyTrust, notes the familiar list of arguments in favor of virtualizing servers and systems lower costs and increased agility and efficiency chief among them but points out that there are dangers associated with that transition.
"Virtualization also concentrates risk ... You're taking what used to be lots of separate physical systems that had their own configurations, their own separate management consoles, their own separate group of experts that managed them, and you're collapsing all that functionality onto a single software layer," Chiu said during a panel discussion hosted by Federal News Radio.
"Any virtualization admin can access any VM, could copy any VM, could delete or destroy any VM," he adds. "If you look at today's threat, it's really coming from the inside."
Federal IT Leaders Must Be Vigilant as Network Perimeter Widens
Officials stress that vendors have an important role to play in facilitating the shift to the cloud and virtualized servers and systems within the government, particularly as agencies mull the implementation of service models at the software and platform levels.
For agencies, that puts a premium on working with service providers in the vendor community to hammer out security protocols through the contracting process. At the same time, government organizations have been deploying the continuous diagnostics and mitigation (CDM) program that the Department of Homeland Security has been developing to provide for real-time network monitoring and threat detection.
State Department CISO Bill Lay points out that when the network-level operations are turned over to a third-party provider, government IT workers often won't be able to conduct the same security checks as they once could when all the systems were managed in-house. That means federal IT managers must work with their vendors to ensure that the personnel with access to the network are properly vetted and satisfactory security controls are in place.
"It all comes down to how you negotiate and write your contract," Lay says.
John Skudlarek, deputy CIO at the Federal Communications Commission (FCC), agrees, noting that his agency is looking to partner with forward-looking, innovative vendors but, at the same time, remains cautious about teaming up with young startups.
"One of the key aspects is ensuring that you pick the right provider, that they've got appropriate security controls in place, that you're able to negotiate those good SLAs," Skudlarek says. "I would probably want to be somewhere near leading-edge, but not necessarily bleeding-edge, because you'd like somebody that's got a track record."
Sign up for Computerworld eNewsletters.