Trump Administration Calls For Government IT To Adopt Cloud Services (reuters.com) 208
According to Reuters, The White House said Wednesday the U.S. government needs a major overhaul of information technology systems and should take steps to better protect data and accelerate efforts to use cloud-based technology. The report outlined a timeline over the next year for IT reforms and a detailed implementation plan. One unnamed cloud-based email provider has agreed to assist in keeping track of government spending on cloud-based email migration. From the report: The report said the federal government must eliminate barriers to using commercial cloud-based technology. "Federal agencies must consolidate their IT investments and place more trust in services and infrastructure operated by others," the report found. Government agencies often pay dramatically different prices for the same IT item, the report said, sometimes three or four times as much. A 2016 U.S. Government Accountability Office report estimated the U.S. government spends more than $80 billion on IT annually but said spending has fallen by $7.3 billion since 2010. In 2015, there were at least 7,000 separate IT investments by the U.S. government. The $80 billion figure does not include Defense Department classified IT systems and 58 independent executive branch agencies, including the Central Intelligence Agency. The GAO report found some agencies are using systems that have components that are at least 50 years old.
Not a surprise. (Score:5, Insightful)
I'm not surprised that this administration has fallen for the shiny veneer of cloud services. However, the idea that this will improve security is laughable. I agree that we need to a technological overhaul using the latest protection but cloud services are not the solution and far from the panacea they claim to be.
Re: Not a surprise. (Score:3, Interesting)
Why leak data when you can let it flow like Niagara Falls? =)
Popcorn anyone? Anyone??
Re: (Score:2)
Re: (Score:2)
But, if it is in the cloud, at least you can count on some security expertise, vs the wife of a middle-east technical school graduate that Wasserman-Schultz had running the DNC's computers.
Re:Not a surprise. (Score:4, Interesting)
I think you're being too cynical. AWS GovCloud is pretty damn nice:
http://docs.aws.amazon.com/govcloud-us/latest/UserGuide/whatis.html [amazon.com]
Helped a friend move two web apps used by the state of Washington from their Windows 2000 servers with firewalls that hadn't been touched in over a decade to it. It's most certainly more secure now with revisited firewall (Security Groups in AWS-speak) and ELB (elastic load balancer) in front of the server with no direct access to the Windows servers.
Re: (Score:2)
Trump is involved, so they'll be using AWS GoyCloud instead.
Re: (Score:2)
The "security" of many of them is little more than a sad joke.
Re: (Score:2)
You do realize you can go cloud without shared virtualization. You can ensure only your assets on are the hosts. Hell you can even go cloud with bare metal servers. It's nearly impossible to come up with a design AWS will not support. (although costs...)
Re: Not a surprise. (Score:2)
Re: (Score:2)
I started looking into that a little last week. Some higher-ups frequently flirt with the idea of going cloud at my workplace (not federal but still gov't), which given the nature of our work, gives most of us the willies - especially me since I'm the storage admin. Even if Amazon really has a new, more secure system (what's that say about their main cloud storage?), the fact remains that your data is no longer really in your hands, and will likely never be under your control again. OTOH, we constantly str
Re: (Score:2)
Even if Amazon really has a new, more secure system (what's that say about their main cloud storage?),
As you should know, when it come to the government, "secure", means "passes audits". Even if it's the same system, the gov cloud passes the needed audits and thus is "more secure".
Then there's this. [theatlantic.com] You can bet it's more secure - in terms of physical security if nothing else.
the fact remains that your data is no longer really in your hands, and will likely never be under your control again
If you're outsourcing your IT, that's already true.
Re: (Score:2)
If you're outsourcing your IT, that's already true.
Good point. We don't outsource much, but I can't say we don't do it at all; we have vendors manage only a couple of many systems, but they're critical ones.
Re:Not a surprise. (Score:5, Insightful)
Forgive me for slightly playing Devil's Advocate here. I'm also a bit wary of the rush to cloud services, but...
Haven't most of the worst security disasters we've heard of in the past few years come from companies or government departments losing control of their own in-house systems and data? So, what do you think is more risky... apparently incompetent IT management / staff who don't know how to keep things patched (e.g. Equifax, previous government SNAFUs), or the risk of turning over sensitive information to someone else, who one presumes has more expertise in keeping stuff secure.
For all the potential risks of cloud services, I haven't heard of too many major breaches of Amazon, Google, Intel, or Microsoft services, even though those have got to be very significant targets. Most "breaches" I've heard of involving AWS, for instance, are due to misconfiguration, not necessarily the fault of the platform.
If you read the article, you see a lot of compelling reasons for at least modernizing and consolidating many of those very expensive and often obsolete systems. Naturally, each federal agency has their own completely unique-as-a-snowflake system, and often pays many times what a more modern commercial system should typically cost. This is apparently an effort to get some runaway costs under control, and if it can be done safely, that's a big win. Whether this should be done with commercial cloud services rather than trying to consolidate internally is certainly a valid point of debate.
The worst of both worlds, of course, would be contracting with a cloud vendor who ALSO has incompetent management / IT staff. If the "unnamed cloud-based e-mail vendor" mentioned in the article turns out to be Yahoo, I'm going to sit in a corner and cry.
Re: (Score:2)
Re: (Score:2)
Haven't most of the worst security disasters we've heard of in the past few years come from companies or government departments losing control of their own in-house systems and data? So, what do you think is more risky... apparently incompetent IT management / staff who don't know how to keep things patched (e.g. Equifax, previous government SNAFUs), or the risk of turning over sensitive information to someone else, who one presumes has more expertise in keeping stuff secure.
I think it's impossible to even bother contemplating what the benefit or harm is without knowing details.
Simply moving servers to VM's in someone else's data center changes nothing. You still have the same people and things accessing the systems same as before. You have the exact same management overhead. If anything you've increased security threats because now there is a chance of external VM compromise and more access over Internet links vs what would have previously been more localized.
If on the othe
Re: (Score:2)
The problem is that when Amazon or Google does eventually get hacked it's going to expose vast amounts of highly sensitive data.
That's fine if the data is properly encrypted. That's a big if though.
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Amazon is one of the few companies out there that gives a shit about security. That attitude doesn't guarantee security, of course, but the (shockingly common) attitude of security as a cost to be minimized guarantees lack of security.
Not sure about Google, as I only know a couple people who work there, but their lack of a major incident thus far (AFAIK) is a good sign.
Re:Not a surprise. (Score:5, Insightful)
The breaches on AWS have been, for the most part, the failure of users to actually configure the security correctly, if at all. Plenty of stories of failure to secure S3 buckets full of sensitive documents [cyberscoop.com]. More troubling, was the hazard of using systems that you don't control, as evidenced by the AWS East-1 outage in March of this year [theregister.co.uk]. . . .
Re: (Score:2)
More troubling, was the hazard of using systems that you don't control, as evidenced by the AWS East-1 outage
Wherever your servers are, there is risk. What matters is the relative competence of the AWS guys vs the local IT department, which is going to vary considerably. If you've outsourced IT to the lowest bidder, chances are the AWS guys are the better bet.
Re: (Score:2)
The important question, is how did the classified data get onto an unclassified system to begin with. SENSITIVE data, I can believe, but not everything sensitive is classified. If someone placed classified on an unclassified system . . . .that, technically, is a felony. Which is sporadically enforced, based on who did it. . .
Re:Not a surprise. (Score:5, Informative)
I have mod points but I prefer to post on this.
I understand your point but you haven't shown how not patching on bare metal is less secure than not patching on the cloud. Unless you are saying to completely outsource all your IT to the cloud service providers including your business logic and getting rid of your IT department.
The other thing you haven't mentioned is why it would be more secure to host an OS which is hosted on a OS which is hosted on bare metal. The added layer of complexity adds potential avenues of attack.
The assumption that someone else can better manage your needs perplexes me. I use cloud services and bare metal. What I found is that cloud services tend to be less expensive as a point of entry but 3 to 4 times more expensive than bare metal when considering the whole investment. There is an assumption that the cloud service provider will take the same care as you would in preparing the network. While I can't vouch for every provider or judge them all. I found that in most cases, if you care about your business, you will take the time to ensure that all is in place but there is no way you can ensure that the cloud provider did.
With all that being said my last 5 outages were due to my cloud provider while my bare metal problems didn't result in any outages. Now I am not sure what caused their outages. Is it equipment failure? Was it a miss-configuration? Was it a security breach? I was told that it was always equipment failures but I thought and was sold the solution that the cloud can mitigate such issues better than bare metal.
My point in all this is that when you pass control to someone who you can't completely evaluate, it may come to bite you in the ass if you don't have a backup up plan. The other thing is, I am sure that Apple, Microsoft, Google, Amazon et al don't disclose all their security breaches that affect their clients and that is speaking from past experiences.
But your mileage may vary. I am just speaking from my anecdotal experience.
Re: (Score:2)
I understand your point but you haven't shown how not patching on bare metal is less secure than not patching on the cloud.
That's not his argument. His argument is, your internal IT probably sucks and isn't patching. And more than patching, they might have introduced a bunch of other attack vectors because they don't really know what they're doing, whereas major cloud providers have security experts on staff.
The other thing you haven't mentioned is why it would be more secure to host an OS which is hosted on a OS which is hosted on bare metal.
I also don't think that was the argument. Though honestly, it generally makes sense to virtualize your servers rather than install on bare-metal, even if you're not putting those VMs "in the cloud". Yes, it does have th
Re: (Score:2)
Re: (Score:2)
Will the administrator who doesn't care about securing the server properly really care about setting up the permissions to access the data on the cloud?
Re: (Score:2)
Ah, good point. That was a bad choice of words. I think perhaps "unnecessary expenses" would be better, given this quote:
Government agencies often pay dramatically different prices for the same IT item, the report said, sometimes three or four times as much.
I suppose we're all sort of used to that thing by now, but it's still annoying that it's just accepted as the way it is.
One could also argue that perhaps not enough funding is going to the right places, instead, letting security standards lapse because it it's easier to leave the old technology in place, vulnerabilities and all.
Re: (Score:3)
My local bank has a higher attack surface than my house but I feel less likely to lose my money to a bank robbery than a home burglary.
Re: (Score:2)
I'm not surprised that this administration has fallen for the shiny veneer of cloud services. However, the idea that this will improve security is laughable. I agree that we need to a technological overhaul using the latest protection but cloud services are not the solution and far from the panacea they claim to be.
When I read stuff like this I feel like I've fallen back into 2008. 'Cloud' doesn't mean just give all your stuff to someone else and stop thinking about it, it means stop trying to own everything and adopt a service-centric model.
In case this scares you think of things like electricity, you don't bother generating your own electricity, why not? Or a Public bus or train, people rely on them, why not buy your own train? A bank etc.
With IT, nerds seem to adopt the approach of I can do it all myself without
Re: (Score:2)
Pick One. (Score:2)
Cloud Services or better data security. Ain't gonna get both in the same package.
Re: (Score:2)
Re: (Score:2)
However, the idea that this will improve security is laughable.
Why? The thing about using someone else's computer is that this other person is likely a lot better at managing that computer than I will be. Extrapolating to corporations: How many direct attacks on cloud vendors have resulted in a large breach of critical information? Compare those figures to breaches on people privately controlling their own infrastructure.
I probably could repair my own car as well, but I chose to pay an expert to do it.
Re: Not a surprise. (Score:4, Insightful)
Re: (Score:3)
However, the idea that this will improve security is laughable.
It depends on how well their in-house services are maintained. I wouldn't be so sure that all of the government agencies have great, or even competent, IT staff, or even a sensible person deciding the budget. And I don't even say that as a slam against the government. In my experience, very few companies have a competent IT staff.
But if you have some crappy old unpatched and unmaintained IT infrastructure, then moving it to a cloud provider where the infrastructure is managed and maintained by experts c
Re: (Score:2)
I'm not surprised that this administration has fallen for the shiny veneer of cloud services. However, the idea that this will improve security is laughable. I agree that we need to a technological overhaul using the latest protection but cloud services are not the solution and far from the panacea they claim to be.
Someone's got a plan to make him and his buddies a lot of money off mandatory cloud storage.
At least it will some particular folks more concentrated targets.
It's got nothing to do with shiny (Score:2)
Re: (Score:2)
This is an astonishingly stupid idea even for the Trump administration. We're demonstrating on a daily basis that securing information and providing reliable services on the cloud is extremely difficult and quite possibly simply can't be done. Given that the government is run by folks dedicated to further annoying existing foreign enemies and alienating as many current friends as possible, why would making the workings of government accessible to everyone on the planet seem like a good idea?
Not to mention
Management Buzzwords (Score:2)
Nothing wrong with the cloud, but as you say not only is the idea that it will improve security laughable (likely the opposite actually), but that is will solve all the governments IT problems, specifically that of costs is equally laughable.
As someone who works in the industry I get this question all the time. Why is it so expensive to do IT work in Government as opposed to private industry? Sure some of that is bureaucracy and waste, but likely little more than what exists in any very large organization i
Re: (Score:2)
Why not? (Score:3)
What could possible go wrong?
Re: (Score:3, Funny)
Your keyboard, or so it would appear.
Good idea (Score:2)
I bet Russia has a few vendors showing interest.
Re: (Score:2)
why when BGP exists...
Mutually incompatible options (Score:1)
Better security or move to the cloud: you can only pick one.
Re: (Score:2)
"Better" requires a definition and something to compare against.
Hmmmm.... (Score:5, Funny)
Sounds like a bad idea. I wonder which cloud provider wrote this directive?
who else? (Score:2)
the Central Committee of the CCP
wait, I mean Baidu Cloud
Re: (Score:2)
I wonder which cloud provider wrote this directive?
mail.ru
Goverment System = Secure Stable Durable (Score:5, Insightful)
The government should never use cloud services. They should by law be mandated to maintain, quite expensive hardened electronic data systems, backed up by manual, actual dead tree and pen and pencil systems. So that in the event of catastrophic failure which is inevitable, (major solar flare, impacts, extreme storm events, major geologic events et al). They can rebuild systems, this versus the idiotic lowest tenders, maximise this quarters profits, who gives a fuck what happens in a years time, so what if society suffers I have a bunker, moronic thinking. Oh look the orange orangutan likes cloud and his idiots council has been paid big time bribes so contract out to private for profit clouds. That way private corporations will control and access all government data for total control, well, right up until catastrophic failure and than a whole bunch of Americans die over years as the country slowly rebuilds. Stupid is as stupid does.
Re:Goverment System = Secure Stable Durable (Score:5, Interesting)
As a result of working for DOD contractors at various times my identity information — extremely detailed identity stuff, like who I went to grade school with and every place I've ever lived and every foreign country I've ever visited — has been stolen from Federal government systems three times now. We see no end of criminality in the handling of the Federal government's electronic documents and no end to the incompetence and deliberate neglect in maintaining recoverable backups.
This Federal government you imagine of competent, conscientious and moral people that don't neglect things and don't destroy incriminating things is a fiction inside your head, and no amount of billions of dollars can ever make it real; it's broken by design. I can't see how moving the bulk of it to efficiently run and competently maintained cloud environments could do any harm, and it may well improve things in a number of ways. At the very least it may stop being trivially simple for the next Paul Combetta to doctor and erase the record.
Re:Goverment System = Secure Stable Durable (Score:5, Insightful)
It's worth pointing out that the OPM breaches were on servers maintained by contractors and other breaches were from other companies that the government outsourced background checks to.
Re: (Score:2)
It's worth pointing out that the OPM breaches were on servers maintained by contractors and other breaches were from other companies that the government outsourced background checks to.
That's not worth pointing out at all. It's equivalent of Trump blaming crime on immigrants.
To counterpoint this ridiculous point: https://listverse.com/2016/01/... [listverse.com]
Re: (Score:2)
We see no end of criminality in the handling of the Federal government's electronic documents and no end to the incompetence and deliberate neglect in maintaining recoverable backups.
Malice (deliberate neglect) and incompetence are completely different problems, likely to have different solutions. I don't see how either of those is fixed by outsourcing, though.
If the problem is govt workers can't secure systems, you need to trust govt workers to source a supplier who can, and monitor them more effectively at arms length than they did when it was in-house.
If the problem is govt workers won't secure systems, you need to find/create an oversight process that works better on geographically
Re: (Score:2)
Why?
For some govt data I agree that there needs to be geographically diverse, hot redundant systems with RPO measured in seconds. But only for a small amount of it.
There really is no reason why the phone directory for the department of guinea pig racing needs to be this over engineered.
Re: (Score:2)
There's nothing about the cloud which precludes physical systems, backups, and hardening. A cloud doesn't have to be off-premises. Private clouds are a big part of any large IT strategy. They reduce hardware costs, increase asset utilization, and increase flexibility.
I'll give you an example. I work for a small open source cloud software provider, and we reduced our project footprint from over 200 servers down to 25, while increasing performance.
We added a disaster recovery strategy, which doubled as a
Re: (Score:2)
The government should never use cloud services. They should by law be mandated to maintain, quite expensive hardened electronic data systems, backed up by manual, actual dead tree and pen and pencil systems...
News for nerds, comments from the 1980's...
You can't legislate competence, or even interest (Score:2)
There are plenty of "mandate by law secure systems" already. Doesn't do much good because laws don't create competence. "Requiring" that agencies be secure doesn't even make people *want* to do a good a job - an apathetic sysasdmin indeed becomes MORE apathetic with each new regulation.
I've been required to follow federal security standards before, at a government job. The federal standards required we use MD5. We wanted to use SHA256, because it's FAR more secure. MD5 has been broken for several years. But
Re: (Score:2)
What you just said is that there should be a law requiring people to be smart. Think about that for a moment. The vast majority of security and stability issues have been the result of people doing stupid stuff, or skimping on stuff. The government ultimately is made of people, and stupid people can exist at every level (including the top).
There's no law to fix that.
As I posted earlier, I could probably fix my own car too, but rather I outsource that job to an expert.
No such thing as cloud services (Score:3)
It's just using someone else's computer.
Re: (Score:2)
It's just using someone else's computer.
Like using someone else's electricity, or storing your money in someone else's safe. Who would ever do such a thing...
Re: (Score:2)
Using someone else's electricity is completely different.
Using someone else's safe is sort of the same. You have to trust completely that the other person who has a key doesn't give it to anyone else. If they did you wouldn't know, because you can't physically guard the safe yourself.
Re: (Score:2)
wall-street has their reasons for it.
If you only run your own hardware, you need to maintain enough capacity for your absolute peak. If you're a big online retailer, that means you need yuge capacity for cyber monday and other such times.
You'll end up like Amazon, building massive data centres that sit idle for 300+ days a year. Until someone has an idea they can rent those machines out when they're not using then. AWS was born.
Not saying it's a bad thing to be like Amazon, but that cloud market is getting
Re: (Score:2)
It's just using someone else's computer.
Yeah. Someone who's probably better at maintaining that computer. A computer which is likely more redundant and better equipped to handle a wide variety of failure scenarios than mine ever will be.
There's no such thing as a car garage, it's just giving your car to someone else to maintain using someone else's tools.
Re: (Score:2)
Unless you're the largest organisation in the country - the Government.
Then you should have the resources to run your own shit. You shouldn't have to farm out your core services, with all the sensitive data that goes with it, to a third party.
Re: (Score:2)
Unless you're the largest organisation in the country - the Government.
Then you should have the resources to run your own shit. You shouldn't have to farm out your core services, with all the sensitive data that goes with it, to a third party.
Except that governments almost universally:
a) don't attract the best tallent
b) don't develop strong core competencies in any field
c) are generally inefficient due to lack of fiscal accoutnability
d) do everything as a drain on the tax payer, where this would be an opportunity to refund some tax payers
I CAN maintain my own car. Just because I can though doesn't mean it is the most sensible thing to do.
Re: (Score:2)
So why are all the major breaches private or public companies?
When was the last time someone hacked the IRS and stole everyone's social security numbers?
They didn't. Equifax gave all that data away.
Re: (Score:2)
So why are all the major breaches private or public companies?
When was the last time someone hacked the IRS and stole everyone's social security numbers?
They didn't. Equifax gave all that data away.
There are very easy answers to that despite the strawman you put up: There's far more companies dealing with far more sensitive information in the world than there are governments.
As to why this is a strawman it's because you missed the fundamental comparison I made. Specifically point b) around core competence. Equifax's core competence is not providing secure network services, and thus comparing them to a cloud service provider is like comparing my car to a intercontinental freight liner.
Re: (Score:2)
Equifax's core competence is providing network services for sensitive data. In what universe does that not imply the need for security?
There's far more valuable information kept by governments than private companies.
Imagine how much someone would pay for even a partial dump of the IRS databases, or one several years old? Personal financial information for an entire country. Enough information to find the people with the biggest bank balances and all the identifying information you'd need to convince their b
Re: (Score:2)
Equifax's core competence is providing network services for sensitive data. In what universe does that not imply the need for security?
Core competence and general requirements based around the core competence are not the same thing. This is precisely why companies hire experts.
All talk, no follow through (Score:2)
Trump is all talk, but at the end of the day he will go along with whatever he gets told. He recently signed in a new regulation without removing any, going against his own Executive Order. He can safely ignored domestically for the next 3 years. Congress are the ones to watch.
So job opening? (Score:4, Funny)
This is the exact sort of thing that I would to expect to come out of a big white building full of executive level upper management morons with big bank accounts.
I'll be damn surprised if there's not an on premise IT grunt at the White-house getting his pink slip right now.
In fact, where does one apply for the position? (asking for a friend)
Wow (Score:2)
Re: (Score:2)
It seems to me that hacking Google or Amazon might actually be significantly harder than hacking some poorly-run Government IT dept. I mean look at the whole Hillary mail server fiasco.
Re: (Score:2)
No. It got a LOT harder.
On one hand you have a cloud supplier, Amazon / Google / MS, that have people that's sole job is look after racks and racks of identical hardware running their own tuned OS. They do 1 thing and they do it very well. Encrypt at rest, encrypted backups, and serious physical access security.
Then on the other hand you have the IT team that does dev, infrastrucure, helpdesk, support, architecture all the while explaining to a non techie why they can't do X without Y$. Which of those b
Re: (Score:2)
As long as we stay friends with Australia.
Here is what I know (Score:4, Insightful)
'Cloud services' are the in thing right now, just like we went through outsourcing. Few people in management give a shit about IT, it's an expense. If they can externalize it and not have to deal with as much in house, they will.
So right now I get to bitch and moan that it's a mistake, knowing the only good it does is to let me vent. And if I'm still with the same employer 10-15 years from now, I'll be working on the project to start bringing things back in house because of all the problems cloud services cause us. And I'll get to say, "I was right but nobody listened", and exactly zero people will think anything of it except that I'm an old crank.
Re: (Score:2)
Most enterprise applications for the government have been on the "cloud" for a while now. They are typically some flavor of SharePoint and run on government owned/controlled servers, or other ERP type solutions hosted by DISA.
Is the point here that they want to host everything commercially (they do that already too, though not as much) to avoid having to have their own disaster recovery/backup solutions?
Re: (Score:2)
Actually I think in 10-15 years you will be telling the young whipper snappers that "Back in my day we had our own servers in a room over there" and they will look at you like you came from the dark ages.
Cost of compute is going to move towards cost of electricity. Network infrastructure is becoming more and more resilient every day and applications will be developed with cloud in mind.
Time-sharing (Score:5, Interesting)
You say "cloud services", I say "time-sharing".
Big system with segmented processes and storage. They were a security nightmare. The first international conference on computer security in London in 1971 was primarily driven by the time-sharing concerns. /get off my lawn
It's called VM now (Score:2)
Perhaps you've noticed how many things are served by AWS, or cloudflare
They're already on your lawn.
And, you've probably let them on.
Ummmmm... (Score:2)
"better protect data"
"use cloud-based technology" ....
Brought to you by congress (Score:2)
It literally takes an act of congress to buy almost anything.
By moving it to cloud service. It's a service contract.
What Amazon, or whoever else gets certified, does to maintain the service is their problem (expense).
Congress has painted the US government into a corner. Since the government can't buy anything, service contracts are the only way.
Regardless of my other opinions of trump, this is a reasonable business decision.
A wonderful idea (Score:3)
This is, quite simply, a stunning idea.
I support all government services being pushed to "The Cloud". Every. Last. One.
Then, let that "Cloud" provider run afoul of the lack of net neutrality laws.
Hilarity ensues.
Re: (Score:2)
"Hilarity ensues"
What does Clinton have to do with the cloud, and why is she suing???
Re: (Score:2)
*clap* *clap* *clap*
Indirect open goverment approach ? (Score:2)
May be this is their way to try to open the government up to everyone?
Most here wouldn't use cloud services for secure data and the "T-Empire of America" still wants to do for it, so may be they really want to open their data and not secure it?
This isn't Anything New (Score:2)
This is just a continuation of what has been existing federal government policy for the last six years:
Federal Cloud Computing Strategy [archives.gov]
NO! (Score:2)
"accelerate efforts to use cloud-based technology."
No, No! a thousand fucking times NO!!!.
The cloud is nothing more than someone else's computer, we DO NOT need government data or data on citizens floating around on any random service providers computer that the government decides to choose.
This is a really really horrible idea. (Score:5, Insightful)
Recently a former co-worker told me about how his employer had migrated to cloud-based email, and federated login (and some other services). It was true that their IT infrastructure was horribly outdated, and in serious need of a complete overhaul, in order to continue meeting contractual requirements with customers.
But the way this migration was performed, was a complete failure. Over 6 months, they met NONE of their goals. Software license costs ended up being more than double what was estimated. During the migration, the login servers were compromised by a new exploit. There were several complete re-installs, and on every re-install, they found the system was infected or compromised again within minutes. They went through two "big-bang" replacements, where all systems were shut down over an extended weekend, and physical servers were replaced with the spares. As operations were halted, this costs them a huge amount of money. And the extra hours of IT and vendor service were costly. (law enforcement was also involved, and, my former co-worker tells me, there will be a lawsuit by the employees whose personal information was exfiltrated). The only real gain here, was the IT staff got good experience at disaster recovery practice.
In the end, the company's yearly numbers were completely blown. They lost customers, their reputation was damaged. They ended up cutting staff. (some of us already had a feeling that things were heading in a bad direction years ago, and left).
I really really wish that I could name names here. Not just the company but the vendors. This migration plan was announced ahead of time, and so many people drank the marketing cool aid - people who should have known better. But privately, the criticisms were flying, and exactly everything that sound reasonably thinking people said would happen, did happen.
I could go further - to the beginning of the whole "Cloud Services" craze. We've all had our doubts, and pointed out the obvious flaws. And even where a service like Amazon's QuickStart setups can supposedly configure everything to be fully secure and compliant. . . this service is deceptively over-simplified, and there are so many details that are left unspoken. Moving your IT out of your own data center to the cloud may look cheaper on paper, but shipping it to some one-size-fits-all cookie-cutter cloud service is not the answer. You're still going to need a shit ton of very skilled expertise to architect and configure it, and then you're still at risk. Because your data is not in your building under your physical control. Which is really your last line of defense when shit gets real. If you need to, you can unplug.
There is no "cloud" (Score:2)
There is only OTHER PEOPLE'S SERVERS.
Besides, doesn't the government have enough security problems with things locked behind their own networks as-is?
Trump (Score:2)
What Are the Odds? (Score:2)
And what are the odds that confidential information is going to be held on commercial servers in foreign nations? How about classified data? Now, if they want their own cloud, even built be contractors, that's fine, but keep our shit out of foreign hands please. And, sweet Jesus, please don't pull the dumbass moves that OMB did. Our private data doesn't have to be available 24/7 on the web.
Easy way to stop it (Score:2)
Just tell Trump that Obama started this (running services and storing data on the cloud) and he'll make it so that not even the government meteorologists can say the word cloud.
Huh? (Score:2)
"we need more security... now move it all onto the cloud"
What's really ironic is given Trumps hatred of Jeff Bezos, he's basically demanding the government start spending billions and billions on Amazon's offerings. Perhaps no one alerted him to this?
White House level of understanding (Score:2)
"to better protect data and accelerate efforts to use cloud-based technology"
No Net Neutrality, No cloud (Score:2)
How stupid can you be? (Score:2)
A few years back, the UK gave cloud a pass, because they couldn't be guaranteed that UK government data would remain on UK soil.
And, speaking as en employee of US federal contractor and sysadmin, you're going to prove to me that a) it stays on US soil, and not, say, in datacenters in the Middle East or Russia; b) that every single person who has access to the physical servers that provide the service all have US federal security clearances?
Fat chance. But that's ok, Trump & the GOP are smarting over the
Cloud based e-mail (Score:2)
Re: (Score:3, Funny)