Charles De Sanno of the Veterans Affairs Department has a message about public-cloud security: It may, in fact, be better than many private clouds.
Larger, established cloud providers have the resources and talent to build cloud services more securely than many IT organizations, says De Sanno, the VA’s executive director of enterprise infrastructure engineering. Plus, they have a lot riding on their reputation, so they can’t afford to fail.
“It’s not to say that IT organizations don’t pay significant attention or employ due diligence on the security front, VA included,” De Sanno says. “However, the large, established cloud vendors have the ability to hire and retain industry-leading specialists in the security realm. They don’t want to have a vulnerability exploited, with hosted organizations put at risk. If so, it’s end of game for them.”
VA, which has deployed a number of applications to the cloud, is investigating a hybrid-cloud approach as it consolidates its data centers and works with the Defense Department to create a joint open-source electronic health record, he says. VA is also considering the cloud for e-mail and office productivity suites, as well as the management of mobile devices.
De Sanno says the public cloud offers attractive benefits at an affordable price. “Obtaining elasticity of infrastructure, disaster and fault tolerance, along with a controlled environment as it relates to security, provides an environment that would be cost-prohibitive for VA to architect, engineer and build,” he says.
“If you are awarding a contract to an experienced vendor in this space, they are probably in a better position than you in making significant investments in robust security controls and infrastructure, and can sometimes even enhance the level of security you already have,” he says. De Sanno offers simple advice to agencies that are considering a public cloud but are concerned about security: “Don’t fear the cloud. Leverage it intelligently.”