So, in essence, we have the same level of visibility between software as a service and infrastructure as a service. It's a shared responsibility, but I have auditing and compliance. No Social Security numbers, for example, are going to leave our organization because it gets stopped by Proofpoint. And everything goes through our NetWitness infrastructure and our McAfee Data Loss Prevention. We have categorized the RATB Cloud Hub into six critical services: 1) Governance, 2) Protection, 3) Access Control, 4) Monitoring, 5) System Management, 6) Failover. Each category has components that play key roles in the delivery of the RATB Cloud Service. Proofpoint, RSA NetWitness, and McAfee Data Loss Prevention Managers are only a few of the components making up our Cloud Hub stack. Now we can put workloads anywhere and it doesn't matter.
NW: Are your federal customers generally asking you to shoulder more responsibility?
KINGSBERRY: If you look at the Federal Data Center Consolidation Initiative, roughly 70% of all federal data centers are already outsourced. So federal CIOs are already having data centers delivered as a service. From a federal standpoint, it's all about the data. The classification of the data is what defines the level of security controls required (e.g., FISMA Low, Moderate and High). I think the federal government is past the point of asking the question, "Can I get the same level of information assurance leveraging cloud services?" Federal understands you can. Securing federal data is a shared responsibility between the federal agency and the provider. Roles and responsibilities will differ between agencies, as FISMA is about managing risk and each agency's view of risk is different.
NW: As Sutherland mentioned earlier, a lot of this has to be baked into the contract terms. Are there best practices that address how?
ROTHMAN: A lot has to do with how much leverage you have with the provider. With the top two or three public cloud providers, there's not going to be a lot of negotiation. Unless you have a whole mess of agencies coming along with you, as in [Kingsberry's] case, you're just a number to these guys. When you deal with smaller, more hungry cloud providers, and this applies to SaaS as well, then you'll have the ability to negotiate some of these contract variables.
So it's a matter of understanding what the agreements specify, understanding who's going to be responsible for what. But I haven't seen a lot of folks be overly successful getting better terms or negotiating special deals or doing any of that kind of stuff because, remember, the cloud and being a cloud provider is all about leverage. So if you've got a different deal for every one of your customers there's no way to really leverage that.