This is perhaps old news, given that the NSA chief made the comments below in 2011 while presenting to Congress to ask for support of the projects (basically a budget justification meeting). What is interesting is how he frames the weaknesses of the current state against the benefits of a future state that leverages cloud architectures. He also refers to several key programs that are deployed and seeing active participation.
How this relates to information security professionals, control safeguards, and ultimately PCI DSS is in the eye of the beholder. A striking point is the need to fundamentally challenge your risk assumptions and the benefits of moving to the cloud. A key consideration here is the concept of redeploying, rearchitecting, and, I would say, restarting the management of access and security anew. Cloud provides an inflection point for businesses and governments to start fresh to meet the current threats.
In the CxO discussions I often have, the framing of these technology changes provides a mechanism to reach stability and integrity of technology-supported operations (it is hard to find one that is not). Consider the NSA chief's points below, and consider that he is speaking of highly sensitive data that has human life risks directly associated with it. That type of data is of the highest sensitivity, and if it can be secured in a collaborative, cloud, integrated, and mobile-enabled environment, why not other data elements and industries?
This is in line with the OCR NIST HIPAA guidance and the recent clarification (June 2012) regarding how cloud environments are subject to the BA agreement and security elements. Clouds are permitted, but the expected controls must exist along with the proper risk management factors.
NSA Chief: “The idea is to reduce vulnerabilities inherent in the current architecture and to exploit the advantages of cloud computing and thin-client networks, moving the programs and the data that users need away from the thousands of desktops we now use — each of which has to be individually secured for just one of our three major architectures — up to a centralized configuration that will give us wider availability of applications and data combined with tighter control over accesses and vulnerabilities and more timely mitigation of the latter,” he testified before a House subcommittee in March 2011.
James DeLuccia IV