Federal agencies face a key decision when choosing cloud-based data, information, and application tools. Whether to go public, private, or hybrid has a major impact on both security and performance.
In most cases, three factors have primarily influenced the decision:
- Costs, specifically savings projections,
- Application availability, and
- Information security.
David Bennett, the chief information officer for the U.S. Defense Information Systems Agency (DISA), has added one more factor to the decision-making table: risk tolerance. Bennett believes that risk tolerance is the single most important factor driving agency decisions.
Risk & Security
“You have to understand the risk and the data you’re dealing with,” Bennett says. “You have to ask questions like ‘What controls do I have in place?’” While Bennett conceded that his agency wants to take advantage of commercial opportunities, he also emphasized that verifying and optimizing security remains his top priority.
For data and information with reduced security requirements, agencies and organizations have a growing number of cloud-based service options available to them. When making that choice, an organization must analyze risk based on the sensitivity of the data and information being protected.
Categorizing the Data
To that end, DISA categorizes information sensitivity across six different levels:
- Impact level 1: Unclassified public information.
- Impact level 2: Unclassified private information.
- Impact levels 3-5: Higher-risk unclassified information.
- Impact level 6: Classified information.
According to Bennett, part of the issue is that cloud-based security, disaster recovery, and information protection capabilities are still in their relative infancy. Thus, the choice of whether to work with a public, private, or hybrid cloud depends on the impact level of the information being protected and the degree of risk that an organization is willing to take.
DISA Joins Cloud Offerings
DISA offers a public, internally operated cloud platform that is now drawing clients from the private sector. However, Bennett opted not to endorse DISA’s platform over alternatives. Instead, he said that the decision must be made on the client’s end and that it should be arrived at after a careful audit of security needs.
In the end, Bennett says, there is not “any right answer” to what type of cloud an organization should use. Instead, it should be a conscious decision that suits the company itself.