The US government wants in on the public cloud, but needs more transparency

'Trust me' security doesn't work for national security data

FBI CISO Arlette Hart
Arlette Hart, chief information security officer for the FBI, speaks at the Structure conference in San Francisco on Nov. 18, 2015 Credit: James Niccolai

The U.S. federal government is trying to move more into the cloud, but service providers' lack of transparency is harming adoption, according to Arlette Hart, the FBI's chief information security officer. 

"There's a big piece of cloud that's the 'trust me' model of cloud computing," she said during an on-stage interview at the Structure conference in San Francisco Wednesday. 

That's a tough sell for organizations like the federal government that have to worry about protecting important data. While Hart said that the federal government wants to get at the "enormous value" in public cloud infrastructure, its interest in moving to public cloud infrastructure is also tied to a need for greater security. 

While major providers like Amazon and Microsoft offer tools that meet the U.S. government's regulations, not every cloud provider is set up along those lines. In Hart's view, cloud providers need to be more transparent about what they do with security so the government and other customers can verify that their practices are sufficient for protecting data. 

Companies that experience security breaches in the cloud may be most concerned about monetary losses as the result of a breach, but Hart pointed out that the federal government isn't as much concerned about money as it is about securing data that can literally be a matter of national security. 

That has proved to be somewhat of a challenge as the government tries to shift from an on-premises infrastructure to more cloud workloads. While it's possible to move workloads from a private data center to a public cloud, doing so means changing some expectations of what the data's security perimeter looks like and what an agency like the FBI has control over. 

When it comes to other companies' security, Hart has another tip. She suggests that businesses go meet with their local FBI agents as part of their incident response planning. That may seem like overkill, but having a relationship with the FBI before a problem arises should help when something goes wrong.