We are sometimes our own worst enemies! We want something, but at the same time put up barriers to obtaining it. A perfect example was at an Industry Day I recently attended. The customer had put out a request for information (RFI) and was holding a day to present what was going on with the program to the potential contractors. No procurement was discussed, only information about how they wanted to implement model-based systems engineering (MBSE). In particular, they wanted to know what kind of contracting language should be used to provide better requests for proposals (RFPs). However, they also said that we could not have one-on-one technical conversations with the government technical personnel. I call that a “self-inflicted denial of service attack.”
Cloud computing is the most common self-inflicted denial of service we encounter. We are all familiar now with DNS (Domain Name System) attacks. They seem to be a frequent occurrence and it’s frustrating when we can’t get on our favorite website because a troll has attacked it.
Because of these trolls and all their attack vectors, many in government have resisted adopting cloud computing. They think: “clouds are dangerous … I don’t have control over my data … someone might steal it.” All the while, their corporate networks have been hacked by every major player in the world. If someone hacks into your corporate network, everything they get is related to your organization and what it does. In other words, everything they get is gold. But isn’t cloud computing, as provided by large providers like Amazon, Google, and Microsoft, more secure than your corporate networks?
Let’s take Google for example. First, they don’t tell anyone the location of their data centers. They provide complete physical security. They build all their own servers from scratch and destroy them when the servers reach the end of their useful life. They have all the firewalls and software detection capabilities needed and more. They encrypt the data at rest (and you should be sending encrypted data via HTTPS, at least). They randomize the filenames, so you need a map to find anything. They meet and exceed the FedRAMP requirements.
Does your corporate (or government) network do all that? Probably not. An Amazon Web Services representative explained to me, “FedRAMP requires over 200 security controls, we have over 2,000 of them.” The last thing anyone from these major “public” cloud providers wants is some hacker successfully penetrating their network and capturing critical user data. They could (and would) be sued.
I was talking to a gentleman from the government about cloud computing the other day and he told me, “No one has ever told me how they can clean up a spill on the cloud.” [For those not in the know, a “spill” is when you accidentally put information somewhere it doesn’t belong.] I did not have the presence of mind at the time, but I should have asked, “What do you do now with your enterprise e-mail system?” I can guarantee they do not go around tracking down backups and destroying hard drives. Deleting the data results in it being written over hundreds of times in a matter of minutes.
So, it’s time to stop committing denial of service attacks on ourselves. It’s time to embrace the cloud computing revolution and get on board. The commercial world already did this, for the most part, half a decade ago. If we want to speed up and improve government, government needs to figure out how to use the cloud now.