There are at least 36 major variations in how cloud services can be implemented. The number of possible evaluation options, each requiring analytical investment, is therefore very large.
For instance, the Cloud Security Alliance (CSA) has published 192 cloud evaluation guidelines. The criteria include: Cloud Computing Architecture; Governance; Risk Management; Legal Matters; Compliance and Audit; Lifecycle Management; Portability and Interoperability; Operations; Business Continuity; Disaster Recovery; Incident Response; Remediation; Encryption; Key Management and Access Management. **
The European Network and Information Security Agency (ENISA) has listed 53 vulnerabilities that impact 23 information assets in 35 risk categories. ENISA details 7 Policy and Organizational Risks; 12 Technical Risks; 4 Legal Risks and 20 Risks Not Specific to the Cloud. These risk classes are further subdivided into an elaborate taxonomy that covers topics such as: Personnel security; Supply-chain assurance; Operational security; Software assurance; Patch management; Network architecture; Host architecture; Resource provisioning; Authorization; Identity provisioning; Key management; Encryption; Data and Services Portability; Business Continuity Management; Incident management; Physical security and Environmental controls. ***
Any evaluation of cloud computing should consider acquisition options from qualified cloud firms such as Amazon; AT&T Synaptic Hosting; BlueLock Virtual Cloud Computing; Enomaly; GoGrid; Google; Hosting.com; Microsoft Azure; NetSuite; Logica; Rackspace Cloud; RightScale; Salesforce.com; Terremark vCloud Express and Unisys Secure Cloud. Each of these offers combinations of many features and functions that carry varying degrees of "lock-in" to their offerings. Of these, the technical role of hypervisors will warrant special attention.
Launching DoD into cloud services will require a major effort to define exactly what services DISA will offer, what the costs will be, and what provisions will be made to answer the questions that have been raised by CSA and ENISA.
DISA will have to announce exactly what its offering will be in order to gain a large share of IT data center services, estimated to be worth at least $10 billion/year and now largely operated by contractors.
** Cloud Security Alliance, Security Guidance for Critical Areas of Focus in Cloud Computing V2.1, December 2009. http://www.cloudsecurityalliance.org/
*** ENISA, Benefits, Risks and Recommendations for Information Security (125 pages), and Cloud Computing Information Assurance Network (24 pages), November 2009, http://www.enisa.europa.eu/