Microsoft has begun giving a select group of federal customers the chance to put Microsoft's new government-only cloud service through a series of private tests. "The processes, people, technology, and infrastructure are all in place. We want real-world test loads" for a shakedown cruise, said Greg Myers, VP of federal sales, in announcing the news Tuesday at Microsoft's US Public Sector Federal Executive Forum in Washington.
Although Microsoft's commercial Azure cloud offering has received authority to operate under the FedRAMP program for cloud services, the new government platform -- announced last fall and called Azure for Government -- has not yet been certified.
The government-only offering is housed in two specially constructed datacenters located in the United States and isolated physically and logically from the public cloud. All personnel will be US citizens screened for moderate public trust clearance and the servers will house only data from federal, state, and local government customers. The new platform, although operational, is not finished and will keep evolving to provide enhanced security, said Myers.
"We see this as a dynamic environment," he said. "It is very labor intensive, very capital intensive. It's not an environment for the weak."
A dynamic system is necessary to provide adequate security, because defense in modern, complex systems requires the ability to respond and adapt, said David Aucsmith, senior director of Microsoft's Institute for Advanced Technology for Governments.
Aucsmith, an author of the Defense Department's 1985 Orange Book, Trusted Computer System Evaluation Criteria, said at the federal forum that after 30 years of trying, "I do not believe you can create a secure computer system."
The complexity of IT systems makes it impossible to understand them fully, and this complexity makes it impossible to specify conditions and requirements with enough granularity to ensure security, he said. Testing and built-in processes are necessary but not sufficient to ensure security.
Because "we don't know what we don't know," any static system will become vulnerable to an adversary, Aucsmith added. The only effective defense requires the ability to recognize and respond to threats, which includes keeping systems fully patched and up-to-date.
Because patching and updating IT systems in a large enterprise is complex and time consuming, cloud platforms can provide enhanced security because dedicated staff can handle these jobs for multiple customers, and usually deploy them more quickly, he said. Patches represent a healthy way to combat adversaries. But if enterprises don't apply the patches quickly -- within about five days of release -- hackers can get the upper hand by exploiting the vulnerabilities revealed by patches.
"Hackers today are better organized, certainly better financed, and outcome driven," said forum guest speaker Tom Ridge, the former Pennsylvania governor who helped lead the creation of the Homeland Security Department. "There's still some people in the private sector that see [cyber threats] as an IT problem instead of a business risk."
Azure for Government initially will host workloads with higher security clearances than usual and will not take the place of the commercial Azure offering, which still will be available to government customers. But Myers said that eventually the new platform would become the default for all government customers.
There is no timeline for general availability of the new offering, but the next step in the rollout, a public preview, is expected in late spring.
Find out how a government program is putting cloud computing on the fast track to better security. Also in the Cloud Security issue of InformationWeek Government: Defense CIO Teri Takai on why FedRAMP helps everyone.