tv C-SPAN2 Weekend CSPAN October 8, 2011 7:00am-8:00am EDT
7:00 am
that need to be done and in some respects it is required that agencies have the capability to have automated tools in place with which they can gather this information and feed it on a regular, real-time basis. many of the agencies so far don't have those capabilities over all of their assets. it is also important to know that good continuous monitoring favors the automated aspect of it but there is still a need for testing and evaluation of the effectiveness to ensure the information that is being provided through these automated tools is accurate and reliable. >> one of the key risks the gao report identifies is the dependency on the vendor. it was mentioned by dr. mcclure
7:01 am
in the first round of questions about the scenario in which you terminate a contract or a vendor ceases operation. any thoughts on how you protect against the vulnerability there? what do you have to build in to protect the government's essential need at that point? >> that is a key risk to federal agencies. when we did our report last may all 24 of 24 agencies cited loss of information as a key risk should the cloud service be terminated. in terms of being able to mitigate those risks it is imperative for agencies to establish comprehensive service level agreements and specify clearly up front what the roles and responsibilities of the cloud service provider are as well as what the customer's are
7:02 am
with regard to providing information should they go out of business. it is also imperative that interoperability and portability standards be developed and implemented so that agencies have the capability to take their information that is being processed by a cloud service provider and use it internally or move it to another provider should the need arise. >> is there anything technologically unique about cloud computing that causes more difficulty with this particular concern? that is, termination of services? >> not on the technical side but i would echo that one of the big concerns about moving to the public cloud is exactly that and we want to be able to assure continuity of service to our customers and all of that so we have to work those scenarios and
7:03 am
to what happens in the unlikely event that the cloud service provider can no longer offer that service so they have capabilities having standards set. this is something nist is working on for cloud interoperability so we can quickly shift to another cloud service provider if necessary. >> cloud interoperability would presume that you would have equal security measures. >> that goes back to the idea of having provisional authorization in place for hopefully many providers so that that makes it much easier for us to have a choice and be able to move our service. going to my competition point, it also gives us a more
7:04 am
competitive playing field which will drive down cost over time and provide better service. >> before i yield to the ranking member, the ranking member brought up the question about a contract with a firm that is a u.s.-based firm and canadian firm and we are close to canada but it is another country as i recall. i think congressman thompson was bringing up the question -- i don't know the visuals of that or how we tell the american people we are going to have -- the government will use vendors that have cloud computing with all of the assets and liabilities we talked about and it will be a company that
7:05 am
answers to people in this country. we -- do you understand at least the question some people might have? >> certainly the department of homeland security within my office, we would be -- want to always make sure our data is protected, for any sensitive data as we move forward we would want u.s. citizens to only have access to that data for sensitive information that we would only have that data in data centers that are on american soil. that is a given. we follow the regulations. we did an open competition within the providers that were
7:06 am
available to us and based on the evaluation criteria this firm won that task. >> thank you very much. the ranking member is recognized. >> thank you very much and let me thank our panel for your patience. we need clones around here. let me say that in the brief moments i had in the hearing i am not as concerned about our capability to secure the cloud. i say that simply because we had enough to invent it. our knowledge, our capability, our skills will enable us to protect it. so i will be more affirmative and when i think about young people today and their level of
7:07 am
curiosity, their innovativeness, i know that somewhere in some classroom is the person that will come forward to enable us to do what we need to do to move forward with the innovation we have as a civil society. i am coming at this not as a scary person but as someone ready for the adventure. having said that i would like to ask this question of mr. wilshusen. did you look at federal agencies in using public cloud for undertaking this effort? what lessons did you learn and how did you apply them? what about private sector experiences? >> we certainly have within our
7:08 am
strategy had numerous discussions with other federal government agencies, nasa, veterans administration, both of which have been aggressive in looking at cloud capabilities. we talked to a number of cios within private sector firms as well as my staff who was involved in reaching out, as well as advisory services that work in the it industry and serve that industry. a few lessons learned, and we are still learning a lot of these lessons: one of our biggest issues beyond security, which is the biggest issue, the next one is fundamentally a different business model. it changes, we are buying a service level agreement, we are not purchasing hardware or licensing software or integrating together. it is fundamentally how we
7:09 am
procure; this is very different. we have been working across the federal government and as a matter of fact in a couple of weeks the federal cio council and acquisition council will be meeting to talk about the issue. how do we work out procurement issues and business model issues so we put ourselves in the best position to leverage this capability from a business perspective? that is where a lot of these are. we are feeling our way to what the right business model is. >> we conducted a review last year over cloud computing security. we went to a couple of different agencies and looked at the cases that were underway. we went to dod and the rapid access computing environment and also nasa's nebula environment. the lessons learned that they
7:10 am
experienced had to do with assuring that they were having to re-engineer business processes to accommodate the use of cloud computing. they found one of the challenges was clearly specifying and delineating the responsibilities for security of the client personnel at nasa and the cloud provider. in both cases each of their implementations were private cloud implementations. they decided in each case to take a slow cautious approach before jumping in and going to a public cloud. in both cases the private cloud implementation generally will have a lower threat exposure than public cloud. >> are there any agency applications or services that should never move to the cloud
7:11 am
where everything an agency does in either case, why would it be the case? >> i will take an initial stab at that. there is probably implementation on information that is sensitive, classified information that needs to be particularly protected that should not be placed into a cloud environment particularly a public cloud environment given security capabilities. classified information should not be in a public cloud environment. >> do you say never or do you foresee in the future that capability will exist? my question was never. >> i was taught from an early age never to say never. i think i will keep that now. >> i think i have essentially
7:12 am
the same answer. in the it world we are taught never to say never because things change so much but i would agree wholeheartedly with greg. it will be quite a while before we have any comfort in putting classified information into a public cloud environment. it will be quite a few years before we look to do that. >> the only thing i would add is it goes back to what the agency said as its requirements for what it is trying to do with its data and service delivery. if the data demands protection levels that are beyond the capabilities of in-house or out-of-house providers you have to address that. the term public cloud is used pretty loosely. there are instances where you will see federal agencies
7:13 am
claiming they have things in the public cloud but it is not what you would find consumers such as ourselves doing for our own homes. we have security requirements and management requirements and all these other requirements that these providers have to show they can provide even though they may be called a public cloud solution. >> thank you very much, mr. chairman. >> with the new technologies i think there is a possibility of increased risk of infringement of copyright holders' rights because of the nature of this. it is faster, cheaper and easier to engage in unauthorized reproduction and distribution or public performance of the types of copyrighted work. to what extent can increased reliance on data storage through cloud computing services contribute to this kind of
7:14 am
copyright infringement? do you see an issue? >> i will throw it open to the whole panel. >> i think it goes back to any environment regardless you have basic security and privacy standards that have to be met. access control comes to mind. who has access to information in these cloud environments is a huge issue. if i don't define that and put the controls in place then you are subject to losing information no matter what cloud environment. >> i would just add one of the things we're looking at is strengthening our identity and access management capability to pick up on what dr. mcclure said. we foresee in the future having a much stronger authentication
7:15 am
model to protect against these things whether it is copyright infringement or we are concerned about privacy and civil liberties and access to the data that we store. that transcends whether we are in a cloud environment or the more traditional it system and database but these are the things we are working on, the safeguard side, yet still enabling the right kind of information sharing to protect the homeland. >> i would like to add the authorization and identification and verification -- one additional wrinkle, not to poke a hole or anything, is the responsibility for assuring the authorization is correct and the identity of the user is verified may no longer reside with the federal government or the government agency or the cloud service provider so the effectiveness of the cloud
7:16 am
service provider's access controls comes into play as well. >> just one other -- a bit tangential but in terms of government security and securing government data, the flash drive type product as well. is there any advantage or differentiation being made when you have that kind of product? in using a hard drive versus software authentication. do you get anything more from a secure basis out of the hardware authentication for that type of product than just the software itself? where do you see it going? do you need both? is it software? do you think there's a need for that going forward for secure
7:17 am
data? >> i will take the initial stab at that. the hardware authentication and security can protect information particularly with flash drives and thumb drives; it is the key risk because the devices can contain large volumes of information and are extremely portable. some agencies like the department of defense have banned their use on their systems because they can be used to carry malicious software. >> i yield back my time. >> i want to thank this first panel for not only testifying but understanding we have -- i understand the portion of your day, we appreciate you being here and thank you for your testimony and members of the committee might have additional
7:18 am
questions for you. we ask that you respond to those in writing. with that i am happy to dismiss you and we will move on to the second panel. a member of the subcommittee can sit for this second panel and have the privilege of introducing someone from his state when we get there so thank you to the first panel. the second panel will come: mr. sheaffer, mr. brown, mr. bottum and mr. curran.
7:19 am
>> we have the opportunity to hear from a distinguished second panel on the question of cloud computing. what are the security implications? we have mr. james sheaffer, president of computer sciences corp. north american public sector. he served as vice president of csc as well as general manager of the partnership with the irs, an important business modernization program. prior to joining csc mr. sheaffer spent 70 years at american management systems working on telecommunications in north america and europe. mr. timothy brown is vice president and chief architect of security management of ca inc. he has been involved in many areas of security including threat
7:20 am
research, vulnerability management, consumer and enterprise identity, access management, network security and encryption, compliance and security services. john curran is president and ceo of the american registry for internet numbers and has served as chief technology officer and chief operating officer for bbn/gte internetworking. he has been an active participant in the internet engineering task force and it is my privilege to allow mr. duncan to introduce the next gentleman who has, i understand, had something to do with purdue university. i would like you to introduce him. >> thank you, mr. chairman. thanks for giving me the opportunity. it is my distinct pleasure to introduce one of my constituents and someone from my alma mater,
7:21 am
clemson university. jim bottum is vice provost for information technology at clemson university. he leads efforts focusing on high-performance computing and communication as well as collaborating with state and national government entities. under his leadership, they appear at no. 60 in the world's top 500 computing sites alongside clemson's computational center for mobility systems ranked at 100. he serves on the advisory committee for cyberinfrastructure and crpa assessment and the internet2 board of trustees. he was the first cio and vp for computing at purdue where he was responsible for planning and coordinating information systems across the university. he has also served on other committees and national laboratory boards providing consulting services for
7:22 am
universities across the united states and has worked on issues of cloud computing and should provide an excellent perspective on this issue from academic research and experience. i look forward to hearing his testimony. thank you for having him here today. >> i thank the gentleman. we thank you all for being here and your indulgence. i know you had to wait as well as we went over to vote. we have the procedure here that your remarks will be made part of the record in their entirety and we ask you to limit your remarks to five minutes apiece and i would ask mr. sheaffer to go first. >> mr. chairman, mr. duncan, it is an honor to appear before you. i am jim sheaffer, president of csc north american public sector with 29,000 employees who serve and support the mission of federal
7:23 am
agencies. i also recently served as vice chair of the public sector for the commission on the leadership opportunity on u.s. deployment of the cloud. the commission issued cloud first, cloud fast and included 14 specific recommendations for the federal government to accelerate these options and i respectfully request that document be entered. >> without objection. >> last year we had revenue of $16 billion. we are acknowledged as a leading global provider of it services on large-scale projects for public and private sector clients and provide cybersecurity to the largest companies and most sensitive u.s. government agencies. by leveraging shared computing resources and higher utilization rates cloud computing is ushering in an it revolution. users pay only for what they consume. cloud computing and the delivery
7:24 am
model enables organizations to cut the cost of computing and handle the capacity of volumes of data and computation. the cloud is a hot topic but is the latest evolutionary step in the field. custom-built computers moved to mainframes to personal computers and client servers and the internet. what is different is the rate of adoption. the economics are compelling and the take-up of this technology is faster than the earlier technologies. the global nature of the cloud makes it a different phenomenon. today's federal budget climate offers an incentive for agencies to adopt the cloud. it also raises questions of trust. trust is more than security. citizens and users must believe in the integrity and reliability of cloud computing and security. we acknowledge the challenges.
7:25 am
the speed of advancement requires new security policies and technologies and procedures. the internet which is the foundation of the cloud was designed without security and we had to catch up. in the future it will require the design of secure architecture to ensure security. the second risk is all security standards are not yet in place as we heard from the previous panel. the national institute of standards and technology and the cloud security alliance, a non-profit coalition, are developing support for those standards and we believe they need to be global standards. not just standards in the u.s. cyberthreats are serious and becoming more pernicious. threats are more severe than we experienced in the past and capabilities of bad actors are evolving swiftly. the risks and challenges to cloud computing are not insurmountable.
7:26 am
they should not be used as an excuse to shrink from the adoption of the cloud. fundamentally cybersecurity must be integral to the architecture and not after the fact. we are confident prudent cloud computing adoption can meet stringent security requirements. how should these challenges be addressed? align the risk profile of data and uses with levels of protection required. one-size-fits-all approaches provide neither effective security nor the lowest cost. each application must be evaluated to identify specific security requirements and an appropriate cloud configuration, including hybrid clouds. it is important to gain feedback from lessons learned from the implementation of cloud computing. lessons will be shared across the agencies as the previous question indicated. it is reaching out to foster the cyberenvironment needed for leadership in cloud adoption.
7:27 am
consolidating infrastructure for the 22 components in primary data centers, dhs is increasing productivity with capital investment and has implemented a private cloud behind firewall security systems. the department is improving cloud computing. one example of the success of this approach is our systems where we are designing and implementing a private cloud where we reduced the time for new software development from months to a couple of days. in conclusion cloud computing offers the opportunity to improve performance. security issues can be managed. the u.s. is the leader worldwide in cloud adoption and we must maintain that position. i welcome questions. >> mr. brown. >> members of the subcommittee, i want to thank you for the opportunity to talk to you today. ca technologies is one of the
7:28 am
leading software companies that provide software and services to enterprises, governments and cloud providers. the promise of the cloud continues to accelerate but it is clear significant confusion remains about what cloud computing is and the risks and benefits associated with it. security is the concern cited most. when you consider the loss of direct control these concerns are expected but must be addressed for the cloud to be successful. from a security perspective any service with access outside the enterprise's direct control should be considered a cloud service. adp for check processing and a 401(k) portal are good examples that have been around a long time. cloud is not new but the current momentum and exposure of new cloud services gives us the opportunity to enhance cybersecurity. >> i think we lost your mike.
7:29 am
>> we will move up. the cloud is neither more secure nor less secure than other it services. security fears and arguments that are overblown have muddied the waters about this issue. to provide clarity i will focus on the more critical areas affecting cloud security. first it is important to note the cloud will not replace all other services. as organizations move to the cloud it will be one of many platforms operated and managed together to minimize risks of vulnerabilities. we should be wary when people say the cloud will replace all technology. second, the responsibility for security rests with the provider and the consumer. cloud services have different risk profiles. what is important is transparency. customers and providers need to agree on security expectations
7:30 am
and meet those requirements. customers must have trust in cloud service providers and the ability to verify their claims. cloud customers need to be vigilant in their investigation and oversight of their providers. cloud providers must approach securing customers' data with the same degree of seriousness as the owner of the data. third, a strong trusted identity system that enables the right people to have the right access at the right time is vital to securing the cloud. many of the data breaches today find their root cause in weak identity and access management control. the move to the cloud does not create new risks. cloud consumers should ask who has access to what, what can they do with the information they obtained and what did they do with that information? online banking services provide an example of how transactions between different cloud services can be accomplished using strong identity management.
7:31 am
most of us know that online transactions have different risks and security requirements based on that risk. accessing your account balance requires a level of authentication while transferring funds may require a higher degree of security. if you authorize your bank to pay a bill your bank may need to access the bill payment service on your behalf. this type of transaction requires they have transparent security practices that are audited and enforced. the adoption of standards is critical to security and interoperability in the cloud. ca technologies contributes to organizations like oasis and collaborates -- there are two efforts i want to highlight. there's a promise that solutions are accredited and used many times across federal agencies. we await the final draft. but several questions about its scope and implementation remain. we recommend congress continue
7:32 am
oversight to make sure these questions are answered. the second is the national strategy for cyberspace and its enhancing trust by strengthening industry-based identity management practices and minimizing proliferation of the password combinations we use online. in the 2012 budget we recommend congress fund this effort. finally i would like to offer several additional recommendations. first, because we are in the nascent stage of cloud adoption congress should look at cloud policy issues to look at outcomes rather than specific technologies. static rules are not adequately flexible and will rapidly become outdated as new technologies emerge. congress should avoid adopting policies that have country-specific policy. for u.s. markets around the world
7:33 am
this policy will enable industry to build solutions that can be delivered in multiple markets and enhance competitiveness and the cloud model's security to drive technical leadership in the u.s. we recommend congress support the policy recommendations from the cloud2 commission. i appreciate the opportunity to be here and am happy to answer any questions. >> mr. bottum, you are recognized for five minutes. >> i would like to thank you and members of the subcommittee for the opportunity to present this testimony. i am from clemson university, a nationally ranked public research university with an enrollment of 19,500 students. many definitions explain what the cloud represents. a good working definition should reflect the distinctive characteristics of cloud computing, namely on-demand delivery of shared services over
7:34 am
the internet. by allowing users to share resources cloud computing enables infrastructure to be balanced between user requirements and information technology services rendered. cloud computing is efficient and economical. we must ensure our security tools, practices and policies grow in proportion to our use of this technology. clemson has been in the cloud business over 30 years provisioning medicaid applications and services to the state and citizens of south carolina. three years ago as the recession intensified we created a south carolina cloud experiment to see if several institutions could do things we could not do by ourselves or do them in a more economical fashion. today our cloud is operational and involves the collaboration of educational institutions and commercial organizations.
7:35 am
partner institutions include public and private universities, technical colleges and historically black colleges and universities. many of these would not ordinarily have access to the resources of stand-alone institutions. clemson is working with a fortune 500 company to build a secure and comprehensive cloud computing environment. considering our diverse set of users in numerous organizations that connect into the environment it is important to properly ensure identity and access management and address concerns over data theft or manipulation. our goal is to apply policies, procedures and controls that are transparent. the benefits far outweigh the risks. a thoughtful strategy for prudently broadening adoption of cloud services can facilitate a smooth transition to this dynamic platform.
7:36 am
the transition should include a security initiative to assure protection of data resources and the environment as it evolves. to increase security within the cloud, r&d is needed in a number of areas. six areas are highlighted here. the first area involves the use of virtual machines. cloud computing is enabled by virtualization. further research is needed to better understand virtual machine operation and establish safeguards to effectively protect this environment. second is authentication and accounting. the current security approach leverages best practices. research is needed to counter many threats including eavesdropping and tampering, distributed denial of service, network infrastructure vulnerability and insider threat. third, r&d on security applications should focus on applications that leverage the
7:37 am
distributed nature of the cloud to provide a new level of security. this research would result in a more secure environment that is resistant to infection of individual systems and the current generation of network-based attacks. another area is encryption for programs and data processing. recent work produced an encryption system allowing computers to execute encrypted programs. research on distributed denial of service detection and control is also needed. there, there is an attempt to make a computer resource unavailable to intended users. currently there is not a good mechanism for detection and control. finally, research on network technologies is important. current protocols make it difficult to make networks available dynamically to match the elasticity in the cloud. active and intelligent networking is an important area of study. it is also critical we have a security-conscious workforce. there is a gap that exists
7:38 am
between what universities teach and what industry needs. universities teach theory and fundamentals while industry desires practical experience. i believe attention should be given to legal issues. contractual and service level agreement issues regarding physical data protection, incident response, privacy and security controls and other matters are important aspects of developing a relationship with the provider. on behalf of clemson university i would like to thank you for your time. >> i was just thinking cloud computing is the only thing i have not heard being argued for the breakup of the big east or the acc. i suspect we will be hearing about that. >> will the gentleman yield? go tigers against boston college. >> i have a neighbor who was a freshman at clemson so i will
7:39 am
say okay. mr. curran. >> thank you, members of the subcommittee. you have my written testimony so i will keep my comments brief. i will focus on areas related to using the cloud over the public internet. that is truly what is new in what we are discussing. dr. mcclure indicated the use of the public cloud poses new areas of risk and i would like to highlight four of those that this committee should consider when looking at this issue. first is the relationship of public clouds to other initiatives in the federal government for cybersecurity, which needs to be carefully considered because public clouds are using vendors outside the federal government yet the federal government has several
7:40 am
government-wide security initiatives including hspd-12 for validation and authorization. this includes the trusted internet connections program. when you make use of a public cloud and a public vendor they may not be familiar with how to actually use those initiatives which are government-wide cybersecurity initiatives. so the documentation and approach to vendors so they have everything they need when they design their public cloud to make use of government-wide cybersecurity is essential or our public cloud won't be participating in the government-wide initiatives. this is very important. second is the issue of the physical location of the data in the systems. the framework and physical security control profile always had an assumption of federal control of systems. it is true about 10% of our
7:41 am
federal inventory is outsourced to contractors but even then it is under agency control in the vast majority of cases. we suddenly have the idea of a profile that is ten years old to secure public clouds that may be worldwide in nature. the problem is the question to be asked is where are the data and the systems that exist in the original profile. the proposed fedramp security profile does have enhancements that include talking about the personnel that are making use of and managing this data. in the current public clouds that does not include controls for where the data and the systems themselves are. we know in many cases that the systems are managed by u.s. citizens but we don't know they are located in the u.s.
7:42 am
a given agency can implement those to cover that if they know to do so. as gsa accredits organizations they say what their systems are so federal agencies have the ability to say is that acceptable or not? the third matter is on migration. this is most important. the profile is good at talking about recovering systems with whole contingency planning sections which handle the failure of a given server or datacenter. that was perfect when we were talking about federal agencies but the recovery provided by the profile works in the cloud. it is whether a cloud provider moves from one of their data centers to another. the problem is we need contingency planning at one level higher up. you need to worry about the case where the cloud provider themselves is no longer able to provide service and you need to move not
7:43 am
to another of their data centers but to an entirely different cloud provider. you might need to do that on rapid notice to accommodate cloud provider compromise in a non-recoverable manner. the migration is not a question of cost or agencies getting their own data back. it is a security control, an inherent function that needs to be provided so if the cloud provider is compromised the ability to migrate is not a question we are all asking. it is inherent and known to move in a short number of days or hours and move to another provider. the internet itself is not static. it is changing rapidly and there are several security protocols. the new internet protocol is coming out that needs to be considered. make this part of the profile so we don't build on the internet while the internet is changing
7:44 am
under us. i would like to thank the committee for having me and i look forward to your questions. >> thank you and all of you for your testimony. i give myself five minutes for questions. Mr. Sheaffer, one thing that struck me was the idea that with the internet we didn't build in security at the outset and had to play catch up. Mr. Curran outlined a number of things that deal with building security into our advances in technology including the cloud. could you comment on the comments he made? >> certainly. i agree. we are in a position where we are using a technology infrastructure that
7:45 am
was not originally intended with the security issues in mind. and i agree there are a number of initiatives underway to address a number of those vulnerabilities and issues. i think a good example of this is in our intelligence community and the secure side of government operations, which point in the direction that we can build architectures that can secure data and applications adequately. some of the comments addressed how to do that in a public environment. some comments in the earlier panel would suggest we have to be careful about what we put in the public domain. the interest of the commercial sector is, as quickly as possible, to get to a point where they
7:46 am
provide those adequate protections and the innovation going on in the commercial world will solve those in time. in the meantime we have to be aware what they are and do what we can from a standards perspective, building standards and approaches that guarantee to the maximum extent that vulnerability, that risk, can be managed, but from a technological perspective we will solve those problems. >> one of the messages from this panel is the dynamism of the it world. we make a mistake when we take a static view of things. cloud computing is one evolutionary point in this utilization of advanced information systems. therefore we have got to try
7:47 am
from our standpoint to make decisions that reflect that. at the same time, there is a fundamental issue or concern reflected in constituencies and members of congress that there's something about possessing your own information. there's something about fencing off your information from everything else which is perversely at odds with using the internet. and yet people seek both the ease of access and the multiplication of recipients of their information that the internet offers with a heightened sense of privacy.
7:48 am
so i think one of the great concerns we have to deal with, both legitimate aspects and high-tech aspects, is: as you surrender your possession of the system and move more to a cloud system which, as i get your definitions, means you are cooperating with other systems in a way that your information is not totally under your control, how do we overcome the fear that people have of loss of security and loss of possession but at the same time assure them we do have technology fixes, so long as we understand that requires sufficiency of information that the users have had a persistence in the use of what i will call generally good
7:49 am
cyber hygiene. >> one thing we have to understand is from an economic standpoint cloud is coming. the reason why is in cloud computing we can put together more software that is better more quickly. we can test it in one environment and have higher quality software out of our building and into the hands of the consumers quicker. if we don't as vendors embrace cloud we will be out of business. >> that is pretty strong. >> if we don't embrace cloud we will be out of business. the same goes for government in the same way. if you want to keep up and move quickly, embracing the cloud for the same efficiency reason needs to occur. any time we have these types of
7:50 am
changes we have opportunities to become better or worse and we believe cloud gives us an opportunity to become more secure. the thing that needs to happen is you need trust in the providers and to verify it, so you need to have things that allow you to monitor those providers and make sure they are not only doing what the contract says but doing what they say. you need to be able to be cautious as you enter these environments to make sure, because in some cases we are going to see a huge expansion of cloud providers and only a portion of them will survive. we need contingency plans to move from one provider to another. it is not a question of if it is going to happen. it is going to happen. it is a question of how to effectively move forward. trust ends up being
7:51 am
transparency, acceptance that this is what a cloud provider will do, and the ability to monitor what they are doing to ensure they are doing what they say they need to do. >> i have a bunch of other questions. i will yield for five minutes. >> thank you. i want to thank the panelists for their expertise in this discussion. my first question is many potential agency users of the cloud believe it is not secure enough to be a need. from your perspective are they right? >> i am a provisioner. i say amen to everything Mr. Brown said and it is a question of building trust. with the relationships we have that is essentially how we got
7:52 am
there, for building the trust of the end user and the community we are provisioning for. the first thing i did at Clemson was consolidate 43 IT departments into one. that is building a cloud for 43 people, for departments that used to do their own computing. over time you need to build that trust and true performance. directly answering your question, is it secure enough? we get tested in a number of ways. the engine -- engineers need to verify and we run the medicaid system through South Carolina. we get planned visits and audits and unplanned visits and audits. you have to be ready at all
7:53 am
times. it is a matter of communication, policy, people working together. to me the cloud -- we call it something different every decade. it was time sharing in the 80s. we did a project with Notre Dame, the Northwest Indiana Computational Grid. basically that is what it is, people working together and creating a trusted environment. >> picking up on comments from the earlier panel, whether it is secure enough is the agency's determination. what we need to do is make sure the mechanisms we put in place give the CIO enough information
7:54 am
to make that determination. the FedRAMP program is the start of a profile of controls that will make public clouds useful to CIOs. right now there are a number of pieces the CIO has to fill in. if you want your data within the U.S. that is not in the profile. if you are worried about migration that is not in the profile. the answer is: is it suitable today for an ambitious high energy agency that decides to take this on? they fill in those pieces. can we make a FedRAMP program where those functions are provided for and already clearly documented? that doesn't mean all the data needs to be in the U.S. an agency whose workers are doing a might want datacenters for performance reasons. someone doing sensitive work
7:55 am
might want to know the cloud he is using has said the servers are located in the continental U.S. it is making sure the information is in the profile and documentation so the agency CIO has to work -- has the information he needs to answer that question. i think it could be much easier used with work. >> one of the important points is there will be specialized cloud services for special purposes. if there is enough money to produce a cloud service that is all format secure -- secure and resilient, someone will produce that cloud service as long as the economic model fits. you will see other economic models with less security and less resilience. in all of those models, as long
7:56 am
as they transparently tell you what their models are and what they can provide. >> let me thank you for your answers. many questions come to mind. it is a totally new space with a lot of pressure on the CIO and you start thinking about does this become an issue for litigation as we begin to build those areas of trust, and does that become another practice within the legal field and understanding of the world that we created. my time is up and i want to thank you once again for raising the consciousness of what we need to do. >> there are so many questions but you have been good about it.
7:57 am
let me ask one general question. when we look at the positives of cloud computing and define it as a new evolutionary point, is it a canard to suggest that with cloud computing you do create some more target-rich environments? if i could go after a larger bit of information or a larger universe of data points involving a number of different players, it might be worthwhile to put more capital investment and time to go after it? >> same idea as Fort Knox. can we protect the gold? that is the question. can we have safeguards to protect that information? if you look at what systems have done, your data isn't stored in
7:58 am
one location but pieces of your data are stored in servers all over the world. they can't be reconstituted into one piece. because the data is stored in a cloud it takes advantage of technology that makes it harder to compromise, and compromising one data center won't help you compromise the system. there are technology advantages to moving to the cloud but you are right about a target. it is more of a target but one of the things you can centrally protect. >> i want to thank all four of you for testifying. this is an issue we are scratching the surface of. there's a lot of confusion about it, even fear, just because this is a new notion to the larger public, cloud computing. one of our obligations is not only to clear up that confusion
7:59 am
but to understand the reality as best we can, and what you suggest is to make sure all the moving parts are related so if we do something on the government side where we think we have certain protections that is not only communicated with but operational with public clouds as we work with them, and we anticipate these things instead of doing patchwork approaches later on. i want to thank you for your valuable testimony. members of the committee may have additional questions. please respond to those in writing. the hearing record will be open for ten days and the subcommittee stands adjourned.