I was pleased to attend the AFFIRM luncheon yesterday on Cloud Computing. This was the first Association For Federal Information Resources Management (AFFIRM) event I have attended. Interesting speakers all the way around and they have all had some success with cloud computing.
The one thing I expected to hear but didn't was some discussion concerning the relationship of Enterprise Architecture and Cloud Computing. My theory is that the cloud provides an opportunity to operationalize EA for applications and data centers. My justification for this is that you can write very specific rules about what technology is to be used in the cloud and what is not permitted. For example, if an agency targets Oracle 10 as the database for the enterprise, you can write into the SLAs that the provider cannot use SQL Server, Informix, Sybase or any other database. As such, there is a new, more meaningful way to implement a target architecture than was previously possible. Essentially you have your cloud and you know that 100% of what is in the cloud is compliant with the target. Everything not in the cloud is suspect and deserves more oversight to report compliance.
I also didn't hear any discussion about Certification and Accreditation (C&A), which is somewhat surprising. C&A should be about 50% easier than it is without a cloud-type of system. For example, all controls that are physical, sanitation and platform-related should be established for the cloud. Then each application would be responsible for the application-level controls like roles and least privilege.
Overall, I think the AFFIRM group provides a reasonable opportunity to dive into some depth on a given topic. The one is somewhat squishy still, but I liked the format. The one thing I didn't like was the overly hard sell by a couple of people. Don't push so hard; entice me.
Addendum - FCW posted a link to this meeting; you can read all about it in their article, Adapting to the Cloud.