Clemson CIO testifies before U.S. House subcommittee on cybersecurity
October 11, 2011

WASHINGTON, DC – October 6, 2011 – Clemson University Chief Information Officer James Bottum told a U.S. House of Representatives subcommittee Thursday that cloud computing is efficient and economical and that its benefits far outweigh the risks. However, he said, it is important to ensure that security tools, practices and policies grow in proportion to the use of this evolving technology.
Third District Rep. Jeff Duncan, R-S.C., requested that Bottum, who has served on the National Science Foundation’s Advisory Committee on Cyberinfrastructure and the Internet2 board of trustees, address the U.S. House Committee on Homeland Security subcommittee on Cybersecurity, Infrastructure Protection, & Security Technologies about the security implications of cloud computing.
Cloud computing is on-demand delivery of shared services over the Internet. By allowing users to share resources, cloud computing enables infrastructure to be right-sized, balancing user requirements with information technology services.
Bottum has been Clemson’s chief information officer since 2006. During his tenure, Clemson has transformed its network, storage and computational infrastructure into a state-of-the-art set of services benefitting research, education and public service.
During his testimony on Capitol Hill, the CIO said Clemson has, in some sense, been in the “cloud business” for more than 30 years. Three years ago, as the recession intensified, the university created a South Carolina Cloud Experiment to see if several institutions could do things it could not do by itself or do them more economically.
“Today our cloud is operational and involves a collaboration of educational institutions and commercial organizations, many of which would not ordinarily have access to these resources as a stand-alone institution,” Bottum said. “Our team is working with a Fortune 500 company to build out a secure and comprehensive cloud computing environment.
“Considering our diverse users and numerous organizations that connect into the environment, it is important to properly ensure identity and access and address concerns over data theft or manipulation and vulnerabilities. It is also critical to have a security-conscious work force.”
Bottum said research and development is needed in six areas to increase security within the cloud:
- use of virtual machines (VMs). Cloud computing is enabled by virtualization.
- authentication, authorization and accounting. Research is needed to counter the threats of eavesdropping and tampering, distributed denial of services, network infrastructure vulnerabilities and insider threats.
- security applications and tools. Research should focus on creating applications that leverage the distributed nature of the cloud to provide a new level of security. This would result in a more secure environment that is resistant to both infections of individual hosts and the current generation of network-based attacks.
- encryption for programs and data processing.
- distributed denial of service detection and control. A DDoS attack is an attempt to make a computer resource unavailable to its intended users. Currently there is not a good mechanism for DDoS detection and control.
- network technologies. Adaptive and intelligent networking research is an important area of study.
Additional testimony was given by Richard Spires of the Department of Homeland Security; David McClure of the Office of Citizen Services and Innovative Technologies, General Services Administration; Greg Wilshusen of the Government Accountability Office; Timothy Brown of CA Technologies; and James W. Sheaffer of the North American Public Sector, Computer Sciences Corp.







