Testifying at an April 2011 Senate subcommittee hearing, Dr. David McClure, Associate Administrator of the Office of Citizen Services and Innovative Technology, stated that one of the biggest challenges federal agencies face in migrating government IT solutions to the cloud is the security of cloud computing.
McClure is far from alone in citing security as a challenge: in a Lockheed Martin study, 94% of respondents named it as a cloud risk.
Recent hacker attacks, the rise of groups like Anonymous, and the sensitivity of government data and personally identifiable information are each major factors behind these concerns. Other concerns listed in related studies include data loss or leakage, robust identity authentication and credential management, service and traffic hijacking, and secure and timely identity provisioning.
For many organizations, the security of information is one of the most critical business risks. This is why many of the federal cloud computing examples covered in this series have opted for the “private cloud” deployment model. The security risks associated with the billions of documents archived by the federal government may be driven by a need to protect intellectual property, trade secrets, personally identifiable information, or other sensitive information. Making sensitive information available over the Internet requires a significant investment of time and attention in security controls and in monitoring of both access to the content and the pathways to it.
Experts agree that a major factor contributing to agencies’ confidence in the continuing push to migrate to the cloud is establishing trust in the security of the available cloud options. They also agree that any mandate must be matched by effective efforts to ease the challenges of cloud computing. The key to a smooth transition lies in:
– Clear and definite guidelines provided to lead the way
– An understanding of the unique security needs
The most important standards for federal cloud computing security are those of the Federal Risk and Authorization Management Program (FedRAMP). FedRAMP is a government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services. Its baseline ensures that services shared among various agencies carry security controls equal to, if not better than, those an agency such as the GSA would implement itself.
Other efforts to increase the security of cloud computing include the National Initiative for Cybersecurity Education (NICE), which aims to improve the effectiveness of the cybersecurity workforce, and the Cloud Security Alliance, a nonprofit organization of industry-leading cloud vendors and practitioners that promotes best practices for providing security assurance in cloud computing. These are a few of the deliberate efforts to ensure that the federal government’s move to the cloud fully considers both the advantages and the risks of cloud technologies by clearly setting out standards and security requirements.
To gain a clear understanding of the unique needs associated with cloud security, agencies and contractors must first understand the characteristics of the particular agency’s workload, such as the privacy requirements of the healthcare and finance domains, before they can define what they need from a trust perspective.
Defining the security challenge in a bounded way has several parts. Agencies should ensure that security boundaries are clearly defined, backed by SLAs on security, incident response plans, and continuous monitoring programs, in addition to complying fully with the requirements of the Federal Information Security Management Act (FISMA). NIST also recommends thorough vetting of cloud service providers, comparing their security precautions against the current level of security in on-premise implementations, to confirm that the provider achieves security equal to or better than what is already in practice.
Some other best practices that are mutually understood across the various guiding agencies are as follows:
- Include procedures to audit a cloud provider’s secure coding practices
- Define and enforce strong password policies
- Consider user-centric authentication to the cloud service (systems where users, rather than service providers, control their identity credentials)
- Require cloud computing partners to conduct risk assessments and vulnerability analysis
- Ensure cloud providers can map their policies and procedures to any security mandate or security-driven contractual obligation
- Assign specific physical security obligations to specific, appropriately placed personnel within the cloud provider’s organization
- Ensure that the CSP complies with global security standards such as ISO/IEC 27001 (information security management systems) or other international industry standards
- Keep a disaster recovery team and communication plan in place at all times
In recent months, overall concern about the security implications of cloud computing has eased due to several new initiatives and practices now in place. FedRAMP, together with industry efforts such as the Cloud Security Alliance, is among the steps taken to ensure that the federal cloud computing initiative does not compromise the security of government data or the private information of citizens.
Even as concerns about cloud security continue to ease, both because of the measures being taken and because customers are better educated, experts strongly recommend following best practices diligently.
The concerns discussed in this blog series are drawn from the testimony given by Dr. David McClure, Associate Administrator, Office of Citizen Services and Innovative Technology, at an April 2011 Senate subcommittee hearing.
To learn about the different cloud deployment models, view part one of this blog series HERE.