In today’s technology landscape, migration to the Cloud is compelling not just for the cost and time savings over standing up your own infrastructure, but for many other important reasons, including on-demand spare capacity for seasonal or peak traffic loads, as well as quick and easy access to specialized hardware and software environments that would otherwise require deep technical skill sets to support, e.g. Big Data. In addition, the abundance of Cloud providers advertising FISMA-compliant Cloud services makes it tempting for Federal agencies to jump on the FISMA Cloud bandwagon as well. However, one word of caution is in order when considering migrating your information system to a FISMA Cloud. There is an old saying popular in the compliance community: “you can outsource your technology, but you can’t outsource your risk.” As the Federal Agency stakeholder, you remain ultimately responsible for the total overall FISMA compliance of your information system, even when it is outsourced to Cloud providers.
Many FISMA Cloud vendors offer various levels of FISMA compliance to federal agencies, but cover only one or two layers of the overall information system solution. As a result, you may be getting only partial compliance coverage from your provider. Remember, the National Institute of Standards and Technology (“NIST”) Special Publication 800-53 maps out controls that span every layer of your information system’s tech stack, from the physical environment, infrastructure, network, operating systems, middleware, applications and data to the people and processes around them. A Cloud provider that offers you only infrastructure or only a middleware platform can attest to compliance only for the narrow range of controls specific to that layer, leaving cracks in the overall coverage through which many of the other controls can fall.
For instance, your Cloud provider may provide hardware with the latest OS version and maintain the patch levels, but who reviews the server logs on a regular basis to make sure you have not been exposed to repeated failed logins or any other potential attack or attempted security breach? And who approves, manages and maintains the privileged user accounts on these servers and ensures they are only accessed through two-factor authentication? These are just two examples of the many process-related controls wrapped around the hardware or software that must be explicitly owned in this distributed-responsibility compliance landscape, and that your provider may not be addressing at all.
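The log-review control above is the kind of thing that falls through the cracks when nobody owns it. As an added example (not part of the original post or of any Armedia product), the following Python script shows what the simplest form of that review looks like: it parses OpenSSH-style authentication log lines, flags any source that produces five or more failed logins within a ten-minute sliding window, and rolls up daily failure totals per source so that slow, spaced-out attempts are also visible. The log lines, hostnames, usernames and IP addresses are constructed sample data; the threshold and window are assumed tuning values, not anything NIST 800-53 prescribes.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in the style of an OpenSSH auth log (not from any real system).
# The first source fails five times in thirteen seconds; the last one fails five
# times spread over two hours, which a short window alone would never catch.
SAMPLE_LOG = """\
Mar  4 10:01:02 web01 sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 50122 ssh2
Mar  4 10:01:05 web01 sshd[2203]: Failed password for root from 203.0.113.7 port 50123 ssh2
Mar  4 10:01:09 web01 sshd[2205]: Failed password for root from 203.0.113.7 port 50124 ssh2
Mar  4 10:01:12 web01 sshd[2207]: Failed password for root from 203.0.113.7 port 50125 ssh2
Mar  4 10:01:15 web01 sshd[2209]: Failed password for root from 203.0.113.7 port 50126 ssh2
Mar  4 10:15:30 web01 sshd[2301]: Failed password for alice from 198.51.100.4 port 41001 ssh2
Mar  4 10:16:00 web01 sshd[2303]: Accepted publickey for alice from 198.51.100.4 port 41002 ssh2
Mar  4 11:40:00 web01 sshd[2401]: Failed password for bob from 198.51.100.9 port 41100 ssh2
Mar  4 12:10:00 web01 sshd[2403]: Failed password for bob from 198.51.100.9 port 41101 ssh2
Mar  4 12:40:00 web01 sshd[2405]: Failed password for bob from 198.51.100.9 port 41102 ssh2
Mar  4 13:10:00 web01 sshd[2407]: Failed password for bob from 198.51.100.9 port 41103 ssh2
Mar  4 13:40:00 web01 sshd[2409]: Failed password for bob from 198.51.100.9 port 41104 ssh2
"""

# Matches the "Failed password" line format emitted by OpenSSH; the syslog
# timestamp carries no year, so the caller supplies one.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)


def parse_failed_logins(text, year=2024):
    """Return a list of (timestamp, user, source_ip) for each failed-login line."""
    events = []
    for line in text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue  # successful logins and unrelated lines are ignored here
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["user"], m["src"]))
    return events


def find_repeated_failures(events, threshold=5, window=timedelta(minutes=10)):
    """Alert once per source that reaches `threshold` failures inside a sliding `window`.

    Threshold and window are assumed tuning values; adjust them to the environment.
    """
    recent = defaultdict(deque)  # source ip -> (timestamp, user) within the window
    alerts, alerted = [], set()
    for ts, user, src in sorted(events):
        q = recent[src]
        q.append((ts, user))
        while q and ts - q[0][0] > window:  # drop attempts that aged out of the window
            q.popleft()
        if len(q) >= threshold and src not in alerted:
            alerted.add(src)
            alerts.append({
                "source": src,
                "count": len(q),
                "users": sorted({u for _, u in q}),
                "first": q[0][0],
                "last": ts,
            })
    return alerts


def daily_totals(events):
    """Count failures per (ISO date, source ip) so slow, spaced-out attempts still surface."""
    totals = defaultdict(int)
    for ts, _user, src in events:
        totals[(ts.date().isoformat(), src)] += 1
    return dict(totals)


if __name__ == "__main__":
    evts = parse_failed_logins(SAMPLE_LOG)
    for a in find_repeated_failures(evts):
        print(f"ALERT {a['source']}: {a['count']} failures for {a['users']} "
              f"between {a['first']:%H:%M:%S} and {a['last']:%H:%M:%S}")
    for (day, src), n in sorted(daily_totals(evts).items()):
        print(f"{day} {src}: {n} failed logins")
```

Run against the sample, only 203.0.113.7 trips the sliding-window alert; 198.51.100.9 never has more than one failure inside any ten-minute window, and only shows up in the daily rollup. That gap is the point: whoever owns this control has to decide which detection rules are applied, who reads the output, and how often, which is exactly the ownership question the paragraph above raises.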
In addition, many middleware and application software vendors offer their services from the Cloud but in turn use a third-party provider, such as Amazon’s EC2, for their infrastructure. They may also use other third-party providers for monitoring, management or other information system services. And inevitably, additional software components such as a new app server or database will be required, possibly supported by still another vendor. This creates a cascading liability chain that grows exponentially with each new party or package added to the solution. The agency stakeholder now has to collect, compile, aggregate and cross-check compliance coverage from all of these parties before they can have any confidence in signing off on an Authorization to Operate (“ATO”).
Another point to keep in mind is how the Cloud providers validate their FISMA compliance. When assessing compliance against a documented standard such as NIST 800-53, it is important to differentiate how the assessment was performed. The two primary methods for assessing compliance are an internal assessment or engaging an independent third party with experience in the NIST 800-53 controls. An internal assessment performed by the Cloud provider’s own employees, or by those responsible for the infrastructure being assessed, does not provide a high degree of assurance regarding the Cloud provider’s compliance. An independent assessment gives the agency greater comfort and assurance that the controls are actually documented, implemented and operating as required. It also gives the agency comfort that proper testing procedures and assessment methodologies were used during the assessment, so that the agency stakeholder can in turn sign off on an ATO with confidence.
When weighing the decision of which Cloud solution to pursue, it is important to understand the benefits a full-stack Cloud provider, one that provides hardware and software from within its own environment, can offer. The primary benefits are a compliance sign-off on all layers of the information system, as well as on the data and the supporting people and processes, backed by an independent assessment of the control environment. This yields a single ATO rollup responsibility resting on a single vendor, which is much more easily managed and far more reliable.
Stay tuned for more information about the Armedia Content Cloud.