Can the cloud really keep a (government) secret?


National security and emergency preparedness can be shifted safely to the cloud, experts say, provided agencies pay proper attention to details.

FedRAMP authorization represents only a snapshot of the security status of a cloud environment, and agencies will have to maintain a process for monitoring conditions and activities within the cloud to ensure that security is maintained at the required level. This will require technology to monitor and log activities and transparency on the part of the provider to enable the agency to use this data.

The federal government has adopted a policy of moving as many agencies' IT activities as practical into the cloud, a policy that the National Security Telecommunications Advisory Committee -- at the risk of stating the obvious -- calls a paradigm shift.

"As with any technology paradigm shift, issues such as how the new technologies are used, security, policy, and oversight must be considered when weighing the benefits of adopting the new paradigm," NSTAC wrote in its recent Report to the President on Cloud Computing. 

The central question addressed in the report, released in May, is whether critical national security and emergency preparedness (NS/EP) processes can be migrated safely to the cloud. The answer is yes, but with caveats.



"Conceivably any NS/EP process, including the most sensitive matters, could be moved to 'some kind of' cloud, given proper attention to architectural and security decisions," the committee concluded.

That does not mean that every process should be moved to the cloud, of course. Agencies must decide what to move and what security controls they will need to have in place. The Federal Cloud Computing Strategy released in 2011 estimated that one quarter of federal IT spending, about $20 billion, could be migrated to the cloud.


The NSTAC report helps identify likely candidates for cloud migration by ranking and prioritizing various mission-critical functions based on the relative benefits of the migration. Ultimately, each agency will have to decide its own comfort level in this migration, said Douglas Greise, a principal at the Veris Group, which has been accredited to assess the security of cloud service providers.

Whatever is being moved to the cloud, it will require additional effort and attention from the agency.

"The goal is to reduce complexity and expense and to shut down where possible," Ken Ammon, chief strategy officer for Xceedium, said of the cloud initiative. But any major shift in operations will require testing and time for transitioning before legacy systems can be retired. So in the short run while things are in transition, the shift could mean increased complexity.

That leaves the question of what constitutes adequate security controls. At one level, the answer is simple: both NSTAC and service providers agree that the cloud requires the same safeguards that agencies already provide on their own systems.

"The expectations of your cloud vendor shouldn't be any different from what you were hosting in your basement," said Francis Trentley, senior service line director for Akamai Public Sector and former CIO for White House Communications.

At a practical level, determining appropriate security becomes much more complex. At the core of cloud security requirements for government are the Federal Risk and Authorization Management Program (FedRAMP) and the Federal Information Security Management Act (FISMA).

FedRAMP is an effort to help both agencies and vendors by establishing a blanket certification and accreditation program that will ensure that cloud service providers meet the basic requirements of FISMA. With the potentially large number of operations that could be moved to the cloud, the certification and accreditation process could quickly become bogged down in unmanageable expense and complexity if done on an agency-by-agency, vendor-by-vendor basis.

NSTAC has published a separate 240-page appendix of security controls that agencies should consider when making cloud decisions.

Few service providers can now meet the entire laundry list of requirements, but NSTAC is confident that they are achievable. "While not in place today, the needed 'comparable' NS/EP-support regime of policy, legal, security and other considerations can be both defined and implemented," the authors wrote.

Even though FedRAMP requirements provide only a baseline of security controls for cloud service providers, passing muster is not necessarily an easy task. It will demand significant time and resources for companies seeking authorization to provide government services.

"The biggest hurdle is that it's a new program and expectations are not real clear," said Dave Svec, a principal at Veris Group. "There will have to be a lot of learning up front."

Veris is among the first generation of companies accredited by the General Services Administration as a third-party assessment organization, or 3PAO, that will be certifying service providers for FedRAMP. It will interview company officials, examine documentation of security programs and controls, and perform onsite and remote testing of those controls.

"It's an assessment of the current security status at one point in time," Veris Group's Greise said.

As of this writing no providers have been certified. The FedRAMP program has achieved initial operating capability and still is in the process of ramping up.

The degree of difficulty in becoming certified will depend in part on how familiar companies are with the FISMA requirements underlying FedRAMP. If a company has experience in the government market, it is more likely to have a mature security model. "If they have been a strictly commercial business, they might not have a good understanding of FISMA requirements," Greise said, adding that FedRAMP certification might be more difficult for such companies.

Several service providers have begun the certification process, and although Veris warns that it could be a daunting challenge for small and even for mid- and large-size companies, it is expected that the first class of two to four providers will be certified by the end of the year.

"We are going to be one of the first ones through the FedRAMP certification," Akamai's Trentley predicted.

Akamai is a content delivery company that moves customers' public content to a global network of servers, bringing content closer to end users and removing much of the customer enterprise from the delivery process. It is in the certification process now and is taking advantage of the fact that it already is doing business with government.

"They all use us," Trentley said referring to cabinet-level agencies. The company is leveraging the certifications and accreditations it already has received from individual agencies to pass FedRAMP. "We're going through it one more time for everybody," he said.

From Akamai's point of view, the logical first candidates to be moved to the cloud are public content and services. As online delivery of services grows, these functions are important to agency missions. At the same time the information they contain, although it might sometimes be sensitive, is rarely classified and not critical to operations.

"Moving public targets to a public cloud makes sense," Trentley said. "Public-facing apps can live easily in the cloud with proper controls and management."

Relying on a content delivery service can improve reliability and resiliency by putting content in a distributed system that can handle spikes in demand. Such a system is also harder to target with a denial of service attack, and separating public from internal operations can improve security for the rest of the enterprise, Trentley said.

"I can get the public off your infrastructure," he said. "That's a huge space you've made on your plate," freeing up resources for other security issues.

Ensuring ongoing security puts a premium on identity and access management to make it clear who is doing what on the system, and controlling what resources each person can access. For agencies, this should mean that systems support the Personal Identity Verification (PIV) card for civilian agencies and the Common Access Card (CAC) for Defense Department employees and contractors.

"Passwords aren't going anywhere any time soon," said Xceedium's Ammon, but the PIV and CAC cards should provide the required second authentication factor.

Privileged control tools, such as those offered by Xceedium and other vendors, can help enable transparent access to a virtual environment for administrators and other managers while controlling access and logging activity.

"That is a challenge for the cloud environment," Ammon said, referring to the need to continuously discover and monitor resources in a large number of virtual machines. Managing and tying credentials at the front end to a constantly changing virtual environment offers one more new element of complexity in the cloud.
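The continuous-monitoring concern raised at the top of the article and the credential-tracking problem Ammon describes here can be illustrated with one reconciliation step. The following is an added example, not code from the NSTAC report or from any vendor product; the VM inventory snapshots, the credential bindings and the "PIV"/"CAC" factor labels are constructed data, and the `reconcile` and `audit_lines` functions are hypothetical.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class VM:
    """One virtual machine discovered in the provider's environment."""
    vm_id: str
    owner_agency: str


@dataclass(frozen=True)
class Binding:
    """A privileged credential managed by the access gateway for one VM."""
    vm_id: str
    admin: str
    second_factor: str   # "PIV", "CAC", or "none" (password only)


STRONG_FACTORS = {"PIV", "CAC"}

# Constructed sample data: vm-102 is retired and vm-104 appears between cycles.
INVENTORY_T0 = [VM("vm-101", "DHS"), VM("vm-102", "DHS"), VM("vm-103", "DoD")]
INVENTORY_T1 = [VM("vm-101", "DHS"), VM("vm-103", "DoD"), VM("vm-104", "DoD")]
BINDINGS = [Binding("vm-101", "alice", "PIV"),
            Binding("vm-102", "bob", "PIV"),
            Binding("vm-103", "carol", "none")]


def reconcile(inventory, bindings):
    """Compare one discovery snapshot against the credential store."""
    live = {vm.vm_id for vm in inventory}
    bound = {b.vm_id for b in bindings}
    return {
        # discovered VMs with no gateway-managed privileged credential
        "unmanaged_vms": sorted(live - bound),
        # credentials still bound to VMs that no longer exist
        "orphaned_bindings": sorted(bound - live),
        # live VMs whose admin access lacks a PIV/CAC second factor
        "password_only": sorted(b.vm_id for b in bindings
                                if b.vm_id in live
                                and b.second_factor not in STRONG_FACTORS),
    }


def audit_lines(cycle, findings):
    """Render findings as log lines for the agency's monitoring record."""
    lines = []
    for category, vm_ids in findings.items():
        for vm_id in vm_ids:
            lines.append(f"cycle={cycle} finding={category} vm={vm_id}")
    return lines


if __name__ == "__main__":
    for cycle, inventory in (("t0", INVENTORY_T0), ("t1", INVENTORY_T1)):
        for line in audit_lines(cycle, reconcile(inventory, BINDINGS)):
            print(line)
```

Running the two cycles shows why a one-time assessment is not enough: the t0 snapshot is clean apart from the password-only host, while t1 surfaces both a new unmanaged VM and an orphaned credential.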
