FAQ: How to pick a secure cloud provider
Whatever an agency decides to put in the cloud, it will have to make decisions about the level of security and the types of controls it requires. Although the Federal Risk and Authorization Management Program is intended to ensure a minimum level of security as measured at one point in time, one size will not fit all.
"I don't think all (cloud service providers) will be equal just because they get FedRAMP approval," said Dave Svec, a principal at Veris Group. Agencies will have to do due diligence when selecting from among certified providers.
There are a handful of basic questions that should be considered in selecting a provider:
What is the level of security required for the services being moved to the cloud? Publicly available websites and services generally do not require the same level of security as mission-critical applications and data. But they can still contain sensitive personal information and transaction data, and, depending on how they are used, could serve as gateways to other enterprise activities. Knowing what activities will be hosted in the cloud and the level of security they require provides a starting point for assessing potential service providers.
What kind of cloud do you want? It could be a public cloud provided by a third party; a private cloud provided by the agency for itself and other agencies; or some type of hybrid in which hosting and management are shared by provider and tenant and tenancy can be restricted. A public cloud can offer greater savings by eliminating many upfront costs, but private or hybrid clouds can offer greater control and closer management in exchange for the capital expense of the necessary hardware and software.
Most cloud service providers today are focusing first on customized government-specific environments for their government customers, with less attention to mixed-use environments for government and private sector customers, said Veris Group principal Douglas Greise.
An evolving service model is what Greise calls a community cloud, in which a primary service provider can acquire platform, infrastructure and software services from other providers. This can give an added level of economy, but also adds a layer of complexity for the tenant. "I don't know that this is very well-defined yet," he said.
Where does the cloud begin and end? Understanding the boundaries of the cloud is important, but they can be less clear than in a data center you run for yourself. "You have to have a clear inventory of systems that are within the boundary," and know what services are being shared, Greise said.
What's the physical environment? This covers a number of very basic questions. Where is the data stored within the data center? Where is the data center located and who is operating it? How much of the environment is shared? Is there physical separation of networks? Is there redundancy for resiliency, load balancing and recovery?
What kind of security architecture is used? This includes a host of issues that can go beyond FedRAMP baselines, depending on the level of security required for your operations. FedRAMP requires two-factor authentication for access control, but what those factors are and who will provide the tokens, certificates or other factors have not yet been worked out. Processes for assigning and managing roles and access privileges must also be considered.
What's the status of the security operations center? The SOC can provide an overview of security operations and controls. It could be managed by the service provider for all of its cloud resources and tenants, or it could be managed by the tenant to monitor only its own activities and resources.
What configuration and update process is followed? Vulnerability and configuration management are also important security elements. The service provider should have in place a mature process for testing and rolling out patches and security updates, and for managing configuration and changes according to NIST and other baselines.