Security must come before the cloud, GAO says
Comprehensive framework remains fragmented and incomplete
- By William Jackson
- Jul 01, 2010
Cloud computing offers the promise of greater efficiency, flexibility and even security, but agencies will not adopt the technology on a large scale until issues of securing cloud infrastructure and services are addressed systematically, the Government Accountability Office said in a recent report
The report, entitled “Federal Guidance Needed to Address Control Issues with Implementing Cloud Computing,” laid out the pros and cons of cloud computing. Potential benefits include faster deployment of patches, economies of scale and more efficient disaster recovery. Risks include increased dependence on a vendor and the sharing of resources. Agencies have begun addressing these issues individually, but efforts to develop comprehensive security guidance for cloud computing have been fragmented between agencies and so far incomplete.
House panel questions cloud computing assumptions
“Until specific guidance and processes are developed to guide agencies in planning for and establishing information security for cloud computing, they may not have effective information security controls in place for cloud computing programs,” the report said.
GAO recommended that the Office of Management and Budget:
- Establish milestones for completing a strategy for implementing the federal cloud computing initiative.
- Ensure the strategy addresses the information security challenges of cloud computing, including agency-specific guidance, the appropriate standards for assessing cloud computing service providers, the division of security responsibilities between customer and provider, the shared assessment and authorization process, and the possibility for precertification of cloud computing service providers.
- Direct the Chief Information Officers Council's Cloud Computing Executive Steering Committee to develop a plan, including milestones, for completing a governmentwide security assessment and authorization process for cloud services.
Federal CIO Vivek Kundra agreed with the recommendations and said that that OMB is working with other agencies and with the private sector to develop and identify best practices for securing the cloud as the sector matures.
Security washes out cloud savings
Cloud security: Feds on cusp of change
“OMB feels it would be appropriate to develop, over the next six months, a federal cloud strategy that covers a planning horizon of five to 10 years and is based on lessons learned in the near term,” Kundra wrote in his response to GAO. “The strategy and related milestones may need to evolve over time, as cloud computing technologies establish market strongholds.”
Kundra said that the National Institute of Standards and Technology is heading a Cloud Computing Security Workgroup to help develop governmentwide plans for assessment and authorization.
Martha Johnson, administrator of the General Services Administration, said in response to the report that the Federal Risk and Authorization Management Program addresses the need for security assessment and authorization planning for cloud services. FedRAMP is a governmentwide program to provide joint authorization and continuous security monitoring services for agencies, with an initial focus on cloud computing.
The administration has included in the 2011 budget plans to deploy several cloud computing pilot projects. But agencies have identified a number of challenges in implementing existing federal information security guidance in cloud computing, GAO said, including processes for assessing vendor compliance with government requirements. Although OMB, GSA and NIST have undertaken development of security standards and requirements for the cloud, these have not been completed or integrated.
About half of the 24 agencies are using various models of cloud computing and many others are interested in using it, GAO said, but comprehensive guidance still is lacking. “Until federal guidance and processes that specifically address information security for cloud computing are developed, agencies may be hesitant to implement cloud computing, and those programs that have been implemented may not have effective information security controls in place,” the GAO report concluded.
William Jackson is freelance writer and the author of the CyberEye blog.