Governmentwide security certification could bolster cloud, report says
Federal information managers seek security guidelines for cloud computing
A governmentwide certification and accreditation process for securing cloud computing infrastructures could accelerate adoption of the computing model among agencies, but barriers include management and oversight issues, according to a report from Symantec on security and the cloud.
Eight-three percent of the 202 federal information technology decision-makers surveyed for the report “Symantec 2010 Break in the Cloud,” said it will take three or more years for the government to implement such a comprehensive C&A process. A survey of the federal IT managers and systems integrators was conducted by O’Keeffe and Company at the 2010 Symantec Government Symposium in June.
About 22 percent of the respondents are tracking government efforts in this area. Forty-six percent of those tracking government initiatives are closely monitoring the Federal Risk and Authorization Management Program (FedRAMP). However, many respondents were unaware of FedRAMP, which means that the Office of Management and Budget should increase efforts to educate agencies, the report states.
Announced in May, FedRAMP is an interagency effort whose aim is to reduce duplicate efforts and security compliance expenditures, as well as encourage rapid acquisition timeframes, security oversight, and consistent integration with Federal governmentwide security efforts. FedRAMP, which is still in the development stage, also will provide security authorizations and continuous monitoring of shared systems.
Industry group offers certification for cloud computing security
Forty-eight percent of the respondents said agencies could successfully implement and manage a governmentwide C&A process for cloud security. The barriers though include, identifying resources such as who can focus on the effort, managing compliance, establishing technology standards, and the costs associated with implementation.
Cloud computing provides on-demand network access to a shared pool of configurable computing resources that can be rapidly provisioned and released with minimal management effort or service provider interaction.
Agencies are looking to the cloud to save money, improve continuity of operations and reduce energy consumption, the reports states. Nearly one quarter of the agency managers have implemented cloud applications, and 35 percent are in the planning stages.
Almost half of those who have implemented cloud applications – 42 percent – do not know if they have experienced a breach or attempted breach. Forty-nine percent said they had not experienced a breach. Five percent said they had experienced a breach but no data was stolen. Four percent said they experienced a breach that resulted in loss or stolen data, the Symantec report states.
Meanwhile, a survey of security professional conducted by RSA Conference indicates the that security risks associated with cloud computing pose more of a clear and present danger than attacks involving mobile devices and Facebook, as reported by Matthew Schwartz with InformationWeek.
The respondents agree that allowing employees to connect their own mobile devices to the corporate network posed a security threat. But only two percent report their organization having experienced a serious incident as a result of an employee's mobile device usage. Likewise, only about two percent reported experiencing a serious security incident as a result of a social networking attack or leak, according to the InformationWeek article.
Still, 83 percent of respondents said their organization will move more business processes into the cloud in the next 12 months, typically through software-as-a-service applications, rather than infrastructure or platform services.
Top security concerns with the move to the cloud include controlling access to data, followed by maintaining regulatory compliance, data integrity, and seeing corporate data be co-mingled on shared servers, according to the RSA survey.