In the cloud, security is easy, perfection is impossible
- By William Jackson
- Jun 22, 2011
Requirements for assessing the security of cloud service providers and authorizing their use are expected to be released soon, but government and industry officials said June 22 that security concerns could be the simplest issue to be solved in the federal adoption of cloud computing.
“Security is the most soluble problem that the cloud has,” up to moderate risk levels, said Bill Perlowitz, vice president of advanced technology at Apptis, a government integrator.
A lack of expertise in cloud security, management and administration, particularly in government, could slow the move to the cloud if agencies become overly cautious, officials warned.
The greatest threat to government cloud computing today is “the perfect being the enemy of the good,” said Greg Elin, chief data officer for the Federal Communications Commission.
Cloud computing is a pay-as-you-go service model in which a third party provides computing capacity as a service, allowing the rapid addition of resources as needed without a capital investment in infrastructure for the customer.
The Obama administration has made moving to the cloud a priority for executive branch agencies, and the General Services Administration is leading the effort. The Federal Risk and Authorization Management Program, FedRAMP, is intended to provide a standard, cross-agency approach to the security assessment and authorization that the Federal Information Security Management Act requires before agencies can use such services.
FISMA requires that the security of IT systems used by agencies be assessed and receive an authorization to operate, and this applies to systems operated by cloud service providers. GSA already has provided Authorization to Operate for a dozen cloud service providers with GSA contracts, but their use by other agencies requires the agencies to accept GSA’s decision. FedRAMP is intended to provide a centralized scheme that uses consensus requirements that can be accepted across government. The requirements are aligned with security controls specified by the National Institute of Standards and Technology for FISMA compliance.
A draft of the FedRAMP requirements was released for comment in October 2010, and the final release of the first version was expected by December. But the comment period was extended through January 2011 and the release was delayed.
Sanjeev Bhagowalia, deputy associate administrator in GSA’s Office of Citizen Services and Innovative Technologies, said at a conference held in Washington by the local chapter of the Cloud Security Alliance that the final review now is under way and a release is expected soon.
The goal of FedRAMP is not perfect security, which is impossible.
FedRAMP will produce only a set of agreed-upon standards that agencies will be able to accept or not, said Kellie Lewin, director of GSA's cloud computing program. "FedRAMP is trying to put the risk back into security management."
Accepting that some risk is inevitable in moving to the cloud, and having a system to manage that risk, is necessary, Elin said. “Data is going to be spilled,” he said. “This is not about pretending we can stop it from happening.”
Managing risk becomes a greater challenge because of the shortage of qualified government technical workers with expertise in cloud computing. Because of this, moving data and services into the cloud will have to be done cautiously, with the least critical and sensitive applications going first.
“Not everything will go to the cloud,” Lewin said. It is estimated that about a quarter of the government’s $80 billion annual IT budget could be shifted to the cloud. One early candidate is public-facing websites, Lewin said. “That’s a no-brainer.” GSA also is in the process of rolling out e-mail service from Google.
Bhagowalia said that the goal of GSA’s cloud computing program is not an elegant finished solution, but a practical, mission-oriented program that can begin providing savings and greater flexibility in the short term.
Given the shortage of experience and the number of technical, political and policy questions yet to be resolved, missteps are inevitable, Perlowitz said. “But if we wait until it’s perfect, we will never deploy.”
William Jackson is a freelance writer and the author of the CyberEye blog.