In the cloud, security is easy, perfection is impossible

Requirements for assessing the security of cloud service providers and authorizing their use are expected to be released soon, but government and industry officials said June 22 that security concerns could be the simplest issue to be solved in the federal adoption of cloud computing.

“Security is the most soluble problem that the cloud has,” at least up to moderate risk levels, said Bill Perlowitz, vice president of advanced technology at Apptis, a government integrator.

A lack of expertise in cloud security, management and administration, particularly in government, could slow the move to the cloud if agencies become overly cautious, officials warned.


The greatest threat to government cloud computing today is “the perfect being the enemy of the good,” said Greg Elin, chief data officer for the Federal Communications Commission.

Cloud computing is a pay-as-you-go service model in which a third party provides computing capacity as a service, allowing the customer to add resources rapidly as needed without making a capital investment in infrastructure.

The Obama administration has made moving to the cloud a priority for executive branch agencies, and the General Services Administration is leading the effort. The Federal Risk and Authorization Management Program, FedRAMP, is intended to provide a standard, cross-agency approach to the security assessment and authorization that the Federal Information Security Management Act requires before an agency can use a system.

FISMA requires that the security of IT systems used by agencies be assessed and that the systems receive an authorization to operate, and this applies to systems operated by cloud service providers. GSA already has granted an Authorization to Operate to a dozen cloud service providers with GSA contracts, but their use by other agencies requires those agencies to accept GSA’s decision. FedRAMP is intended to provide a centralized scheme built on consensus requirements that can be accepted across government. The requirements are aligned with the security controls specified by the National Institute of Standards and Technology for FISMA compliance (NIST Special Publication 800-53).

A draft of the FedRAMP requirements was released for comment in October 2010, and the final release of the first version was expected by December. But the comment period was extended through January 2011 and the release was delayed.

Sanjeev Bhagowalia, deputy associate administrator in GSA’s Office of Citizen Services and Innovative Technologies, said at a conference held in Washington by the local chapter of the Cloud Security Alliance that the final review is now under way and that a release is expected soon.

The goal of FedRAMP is not perfect security, which is impossible.

FedRAMP will produce only a set of agreed-upon standards that agencies will be able to accept or not, said Kellie Lewin, director of GSA's cloud computing program. "FedRAMP is trying to put the risk back into security management."

Accepting that some risk is inevitable in moving to the cloud, and having a system to manage that risk, is necessary, Elin said. “Data is going to be spilled,” he said. “This is not about pretending we can stop it from happening.”

Managing risk becomes a greater challenge because of the shortage of qualified government technical workers with expertise in cloud computing. Because of this, moving data and services into the cloud will have to be done cautiously, with the least critical and sensitive applications going first.

“Not everything will go to the cloud,” Lewin said. An estimated quarter of the government’s $80 billion annual IT budget could be shifted to the cloud. One early candidate is public-facing websites, Lewin said. “That’s a no-brainer.” GSA also is in the process of rolling out e-mail service from Google.

Bhagowalia said that the goal of GSA’s cloud computing program is not an elegant finished solution, but a practical, mission-oriented program that can begin providing savings and greater flexibility in the short term.

Given the shortage of experience and the number of technical, political and policy questions yet to be resolved, missteps are inevitable, Perlowitz said. “But if we wait until it’s perfect, we will never deploy.”

About the Author

William Jackson is a freelance writer and the author of the CyberEye blog.

Reader Comments

Fri, Jun 24, 2011 W Va

Yes, and morons are the enemy of buffoons. So should moron be our new success criterion? Because something is worse than something else doesn’t mean that this is what we should shoot for in our lives. Hey, we’ll look less sucky if we aim lower… I’ve been in IT security for over a decade now and I can tell you that the ongoing security posture of a system is tied closely to the security architecture when it is first deployed. If not built with SOLID security integrated from the onset, the solution will have a difficult time integrating new and emerging security requirements, and that posture will degrade over time relative to the threat. If we do not have great and comprehensive requirements and implementation during cloud synthesis activities, we will not likely see a public cloud secure for anything more sensitive than a lunch menu website. FedRAMP is a standardized version of the 800-53 controls. This is NOT an appropriate way to approach the systems engineering aspect of building a cloud. Sure, those controls will be significant components of requirements, but one must have a complete understanding of the threat environment and operational components. With each new component added to a particular cloud, that threat environment will evolve. A solid risk management process will solve this problem (800-39), but who is going to do comprehensive risk management of the “cloud” every time a new application is introduced? Certainly not the vendor; risk management costs real money and adds liability… The government is going to have to develop a community cloud for all government agencies to use. And guess what, they are going to have to do a GREAT job if they want it to be successful. Good isn’t good enough with security. Great probably isn’t either, but it’s where we have to start, and we better start soon!