3 elements for success for the FISMA High cloud
- By Nick Evans
- Sep 17, 2014
As federal agencies continue to consider public or commercial cloud services as a way to cut costs and improve IT service delivery, security concerns remain a major deterrent, especially when it comes to migrating mission-critical workloads.
Recent industry studies show that a majority of organizations (51 percent) still consider their effectiveness in securing data and applications in the cloud to be “low,” with only 26 percent rating their effectiveness as “high.”
To address these concerns, agencies must ensure cloud services meet the requirements of the Federal Information Security Management Act of 2002, better known as FISMA. FISMA accreditation is based on three primary security objectives: the confidentiality, integrity and availability of systems and data.
FISMA accreditation, however, is not a one-size-fits-all proposition. There are three levels: Low, Moderate and High. The majority (roughly 65 percent) of accredited systems in the government today are FISMA Moderate. About another 15 percent are FISMA Low, and the remaining 20 percent are FISMA High.
FISMA High systems are those of critical importance to an agency. A breach of the confidentiality, integrity and availability of such systems and data would result in a severe degradation of an agency’s ability to perform its primary mission function, a financial loss to individuals, or a loss of significant intellectual property.
However, despite recent innovations in cloud security, fears persist that a move to the public cloud requires a sacrifice of security and control over an organization’s infrastructure. As agencies continue to focus on FISMA Moderate systems in the public cloud, they appear reluctant to move FISMA High workloads due to concerns about data sensitivity, availability or overall protection.
Those concerns may have been valid in the early days of cloud computing, before service providers had the geographically-dispersed data centers and high-availability capabilities they do today. But leading service providers now offer the redundancy and resiliency suited to even the most critical data.
Furthermore, technology innovations over the last couple of years have resulted in cloud infrastructure offerings and products that further enhance the security of public cloud environments.
Today, when government agencies combine solutions from leading cloud providers with third-party, off-the-shelf products, they can implement monitoring capabilities and access controls to provide the same level of data integrity they would expect from their own internal systems.
Consequently, government agencies no longer need to fear moving their FISMA High work to the public cloud. By combining the following three key elements into their implementation, agencies can successfully migrate even their most critical systems to the public cloud. Those elements are:
A cloud service provider with a very strong security policy: The reputation of a cloud service provider is based on the security of their infrastructure. If their infrastructure is breached because of a lack of built-in security, they may find themselves out of business. For that reason, major service providers have substantially beefed up their security capabilities and now have some of the most secure IT infrastructures and facilities in the world.
Strong third-party products: Cloud providers are responsible for basic security of their infrastructures, providing products that secure network endpoints, operating systems and the application data hosted in the cloud environment. These products can cloak network endpoints and hide them from unauthorized users while controlling who can access data.
An experienced integrator to enable cloud infrastructure: Government agencies should take advantage of the constantly evolving expertise of systems integrators who understand the implications of different levels of FISMA requirements as well as the requirements of traditional data center environments. An experienced integrator knows how to migrate government organizations to the cloud and what it takes to do that securely.
Not all cloud providers are equal. But with the correct partnerships and capabilities in place, government agencies can now more fully embrace the savings, efficiencies and security of the public cloud. The old concerns about security, resiliency and control are no longer relevant if the cloud environment is enabled for FISMA High.
Nick Evans is vice president and general manager within the Office of the Chief Technology Officer at Unisys.