8 best practices for evaluating cloud risk
- By Marty Heinrich
- Nov 06, 2014
The Office of Management and Budget’s 2011 cloud-first initiative, unveiled by then-federal government CIO Vivek Kundra, was intended to modernize federal IT systems by enabling agencies to acquire IT services when they needed them, at lower cost and with the flexibility to redirect scarce resources to critical efforts underway.
But four years later, the government’s migration to the cloud is actually going slower than expected.
According to a recent Accenture Federal Services and Government Business Council report that polled 286 federal executives, only 10 percent of agencies have migrated more than half of their IT portfolios to the cloud. Only 30 percent are implementing cloud strategies and 58 percent were not aware of any cloud strategy underway at their agencies.
Agencies have concerns about risks associated with storing critical and often sensitive information -- including records and personal information -- in the cloud. Likewise, the Government Accountability Office has identified key challenges with the implementation of the cloud-first policy, including concerns about meeting federal security requirements and certifying vendors’ solutions and platforms.
Chief issues with the use of cloud storage include vulnerability to hacking and theft, privacy and ownership of information held outside agency firewalls, lack of portability standards, weak records management capability, insider threats and insufficient due diligence before jumping into the cloud.
Best practices reduce risk for cloud migration
Agencies can take measures to minimize risks to their information in the cloud. One such measure is establishing risk-based evaluation criteria for selecting cloud-based solutions, following these best practices:
1. Define and document the organization’s information and security requirements for a cloud-based solution, including records management functions, compliance with standards from the Federal Information Security Management Act (FISMA) and the National Archives and Records Administration (NARA).
Include the agency records officer in planning and deploying cloud solutions to ensure that records management, e-discovery, retention, legal and FOIA requirements are addressed.
2. Evaluate the cloud architecture needs. For example, a private cloud (versus a public cloud) model allows an agency to enforce its own information security controls and may be a consideration for storage of highly sensitive information.
3. Perform due diligence when picking a cloud service provider (CSP), including checking references, participating in site visits and verifying required security certifications and standards compliance.
4. Negotiate contractual arrangements with cloud providers to manage known risks, including corporate stability, storage location and ownership, service level agreements, audits and multi-factor authentication.
5. Define continuous monitoring activities for your CSP, as well as standard incident response processes.
6. Define measures to ensure privacy protection and compliance with the Privacy Act of 1974. This should include privacy impact assessments, privacy training and standardized responses to privacy data breaches.
7. Ensure that the cloud solution provides necessary record-keeping functions, including the ability to destroy records in accordance with mandated records schedules, and NARA transfers for permanent records.
8. Ensure compliance with FISMA standards, specifically the Federal Risk and Authorization Management Program (FedRAMP) cloud security program that governs security authorization for cloud providers.
Cloud vendors are working actively to address security concerns. For example, Microsoft’s government community cloud addresses security requirements for data location and data access by hosting all services and information in the continental United States, managed by U.S. personnel with government background investigations.
Vendors are also providing cloud-based solutions that comply with government records management requirements, including the Federal Records Act, NARA regulations and the DOD 5015.2 standard for electronic records management applications.
Many agencies still believe that their information, particularly classified and national security data, may be too sensitive to move to the cloud. In response to these concerns, private clouds and hybrid clouds are being preferred over public clouds because they provide greater security controls. This concern is driving the implementation of agency-only or federal-only cloud models, and of hybrid clouds that combine private and public systems.
As agencies and vendors address their cloud security concerns by delivering cloud architecture options, improved security controls and records management capabilities, expect an accelerated migration of applications and information to the cloud and the full realization of the government’s cloud-first objectives.