Cloud security remains a legitimate, though overhyped, concern
Security considerations are key
Although the cloud provides many benefits for government, it also exposes data and systems to risk. Before any federal agency moves to the cloud, it must be certain that every reasonable security precaution has been taken.
Agencies are serious about cloud security. According to The Download on Cloud Computing in Government, a December 2010 survey by the 1105 Government Information Group, the most critical cloud computing security worries are potential data loss or leakage, robust identity authentication and credential management, and secure and timely identity provisioning. Other concerns include effective data encryption; physical security; insecure application programming interfaces; and account, service and traffic hijacking.
The Download survey found that 55 percent of the 460 government respondents don't think cloud solutions are secure enough, and 59 percent agreed that the security risks of a cloud computing implementation are greater than those of an on-premises IT implementation. Roughly half of the respondents worked for a civilian agency, while the other half worked for military agencies. Roughly half had non-IT titles but substantial roles in technology decision making, while the other half had IT titles.
The Cyber Security Alliance also posted dire numbers. According to an April 2010 survey of federal agencies on collaborative cloud computing and cybersecurity, 70 percent of government technology decision-makers are concerned about data security, privacy and integrity in the cloud.
Although some of these concerns are valid, some may be due to a simple lack of knowledge, said Melvin Greer, senior fellow and chief strategist for cloud computing at Lockheed Martin.
“In a survey we did in 2010 focusing on cybersecurity in the cloud, we found that the more people are aware of the cloud, the less concerned they are about security, and the less aware they are, the more they are concerned about security,” he said.
Indeed, other surveys beginning in 2009 have shown that the percentage of respondents extremely concerned about the security of cloud implementations has been steadily declining as more information and experience provide reassurance.
Taking the right steps
Although the level of concern may have declined, it is not going away. The federal government has taken significant steps to ensure that cloud computing will not compromise the security of government data or the private information of its people. Enough progress has been made during the past few years to prompt Federal CIO Vivek Kundra to say at a House committee meeting last summer:
“As we move to the cloud, we must be vigilant in our efforts to ensure the security of government information, protect the privacy of our citizens, and safeguard our national security interests. The American people must be confident that their information is safe in the cloud. Therefore, we are being deliberate in making sure the federal government's journey to the cloud fully considers the advantages and risks associated with cloud technologies, by defining standards and security requirements.”
The security process started in earnest in November 2009, when the General Services Administration's cloud office established working groups on security and standards. In February 2010, GSA launched a governmentwide security certification and accreditation process for cloud computing solutions, which culminated in the development of the interagency Federal Risk and Authorization Management Program. FedRAMP, spearheaded by the National Institute of Standards and Technology and backed by GSA and the Office of Management and Budget, is a program to develop a common security authorization and continuous assessment model for cloud services across government, so that a cloud service assessed once can be reused by multiple agencies.
The momentum continued in 2010. In October, GSA announced that it had chosen 11 vendors to offer cloud-based infrastructure as a service to federal, state and local governments receiving federal funds, but it required those vendors' products to pass a federal information security test. That test, administered by NIST, follows the six-step risk management process of NIST's Risk Management Framework: categorize the system, select security controls, implement them, assess them, authorize the system to operate, and monitor the controls on an ongoing basis.
Other cloud security efforts include the National Initiative for Cybersecurity Education, which aims to improve the effectiveness of the cybersecurity workforce, and the Cloud Security Alliance, a nonprofit organization made up of industry-leading cloud vendors that promotes best practices for providing security assurance in cloud computing.
Meanwhile, the December 2010 survey found that only about 15 percent of the respondents were familiar with any given one of the half-dozen major organizations focused on cloud security. However, respondents from organizations that had fully adopted cloud computing for at least one application were more aware of the various security initiatives.
Some agencies act as if security issues are well in hand. Khawaja Shams, a senior solution architect at NASA's Jet Propulsion Laboratory, said last year that security issues are surmountable. He said that instead of avoiding the cloud, JPL is working with its office of the CIO and its IT security teams to make sure it can leverage the benefits of the cloud without compromising security.
Likewise, the Defense Information Systems Agency allows military users to run applications in production mode in its private cloud computing platform, the Rapid Access Computing Environment. Henry Sienkiewicz, DISA CIO, said last year that RACE is more secure than commercial cloud services. He said his team applies the same information assurance process to its cloud-based applications as it does to applications that run on traditional computing platforms.
Watching your step
Even as security concerns about cloud computing continue to ease, both because of the measures being taken and because customers are better educated, experts recommend following best practices diligently. The Cloud Security Alliance recommends three identity controls in particular: defining and enforcing strong password policies; considering federated authentication, in which the cloud service delegates authentication to the customer organization's own identity provider rather than holding a separate set of credentials; and implementing user-centric authentication, meaning systems where users, rather than service providers, control their identity credentials.
NIST recommends thorough vetting of your cloud provider, comparing its security precautions with the current level of security in your on-premises implementation to confirm that the provider achieves security as good as or better than what you have today. The agency also recommends requiring cloud computing partners to conduct a risk assessment for each cloud implementation that supports an agency mission, and to show that the provider can map its policies and procedures to every security mandate or security-driven contractual obligation you face. In addition, agencies should include procedures to audit a cloud provider's secure coding practices, since an agency inherits the application-layer weaknesses of the platform it builds on.