Will FedRAMP improve the outlook for cloud computing?
Cloud adoption raises IT managers' security concerns
Most agencies face a real dilemma when it comes to cloud computing. The Obama administration's cloud-first mandate requires them to plan their IT portfolios around cloud services and to move various services to the cloud. At the same time, they see the cloud as inherently insecure.
Cloud adoption has so far been slow, apart from relatively low-level services such as e-mail and collaboration, primarily because of fears over security. In an April 2012 survey of federal CIOs and IT managers by MeriTalk, some 85 percent of respondents named security as their top obstacle to adoption.
And yet it is becoming increasingly obvious that the digital future depends on the cloud. In government, the need to drastically improve the productivity and performance of agency IT at a time of growing pressure on budgets means the cloud's pay-as-you-go model, and the reduced operating and maintenance costs that come with it, are becoming too attractive to refuse.
The Federal Risk and Authorization Management Program (FedRAMP) is the government’s attempt to get cloud computing over the security hump. Introduced in December 2011, it’s intended to provide a standard approach to authorizing products and services from cloud service providers (CSPs) as compliant with federal government security needs.
In essence, CSPs go through a vetting procedure and, if they pass, receive a FedRAMP stamp of approval. Agencies can then buy cloud services from them knowing the services meet a defined baseline of security controls. Agency-specific controls can be added on top of that baseline as part of the service-level agreement the agency makes with the CSP.
FedRAMP opened to vendor applications on June 6, and officials said they expected three CSPs to earn approval, in the form of a provisional authorization, from the FedRAMP Joint Authorization Board by December 2012. The program is expected to be fully operational in early 2013.
Whether it ends up being the stimulus for cloud adoption to the extent that the administration hopes is uncertain, however.
“Until there’s a way for taking a database and sharing it across numerous sources and not having the availability of a trusted third party that can become complicit with this insider activity, then going to the public cloud for an agency is going to be a risky proposition,” said Daniel Nowak, lead security architect at Iron Bow Technologies.
As it stands now, he said, FedRAMP gives agencies an idea of what can happen with the cloud and gives them a certain level of confidence, in the same way that an organization can look at Amazon and its cloud services and say it has certain things in place and that certain things are done well.
“The question an agency has to ask is if it can trust that the external CSP is acting in good faith and that the agency can trust it to execute whatever agreements it has with it,” he said.
When it comes to matters of national security, that kind of trust doesn’t play very well, he said, “which is what makes this such an interesting discussion.”
It will be interesting to see what the reaction is from users to FedRAMP and how much confidence it injects into cloud adoption. So far, private clouds that operate behind agency firewalls have seen the most deployment, and at that level, the use of the cloud is becoming broadly accepted.
However, according to a January 2012 survey of some 300 government officials by 1105 Government Information Group, agencies that had already adopted cloud computing were moving away from the public cloud. Just 10 percent said they were using it for infrastructure as a service in 2011, compared with 23 percent the previous year. Only 8 percent used the public cloud for platform as a service, down from 17 percent.
Survey participants said the public cloud was the least secure of any of the cloud computing models.
It could also depend on how quickly CSPs take up the FedRAMP program, said John Slye, a senior principal research analyst at Deltek. Each CSP has to pay for its own assessment, and depending on the size of the provider, that can get expensive. That raises the barrier to entry, he said, and after getting certified, the CSP still has to win the task order.
Nevertheless, he said, there will be more providers that put themselves forward for certification because FedRAMP “is a necessary license to play in the federal cloud market.”
He also thinks agencies will get on board with the cloud once the "hype cycle" declines, as people get used to the idea and security concerns are ironed out.
“It’s not a question of if but of when and how fast,” he said.