Research Report: The Virtual Public Sector

Cloud security concerns give agencies pause

Government officials continue to be concerned about cloud-based systems becoming a weak link in the security of their information technology enterprises, a new survey shows.

Security has been a concern since the Obama administration first began pushing agencies to migrate applications to the cloud in 2009. During the past four years, government and industry organizations have been working arduously to develop strategies to address those concerns.

Meanwhile, some security experts now argue that cloud computing could improve security. As they see it, the shift to the cloud could result in much simpler IT architectures – and the simpler the architecture, the easier it is to secure.

Yet concerns linger.

A survey of federal, state and local IT professionals found that 73 percent of respondents believe that cloud computing introduces new cybersecurity vulnerabilities. Only 19 percent say it could improve security, while 8 percent see no impact at all. (See chart.)

Figure 1


Forrester Research, an IT market research and consulting firm, has found similar results in its own studies.

“In Forrester’s Forrsights research program, we interview over 2,000 security decision-makers on a variety of security issues and topics,” Edward Ferrara, a principal analyst at Forrester, wrote in a recent blog post. “Cloud security tops the list of concerns regarding cloud deployments.”

However, Ferrara believes that the Federal Risk and Authorization Management Program (FedRAMP) could address some of those concerns in the federal space by providing a standardized approach for security assessment, authorization and continuous monitoring.

“This is a major step forward in the legitimization of cloud as a secure and capable application deployment platform,” Ferrara wrote.

The National Institute of Standards and Technology also is trying to address cloud-related security concerns. In June, NIST published a draft version of its forthcoming Cloud Computing Security Reference Architecture, which supplements the NIST Cloud Computing Reference Architecture published in 2011.

"The document's objective is to demystify the process of selecting cloud-based services that best address an agency's requirements in the most secure and efficient manner," Michaela Iorga, NIST Cloud Computing Security Working Group chairman, said in a statement.

Meanwhile, the commercial market is likely to invest more resources in addressing security concerns as the demand for cloud services increases, according to a January study by Gartner, an IT market research and consulting firm.

In time, public cloud services will come to be seen as critical infrastructure, compelling the development of better security solutions.

“Providers that lack the ability to offer compliant security controls to address critical infrastructure protection mandates will likely face sales difficulties in cloud environments and may be filtered from shortlists based on emerging critical infrastructure protection requirements,” said Lawrence Pingree, research director at Gartner, in a January press release.

In any case, some experts expect to see more organizations opting to play it safe and outsource cloud-related security services, rather than rely on their own experts.

“The increasing complexity of both IT and physical security requirements for commercial and government organizations will drive a shift towards outsourcing security to managed security service providers,” according to a report by Frost and Sullivan, an IT market research and consulting firm.

Methodology and survey demographics

Between May 28 and June 6, 2013, 186 subscribers of FCW, GCN and other 1105 Government Information Group publications responded to an e-mail survey about cybersecurity trends in government agencies. Survey respondents were those with insight into their agencies' selection of cybersecurity strategies. Beacon Technology Partners developed the methodology, fielded the survey and compiled the results.

Approximately three out of four respondents were technology decision-makers (CIOs or other IT managers or professionals), while 24 percent were senior managers, program managers or other business decision-makers. Approximately 67 percent came from the federal government (33 percent civilian, 34 percent defense) and 33 percent from state or local government agencies.

About this Report

This report was commissioned by the Content Solutions unit, an independent editorial arm of 1105 Government Information Group. Specific topics are chosen in response to interest from the vendor community; however, sponsors are not guaranteed content contribution or review of content before publication. For more information about 1105 Government Information Group Content Solutions, please email us at [email protected]
