Research Report: The Virtual Public Sector

Cloud security initiatives gain momentum

Security is consistently cited by agencies as one of the obstacles to cloud computing. But that could soon change, as various federal efforts to improve security in the cloud are beginning to gel and move in the same direction.

Perhaps the most important push came from the National Institute of Standards and Technology, which has taken the lead on cloud security for the federal government.

In June 2013, NIST published a draft of its Cloud Computing Security Reference Architecture (NIST Special Publication 500-292). The architecture is intended to “demystify the process of selecting cloud-based services that best address an agency's requirements in the most secure and efficient manner,” according to Michaela Iorga, chair of NIST’s Cloud Computing Security Working Group.

Then in March of this year, the Defense Department signaled a change in security compliance requirements. DOD CIO Teri Takai issued a memo formally dropping the need for systems and service providers to comply with the DOD Information Assurance Certification and Accreditation Process (DIACAP), adopting instead NIST’s risk-based approach to security.

In practical terms, this means that government cloud providers will no longer have to qualify under two sets of security requirements, since the Federal Risk and Authorization Management Program (FedRAMP) uses the NIST standards, though Takai said they’ll likely still have to meet additional DOD requirements.

Risk-based security: A safe bet

The idea of a risk-based approach to security has widespread support across the public and private sectors. The general sense is that the compliance-based approach, which is often characterized as checklist-driven, played an important role in helping agencies focus on security essentials, but that a more nuanced, adaptive approach was needed.

That was the concern with the original vision of the Federal Information Security Management Act. FISMA did help improve government security. But over time, many agencies simply took to ticking off the list of FISMA requirements in order to comply with the act’s mandates, and didn’t follow up. The result was agencies that looked very secure at the moment of a check, but whose security degraded in the interval between FISMA checks.

A risk-based approach is the next logical step, experts say. That includes members of SafeGov.org, an IT industry group led by former Office of Management and Budget e-government administrator Karen Evans. In a January report on cloud security, SafeGov.org urged agencies to move away from a compliance-based cybersecurity model to one that is risk-based “and focusing on how to most effectively secure their implementation of cloud services.”

In its report, titled “Staying Safe in Cyberspace: Cloud Security on the Horizon,” the group proposed a series of measures, devised after consultation with government officials, that it hopes will serve as a guide to agency CIOs “to reap the benefits of cloud technologies while keeping with today’s cybersecurity requirements.”

The risk-based approach to security that is the core of NIST’s reference architecture is equally applicable to public, private, community and hybrid clouds, according to NIST officials. Specifically, for each instance of what NIST calls a cloud ecosystem, the security components involved are analyzed in order to identify the level of involvement of each cloud “actor” that takes part in building that ecosystem: consumer, provider, broker, carrier and auditor.

The ultimate objective, NIST says, is to help cloud consumers determine which cloud service best addresses their needs in supporting their business- and mission-critical processes, in the most secure and efficient manner.

Such thinking is critical to cloud security, experts say.

“Secure clouds do exist today, and as with all things, there needs to be a larger discussion about what level of security is required for a specific application being hosted in the cloud,” said Jon Greaves, Chief Scientist and Chief Information Security Officer at Carpathia Inc. VMware is offering its vCloud Government Service through Carpathia.

Additionally, as Takai made clear, security is something that must be built into a system from the start and not “bolted on” after the fact.

But some experts also say that the NIST architecture is best seen as a starting point, not a full solution.

The main issue is that “NIST covers everything from soup to nuts and doesn’t have any prioritization,” according to John Pescatore, director of emerging security trends at the SANS Institute. Applying the NIST approach, and relying on such things as FedRAMP accreditation, may be fine for relatively standard cloud services such as email, but each agency will have its own security needs for other services, so NIST and FedRAMP should be understood as setting the baseline, not providing the total package.

Outside of these government-specific actions, there are more general industry developments that also promise to bolster cloud security. The Cloud Security Alliance is proposing a new standard for general network security called the software-defined perimeter (SDP), which the group said would be ideal for the cloud.

SDP, too, would incorporate NIST and DOD security standards, and would replace the notion that security must rely on fixed network perimeters and the use of firewalls and other devices to prevent attacks.

According to CSA, the perimeter-centric approach is rapidly becoming obsolete because the location of the perimeter is constantly shifting as a result of trends such as bring-your-own-device policies and infrastructure- and software-as-a-service. Additionally, agencies are seeing an increasing occurrence of phishing attacks, which give untrusted parties access inside the perimeter.

SDP would allow application owners to deploy perimeter functionality wherever it’s needed, CSA said, replacing physical appliances with logical components and allowing device access to an application infrastructure only after device attestation and verification of identity. Its software overlay nature also means it could be easily integrated into public, private or hybrid clouds.
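The access rule CSA describes (device attestation first, then identity verification, and nothing reachable otherwise) can be modelled as a default-deny decision in a controller. The block below is an added illustration written for this article, not CSA’s specification or any product’s code; the HMAC-signed attestation format, the shared key, the posture requirements and the identity directory are all constructed assumptions.

```python
import hashlib
import hmac
import json

# Constructed shared secret between the device agent and the SDP controller (demo only).
ATTESTATION_KEY = b"constructed-demo-key"
# Constructed identity directory: which applications each verified user may reach.
IDENTITY_DIRECTORY = {"analyst@agency.example": {"case-mgmt"}}
# Device posture the controller requires before it will broker any connection.
REQUIRED_POSTURE = {"disk_encrypted": True, "os_patched": True}
MAX_ATTESTATION_AGE = 300  # seconds; older attestations must be renewed


def _attestation_bytes(device_id, posture, issued_at):
    # Canonical encoding so agent and controller MAC exactly the same bytes.
    return json.dumps({"device_id": device_id, "posture": posture,
                       "issued_at": issued_at}, sort_keys=True).encode()


def sign_attestation(device_id, posture, issued_at, key=ATTESTATION_KEY):
    """Device-agent side: produce the attestation the controller will check."""
    mac = hmac.new(key, _attestation_bytes(device_id, posture, issued_at), hashlib.sha256)
    return {"device_id": device_id, "posture": posture,
            "issued_at": issued_at, "mac": mac.hexdigest()}


def verify_attestation(att, now, key=ATTESTATION_KEY):
    """Controller side: reject forged, stale or non-compliant device claims."""
    expected = hmac.new(key, _attestation_bytes(att["device_id"], att["posture"],
                                                att["issued_at"]), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, att["mac"]):
        return False, "attestation signature invalid"
    if now - att["issued_at"] > MAX_ATTESTATION_AGE:
        return False, "attestation stale"
    failed = [k for k, v in REQUIRED_POSTURE.items() if att["posture"].get(k) != v]
    if failed:
        return False, "posture check failed: " + ", ".join(failed)
    return True, "device attested"


def authorize(user, identity_verified, att, app, now):
    """Default-deny decision: the device, then the identity, must both pass."""
    ok, reason = verify_attestation(att, now)
    if not ok:
        return False, reason
    if not identity_verified:
        return False, "identity not verified"
    if app not in IDENTITY_DIRECTORY.get(user, set()):
        return False, "user not entitled to application"
    return True, "access granted to " + app
```

Each denial carries a reason string so the controller can log why a connection was refused, which is the signal a SOC would want when a phished credential is used from an unattested device.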