Risk and reward in the cloud: How to attack security concerns.

Richard Moulds is vice president of product management and strategy at Thales e-Security.

The Obama administration’s cloud-first strategy is designed to lower IT costs and consolidate federal data centers through the adoption of cloud-based applications. The new policy requires agencies to identify three IT services that can be migrated to cloud computing applications.

However, many government organizations are rightfully concerned about the security of sensitive data, and creating a protected cloud environment is not easy. Generally, the adoption of a data-centric approach to security provides a strong starting point. Here are some strategies for applying data security and maintaining control.

1. Rely on cryptography to secure data in the cloud. Cryptography has long been proven to maintain confidentiality by rendering data unreadable to anyone who cannot convert it back to its original form. That means that if a data breach occurs, the stolen data is useless to the attacker: it is readable only with the correct "key," the secret string of bits used for decryption.

When assessing cloud providers' security claims, start from the classification of the data that will be sent and, from that, the security criteria that apply. What "secure" really means comes down to a number of factors, but at the top of the list are the data's value, the impact its loss would have and the likelihood of its being attacked.

2. Determine who is responsible for protecting cloud data. Either the cloud provider takes responsibility for protecting the data or it does not. If it does not, the government agency must encrypt the data itself before it leaves the agency's environment, so that only already-encrypted data is ever stored in the cloud and a breach at the provider exposes nothing usable. Because the provider cannot search, sort or otherwise process data it cannot read, that approach limits the operations that can be performed in the cloud.

3. Take a proactive approach to key management. Central to the overall encryption security model is the question of who controls the keys and who can access them. For network-level or basic storage-level encryption, the keys are typically owned and controlled by the cloud provider.

Such keys span multiple tenants, none of whom has any control over them. A multilayer approach of that kind gives a reliable level of protection against outsiders but delivers nothing in terms of segregation between tenants. The only way to achieve isolation between tenants is to dedicate keys to each, while recognizing that even those keys will probably be controlled by, or at least accessible to, the cloud provider. That constitutes a potential insider threat, which is an unacceptable risk for many.

Some government users of cloud services might have no choice but to manage the keys within their own environment. That matters because, at the end of the day, it is the agency that is held accountable for protecting the data.
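The pattern described in points 2 and 3, encrypting on the agency side with a key dedicated to each tenant and handing the provider nothing but ciphertext, can be shown in a few dozen lines. The following Go program is an added illustration, not code from the original article or from Thales; it uses AES-256-GCM from the standard library, keeps the per-tenant keys in an in-memory map standing in for the agency's own key manager (an assumption made so the example runs stand-alone), and models the cloud as a map of opaque blobs. The object name is bound into the ciphertext as associated data, so a blob served back under a different name is rejected along with any blob decrypted with another tenant's key.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// TenantKeys is the agency-side key store: one random 256-bit AES key per tenant.
// Assumption: a real deployment would back this with an HSM or on-premises key
// manager; an in-memory map is used here so the example runs on its own.
type TenantKeys struct{ Keys map[string][]byte }

func NewTenantKeys() *TenantKeys { return &TenantKeys{Keys: map[string][]byte{}} }

// Provision generates a fresh key for a tenant. The key never leaves the agency side.
func (t *TenantKeys) Provision(tenant string) error {
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		return err
	}
	t.Keys[tenant] = k
	return nil
}

// CloudStore models what the provider actually holds: opaque blobs by object name.
type CloudStore struct{ Objects map[string][]byte }

func NewCloudStore() *CloudStore { return &CloudStore{Objects: map[string][]byte{}} }

func aeadFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts plaintext with AES-256-GCM and returns nonce||ciphertext||tag.
// The object name is authenticated as associated data so the blob cannot later
// be served under another name without the tag check failing.
func Seal(key []byte, name string, plaintext []byte) ([]byte, error) {
	aead, err := aeadFor(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, []byte(name)), nil
}

// Open reverses Seal; a wrong key, wrong name or modified byte yields an error, not garbage.
func Open(key []byte, name string, blob []byte) ([]byte, error) {
	aead, err := aeadFor(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < aead.NonceSize() {
		return nil, errors.New("blob too short to contain a nonce")
	}
	nonce, ct := blob[:aead.NonceSize()], blob[aead.NonceSize():]
	return aead.Open(nil, nonce, ct, []byte(name))
}

// Upload encrypts on the agency side and hands only ciphertext to the provider.
func Upload(keys *TenantKeys, store *CloudStore, tenant, name string, plaintext []byte) error {
	k, ok := keys.Keys[tenant]
	if !ok {
		return fmt.Errorf("no key provisioned for tenant %q", tenant)
	}
	blob, err := Seal(k, name, plaintext)
	if err != nil {
		return err
	}
	store.Objects[name] = blob
	return nil
}

// Download fetches the blob and decrypts it with the requesting tenant's own key only.
func Download(keys *TenantKeys, store *CloudStore, tenant, name string) ([]byte, error) {
	k, ok := keys.Keys[tenant]
	if !ok {
		return nil, fmt.Errorf("no key provisioned for tenant %q", tenant)
	}
	blob, ok := store.Objects[name]
	if !ok {
		return nil, fmt.Errorf("object %q not found", name)
	}
	return Open(k, name, blob)
}

func main() {
	keys, store := NewTenantKeys(), NewCloudStore()
	_ = keys.Provision("agency-a")
	_ = keys.Provision("agency-b")
	record := []byte("employee record 42: background check pending") // constructed sample
	if err := Upload(keys, store, "agency-a", "a/record1", record); err != nil {
		panic(err)
	}
	fmt.Println("provider sees plaintext:", bytes.Contains(store.Objects["a/record1"], record))
	_, err := Download(keys, store, "agency-b", "a/record1")
	fmt.Println("tenant b decrypting tenant a's object:", err)
}
```

The point of the example is the shape of the trust boundary rather than the cipher: the provider stores and serves bytes it cannot interpret, each tenant's key is independent, and the authentication tag turns every cross-tenant, renaming or tampering attempt into an explicit error. Moving the key map into an HSM or on-premises key manager, as point 4 recommends, changes where the keys live but not this structure.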

4. Add another level of trustworthiness. Wherever encryption is deployed and whoever is responsible for key management, it is important to assess the trustworthiness of the systems that hold the keys. Although well-vetted encryption algorithms are unbreakable for practical purposes, they are worthless if the keys can easily be stolen or misused. Government agencies have known this for years. To deliver the necessary levels of assurance in the cloud, agencies must keep keys in tamper-resistant systems, such as hardware security modules (HSMs).

The cloud opens opportunities for government organizations to address seemingly conflicting goals, namely increased flexibility, capacity and responsiveness, while simultaneously lowering costs. Agencies must evaluate their data security requirements and then identify the security level that meets them. Strong cryptography protects the data and delivers strong segregation, and the wise use of key management provides the means to retain control.
