Government officials continue to be concerned about cloud-based systems becoming a weak link in the security of their information technology enterprises, a new survey shows.
Security has been a concern since the Obama administration first began pushing agencies to migrate applications to the cloud in 2009. During the past four years, government and industry organizations have been working arduously to develop strategies to address those concerns.
Meanwhile, some security experts now argue that cloud computing could improve security. As they see it, the shift to the cloud could result in much simpler IT architectures – and the simpler the architecture, the easier it is to secure.
Yet concerns linger.
A survey of federal, state and local IT professionals found that 73 percent of respondents believe that cloud computing introduces new cybersecurity vulnerabilities. Only 19 percent say it could improve security, while 8 percent see no impact at all. (See chart.)
Forrester Research, an IT market research and consulting firm, has found similar results in its own studies.
“In Forrester’s Forrsights research program, we interview over 2,000 security decision-makers on a variety of security issues and topics,” Edward Ferrara, a principal analyst at Forrester, wrote in a recent blog post. “Cloud security tops the list of concerns regarding cloud deployments.”
However, Ferrara believes that the Federal Risk and Authorization Management Program (FedRAMP) could address some of those concerns in the federal space by providing a standardized approach for security assessment, authorization and continuous monitoring.
“This is a major step forward in the legitimization of cloud as a secure and capable application deployment platform,” Ferrara wrote.
The National Institute of Standards and Technology also is trying to address cloud-related security concerns. In June, NIST published a draft version of its forthcoming Cloud Computing Security Reference Architecture, which supplements the NIST Cloud Computing Reference Architecture published in 2011.
"The document's objective is to demystify the process of selecting cloud-based services that best address an agency's requirements in the most secure and efficient manner," Michaela Iorga, NIST Cloud Computing Security Working Group chairman, said in a statement.
Meanwhile, the commercial market is likely to invest more resources in addressing security concerns as the demand for cloud services increases, according to a January study by Gartner, an IT market research and consulting firm.
In time, public cloud services will come to be seen as critical infrastructure, compelling the development of better security solutions.
“Providers that lack the ability to offer compliant security controls to address critical infrastructure protection mandates will likely face sales difficulties in cloud environments and may be filtered from shortlists based on emerging critical infrastructure protection requirements,” said Lawrence Pingree, research director at Gartner, in a January press release.
In any case, some experts expect to see more organizations opting to play it safe and outsource cloud-related security services, rather than rely on their own experts.
“The increasing complexity of both IT and physical security requirements for commercial and government organizations will drive a shift towards outsourcing security to managed security service providers,” according to a report by Frost and Sullivan, an IT market research and consulting firm.