Cloud security may be the easiest problem to solve

Despite the talk about the security risks of cloud computing, security may actually be the simplest of cloud's problems to solve, governmentt and industry officials said June 22 that security concerns could be the simplest issue to be solved in the federal adoption of cloud computing.

“Security is the most soluble problem that the cloud has,” up to moderate risk levels, said Bill Perlowitz, vice president of advanced technology at Apptis, a government integrator.

A lack of expertise in cloud security, management and administration, particularly in government, could slow the move to the cloud if agencies become overly cautious, officials warned.

Related stories:

What's missing from cloud security

NIST guide tackles security challenges of public cloud computing

The greatest threat to government cloud computing today is “the perfect being the enemy of the good,” said Greg Elin, chief data officer for the Federal Communications Commission.

Cloud computing is a pay-as-you-go service model in which a third party provides computing capacity as a service, allowing the rapid addition of resources as needed without a capital investment in infrastructure for the customer.

The Obama administration has made moving to the cloud a priority for executive branch agencies, and the General Services Administration is leading the effort. The Federal Risk and Authorization Management Program, FedRAMP, is intended to provide a standard, cross-agency approach to providing the security assessment and authorization for agencies to use the services required under the Federal Information Security Management Act.

FISMA requires that the security of IT systems used by agencies be assessed and receive an authorization to operate, and this applies to systems operated by cloud service providers. GSA already has provided Authorization to Operate for a dozen cloud service providers with GSA contracts, but their use by other agencies requires the agencies to accept GSA’s decision. FedRAMP is intended to provide a centralized scheme that uses consensus requirements that can be accepted across government. The requirements are aligned with security controls specified by the National Institute of Standards and Technology for FISMA compliance.

A draft of FedRAMP requirements was released for comment in October 2010, and the final release of first version was expected by December. But the comment period was extended through January 2011 and the release delayed.

Sanjeev Bhagowalia, deputy associate administrator in GSA’s Office of Citizen Services and Innovative Technologies, said at a conference held in Washington by the local chapter of the Cloud Security Alliance that the final review now is under way and a release is expected soon.

The goal of FedRAMP is not perfect security, which is impossible.

“FedRAMP is not going to produce anything,” except a set of agreed-upon standards, said Kellie Lewin, director of GSA’s cloud computing program. “FedRAMP is trying to put the risk back into security management.”

Accepting that some risk is inevitable in moving to the cloud and having a system to manage that risk is necessary Elin said. “Data is going to be spilled,” he said. “This is not about pretending we can stop it from happening.”

Managing risk becomes a greater challenge because of the shortage of qualified government technical workers with expertise in cloud computing. Because of this, moving data and services into the cloud will have to be done cautiously, with the least critical and sensitive applications going first.

“Not everything will go to the cloud,” Lewin said. It is being estimated that about a quarter of the government’s $80 billion annual IT budget could be shifted to the cloud. One early candidate is public facing websites, Lewin said. “That’s a no-brainer.” GSA also is in the process of rolling out e-mail service from Google.

Bhagowalia said that the goal of GSA’s cloud computing program is not an elegant finished solution, but a practical, mission-oriented program that can begin providing savings and greater flexibility in the short term.

Given the shortage of experience and the number of technical, political and policy questions yet to be resolved, missteps are inevitable, Perlowitz said. “But if we wait until its perfect, we will never deploy.”

About the Author

William Jackson is a Maryland-based freelance writer.

Cyber. Covered.

Government Cyber Insider tracks the technologies, policies, threats and emerging solutions that shape the cybersecurity landscape.


Reader comments

Fri, Jul 8, 2011 Dennis Mobile, AL

The cloud is the ultimate in non-security, and enables total governmental and corporate surveillance of electronic media. On the positive side, this should spur activity in developing alternative stand alone operating platforms.

Tue, Jul 5, 2011 Mike

GSA has not granted ATOs to the 12 CSPs under GSA contract. GSA, on 30 Jun 11, granted the first cloud ATO to Eyak Technology. The task of determining governance, compliance and risk in federal cloud computing is not something that I would paraphase as easy.

Thu, Jun 23, 2011 RayW

The only secure system is one not available to the outside world. The most secure system is one that is in the O F F position and locked in a vault.

If you distribute your data across several computers and make it available anywhere, that only makes it easier for an intruder to find a way in via some other side program that you (as that 'cloud' formation's security guru) may not know about since it is via someone else's 'cloud' formation. How many times have we heard of an exploit in area B caused by a weakness in area A that allowed an intruder to gain access to supposedly secure information? Look at what they (Chinese in particular) are doing today and we are not even vey 'cloudy' yet.

Personally I love the 'cloud'. The way government systems have to crisscross the country just to access local data makes for a lot of reading time. I have been catching up on my recreational reading a lot lately as the government computer network bogs down for doing a simple task like accessing a database in another building. The 'cloud' concept has the potential to give even more reading time.

Yes, the 'cloud' is great for those who do not go into work, they can access their data anywhere. For those of us who were smart enough to work in a better environment and can live closer to work, it will probably be a slowdown.

It is coming. Too many companies have a lot of money invested in making the 'cloud' concept work. Microsoft has been touting this for many years (at least the 90's) since it is one of the best ways to gain more control over the use of software and get away from folks not paying to upgrade when told to but staying on software they bought years ago that works fine. Now they can force you to upgrade, collect payments on a regular basis, and have more control (yes, one of the facets of the 'cloud' I have seen discussed over the years is to have your programs on the 'cloud' and you pay a rental fee every time you accessed the editor, the spreadsheet, etc., just like back in the days of IBM and the other mainframe giants).

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above

More from 1105 Public Sector Media Group