Finding security in the cloud

Pete Nicoletti is chief information security officer at Virtustream.


Despite all the traction cloud computing has gained in recent years, IDC is predicting even bigger things for the future. The federal government is projected to spend $7.7 billion on private cloud solutions by 2017, a nearly $6 billion increase from the projected $1.7 billion spent in 2014.

As federal agencies show increasing interest in the cloud, IT executives must understand how to navigate compliance programs, particularly the Federal Risk and Authorization Management Program (FedRAMP), especially when it comes to managing security, costs and processes efficiently.

Furthermore, given the high volume of sensitive information and the myriad regulations in place for securing data and personally identifiable information — including the Federal Information Processing Standards and directives from the National Institute of Standards and Technology — agencies must be aware of the regulations they are subject to, the protections that their cloud providers offer and the differences between what they do in their managed environment and what they do in the customer environment.

It is also important to understand which aspects of an organization’s cloud strategy require complying with those regulations and which do not. For example, the IRS’ public-facing informational website does not require the same level of security as a portal that collects personally identifiable information. If the same levels of security are unnecessarily applied to an agency’s entire cloud model, it can result in increased costs and resource burdens that could otherwise be avoided.


CIOs, chief information security officers, chief technology officers, chief financial officers and other decision-makers navigating complex infrastructure-, software- and platform-as-a-service cloud offerings have much to consider when choosing a FedRAMP-compliant provider. Decision criteria must include optimizing the management of security and other costs while maximizing efficiency.

Another critical area for consideration is encryption, which is not currently mandated. Encryption is the key to any data protection program, but FedRAMP and NIST have not kept up with the bad guys and real-world threats in this regard. Old-school approaches to protecting data during all phases of its life cycle need rethinking.

With the latest advances in database and file server encryption, there is no reason for an agency not to deploy encryption. It can even be put in place before moving to the cloud. If encryption were deployed correctly and pervasively, we would see fewer news reports of hacked companies, China grabbing agencies’ personally identifiable information, and Edward Snowden divulging state secrets.

Another important consideration is visibility into operations. IT leaders need insight into the entire data-hosting network system — locally, regionally and globally — to ensure that compliance standards are met and that the provider is operating transparently. Areas outside the continental U.S. — including Hawaii — are risky places to base hosting services and cannot be considered for U.S. agency workloads.

Geolocation and geofencing ensure that operational changes do not move computing resources or associated data into a non-compliant environment at another data center, which could unknowingly be located in another city or even country.

A perfect storm of digital opportunities, online threats, demands for accelerated system deployments and IT’s mandate to save money is creating a sense of urgency across the government. Selecting the right cloud provider is difficult enough; with the added challenge of navigating the compliance and regulation landscape, decision-makers must keep these tips in mind in order to keep their agencies operating in a secure, compliant, budget-conscious and efficient manner.
