Finding security in the cloud
- By Pete Nicoletti
- Aug 07, 2015
(Pete Nicoletti / Virtustream)
Despite all the traction cloud computing has gained in recent years, IDC is predicting even bigger things for the future. The federal government is projected to spend $7.7 billion on private cloud solutions by 2017, a nearly $6 billion increase from the projected $1.7 billion spent in 2014.
As federal agencies show increasing interest in the cloud, IT executives must understand how to navigate compliance programs, particularly the Federal Risk and Authorization Management Program (FedRAMP) and particularly when it comes to managing security, costs and processes efficiently.
Furthermore, given the high volume of sensitive information and the myriad regulations in place for securing data and personally identifiable information — including the Federal Information Processing Standards and directives from the National Institute of Standards and Technology — agencies must be aware of the regulations they are subject to, the protections that their cloud providers offer and the differences between what they do in their managed environment and what they do in the customer environment.
It is also important to understand which aspects of an organization’s cloud strategy require complying with those regulations and which do not. For example, the IRS’ public-facing informational website does not require the same level of security as a portal that collects personally identifiable information. If the same levels of security are unnecessarily applied to an agency’s entire cloud model, it can result in increased costs and resource burdens that could otherwise be avoided.
Agencies must be aware of the regulations they are subject to and the protections that their cloud providers offer.
CIOs, chief information security officers, chief technology officers, chief financial officers and other decision-makers navigating complex infrastructure-, software- and platform-as-a-service cloud offerings have much to consider when choosing a FedRAMP-compliant provider. Decision criteria must include optimizing the management of security and other costs while maximizing efficiency.
Another critical area for consideration is encryption, which is not currently mandated. Encryption is the key to any data protection program, but FedRAMP and NIST have not kept up with the bad guys and real-world threats in this regard. Old-school approaches to protecting data during all phases of its life cycle need rethinking.
With the latest advances in database and file server encryption, there is no reason for an agency not to deploy encryption. It can even be put in place before moving to the cloud. If encryption were deployed correctly and pervasively, we would see fewer news reports of hacked companies, China grabbing agencies’ personally identifiable information, and Edward Snowden divulging state secrets.
Another important consideration is visibility into operations. IT leaders need insight into the entire data-hosting network system — locally, regionally and globally — to ensure that compliance standards are met and that the provider is operating transparently. Areas outside the continental U.S. — including Hawaii — are risky places to base hosting services and cannot be considered for U.S. agency workloads.
Geolocation and geofencing ensure that operational changes do not move computing resources or associated data into a non-compliant environment at another data center, which could unknowingly be located in another city or even country.
A perfect storm of digital opportunities, online threats, demands for accelerated system deployments and IT’s mandate to save money is creating a sense of urgency across the government. Selecting the right cloud provider is difficult enough; with the added challenge of navigating the compliance and regulation landscape, decision-makers must keep these tips in mind in order to keep their agencies operating in a secure, compliant, budget-conscious and efficient manner.
Pete Nicoletti is chief information security officer at Virtustream.