Finding security in the cloud

Pete Nicoletti is chief information security officer at Virtustream.


Despite all the traction cloud computing has gained in recent years, IDC is predicting even bigger things for the future. The federal government is projected to spend $7.7 billion on private cloud solutions by 2017, a nearly $6 billion increase from the projected $1.7 billion spent in 2014.

As federal agencies show increasing interest in the cloud, IT executives must understand how to navigate compliance programs, above all the Federal Risk and Authorization Management Program (FedRAMP), especially when it comes to managing security, costs and processes efficiently.

Furthermore, given the high volume of sensitive information and the myriad regulations in place for securing data and personally identifiable information — including the Federal Information Processing Standards and directives from the National Institute of Standards and Technology — agencies must be aware of the regulations they are subject to, the protections that their cloud providers offer and the differences between what they do in their managed environment and what they do in the customer environment.

It is also important to understand which aspects of an organization’s cloud strategy require complying with those regulations and which do not. For example, the IRS’ public-facing informational website does not require the same level of security as a portal that collects personally identifiable information. If the same levels of security are unnecessarily applied to an agency’s entire cloud model, it can result in increased costs and resource burdens that could otherwise be avoided.


CIOs, chief information security officers, chief technology officers, chief financial officers and other decision-makers navigating complex infrastructure-, software- and platform-as-a-service cloud offerings have much to consider when choosing a FedRAMP-compliant provider. Decision criteria must include optimizing the management of security and other costs while maximizing efficiency.

Another critical area for consideration is encryption, which is not currently mandated. Encryption is the key to any data protection program, but FedRAMP and NIST have not kept up with the bad guys and real-world threats in this regard. Old-school approaches to protecting data during all phases of its life cycle need rethinking.

With the latest advances in database and file server encryption, there is no reason for an agency not to deploy encryption. It can even be put in place before moving to the cloud. If encryption were deployed correctly and pervasively, we would see fewer news reports of hacked companies, China grabbing agencies’ personally identifiable information, and Edward Snowden divulging state secrets.

Another important consideration is visibility into operations. IT leaders need insight into the entire data-hosting network system — locally, regionally and globally — to ensure that compliance standards are met and that the provider is operating transparently. Areas outside the continental U.S. — including Hawaii — are risky places to base hosting services and cannot be considered for U.S. agency workloads.

Geolocation and geofencing ensure that operational changes do not move computing resources or associated data into a non-compliant environment at another data center, which could unknowingly be located in another city or even country.
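The geofencing control described above, together with the earlier point that a public informational site and a portal collecting personally identifiable information need different protections, can be expressed as a placement-policy check run against proposed operational changes. The following is an added example, not code from the article or from Virtustream; the region names, classification tiers, required-control sets and change events are constructed for illustration, and a real allow-list would come from the agency's authorization boundary.

```python
"""Placement-policy check (added example): flag operational changes that would
move a workload outside the approved geofence, or leave it without the
controls its data classification requires. All names and values are constructed."""
from dataclasses import dataclass

# Regions inside the approved hosting boundary (constructed allow-list).
APPROVED_REGIONS = {"us-east-1", "us-west-2", "us-gov-west-1"}

# Controls each classification tier must keep. Constructed tiers, not FedRAMP
# impact levels. A workload with an unknown or empty classification is held to
# the strictest tier so an unlabelled system fails closed rather than open.
REQUIRED_CONTROLS = {
    "public": set(),
    "internal": {"encryption_in_transit"},
    "pii": {"encryption_in_transit", "encryption_at_rest", "audit_logging"},
}
STRICTEST_TIER = "pii"


@dataclass(frozen=True)
class Placement:
    workload: str
    classification: str
    region: str
    controls: frozenset = frozenset()


def required_controls(classification):
    """Controls a tier must have; unknown tiers get the strictest set."""
    return REQUIRED_CONTROLS.get(classification, REQUIRED_CONTROLS[STRICTEST_TIER])


def evaluate(p):
    """Findings for a single placement: geofence breach and missing controls."""
    findings = []
    if p.region not in APPROVED_REGIONS:
        findings.append(f"{p.workload}: region {p.region!r} is outside the approved geofence")
    missing = required_controls(p.classification) - p.controls
    if missing:
        findings.append(f"{p.workload}: missing required controls {sorted(missing)}")
    return findings


def evaluate_change(current, proposed):
    """Findings for a proposed change, including silent control regressions:
    controls the workload has today that the proposal would drop, beyond the
    ones already reported as missing."""
    findings = evaluate(proposed)
    already_reported = required_controls(proposed.classification) - proposed.controls
    regressed = (current.controls - proposed.controls) - already_reported
    if regressed:
        findings.append(f"{proposed.workload}: change drops controls {sorted(regressed)}")
    return findings


def review(current, proposed):
    """Map each proposed placement to its findings; an empty list means approved."""
    report = {}
    for p in proposed:
        cur = current.get(p.workload)
        report[p.workload] = evaluate_change(cur, p) if cur else evaluate(p)
    return report


# Constructed current state and proposed changes, as a provider's change feed
# might present them. Names echo the article's IRS example but are invented.
CURRENT = {
    "irs-info-site": Placement("irs-info-site", "public", "us-east-1",
                               frozenset({"encryption_in_transit"})),
    "taxpayer-portal": Placement("taxpayer-portal", "pii", "us-gov-west-1",
                                 frozenset({"encryption_in_transit", "encryption_at_rest", "audit_logging"})),
}
PROPOSED = [
    # Public site moved between two approved regions: no finding expected.
    Placement("irs-info-site", "public", "us-west-2", frozenset({"encryption_in_transit"})),
    # PII portal moved to a region outside the geofence: must be flagged.
    Placement("taxpayer-portal", "pii", "ca-central-1",
              frozenset({"encryption_in_transit", "encryption_at_rest", "audit_logging"})),
    # New workload with no classification label: held to the strictest tier.
    Placement("legacy-batch", "", "us-east-1", frozenset()),
]

if __name__ == "__main__":
    for workload, findings in review(CURRENT, PROPOSED).items():
        print(workload, "->", findings or "approved")
```

The check treats an unlabelled workload as the most sensitive tier, which is the point of the article's classification argument read from the other side: the cost of over-protecting a public site is wasted money, but the cost of under-protecting a PII system because nobody tagged it is a breach, so the default should be the safe one.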

A perfect storm of digital opportunities, online threats, demands for accelerated system deployments and IT’s mandate to save money is creating a sense of urgency across the government. Selecting the right cloud provider is difficult enough; with the added challenge of navigating the compliance and regulation landscape, decision-makers must keep these tips in mind in order to keep their agencies operating in a secure, compliant, budget-conscious and efficient manner.

About the Author

Pete Nicoletti is chief information security officer at Virtustream.
