Comment

Securing the government cloud


Cloud service deployments at the federal, state and city levels have been unprecedented, as governments take advantage of the cloud's operational and cost efficiencies. The federal government launched its Federal Risk and Authorization Management Program, or FedRAMP, to certify a consistent way for cloud service providers to offer security assessment, authorization and continuous monitoring to government organizations. State and city governments rely on third-party contractors to assess cloud providers for them.

What many government network defenders have forgotten is that security in a cloud environment is a shared responsibility. The cloud provider secures the internet and physical infrastructure, but the cloud customer is responsible for protecting its own data. FedRAMP and third-party certifications assure that the cloud provider is doing its part. But it is ultimately up to customers to ensure they're taking steps to prevent, detect and respond to cyber adversaries during the attack lifecycle.

Technology exists today that will allow network defenders to install the same kinds of prevention controls in cloud environments that they are used to deploying in their own perimeter networks. As commercial and government organizations race to deploy services in the cloud, network defenders will do best to remember that securing cloud environments is a shared responsibility. This means that the cloud provider protects its environment, but the customer protects its own data and systems.

Let's pause for a moment and appreciate how fast government organizations have grown to accept the cloud computing model as a viable way to do business. This is not typical. Federal, state and city organizations around the world are normally at least 10 years behind the commercial sector when it comes to adopting any new kind of technology.

Small budgets and bureaucratic processes are two of the key reasons for this slow adoption speed. And when cloud environments initially became available in the mid-2000s, government network defenders were even more resistant to this new technology because it meant that they must allow third parties to store and process their government data. If you told me 10 years ago that government organizations would allow non-governmental entities to store and process government data, I would have eaten my hat.

But now, judging by the vendors displaying their services and the speaker topics at the most recent RSA Conference in San Francisco, it's clear that cloud computing is not just around the bend; it is here. Commercial and government organizations are racing to the cloud to set up shop because the economic incentives are too big to ignore. What has surprised me the most, though, is how quickly government organizations have changed their minds. I believe it demonstrates how strong the economic incentives are.

FedRAMP was launched in 2012 to certify a consistent way for cloud service providers to offer security assessment, authorization and continuous monitoring to government organizations. It does not, however, certify that the provider has a fully implemented prevention, detection and response program in place for its customers' data. That is not what the FedRAMP program is designed to do.

To get a sense of what FedRAMP does do related to customer data security, one only needs to look at its templates for certification. There are three: Low Baseline, Moderate Baseline and High Baseline. Even the High Baseline Template only outlines 17 specific security control categories that pertain to how the service provider secures its own environment, not how it protects its customers' data.

When assessing cloud service providers, think about what it would take to prevent adversaries from stealing, manipulating or destroying data. In any program worth its salt, cloud service providers must offer complete visibility of customers' data, the smallest possible attack surface, automatic prevention of known threats, continuous discovery of new threats and the quick conversion of those into preventative measures.

If the cloud provider cannot deliver these services, then it is on the data owner to provide those competencies.

Draft versions of the pending White House cybersecurity executive order have wisely indicated a preference for leveraging shared services and modernizing government IT. While this would benefit several departments and agencies lacking the in-house resources to defend antiquated networks, it also heightens the need for awareness across the federal civilian IT community that FedRAMP is an important -- albeit insufficient -- measure to ensure security of data in the cloud.

About the Author

Rick Howard is CSO for Palo Alto Networks.
