Comment

Securing the government cloud

Federal, state and city governments have deployed cloud services at an unprecedented rate in order to benefit from the cloud's operational and cost efficiencies. The federal government launched its Federal Risk and Authorization Management Program, or FedRAMP, to certify a consistent way for cloud service providers to offer security assessment, authorization and continuous monitoring to government organizations. State and city governments rely on third-party contractors to assess cloud providers for them.

What many government network defenders have forgotten is that security in a cloud environment is a shared responsibility. The cloud provider secures the underlying network and physical infrastructure, but the cloud customer is responsible for protecting its own data. FedRAMP and third-party certifications assure that the cloud provider is doing its part. But it is ultimately up to customers to ensure they are taking steps to prevent, detect and respond to cyber adversaries throughout the attack lifecycle.

Technology exists today that will allow network defenders to install the same kinds of prevention controls in cloud environments that they are used to deploying in their own perimeter networks. As commercial and government organizations race to deploy services in the cloud, network defenders will do best to remember that securing cloud environments is a shared responsibility. This means that the cloud provider protects its environment, but the customer protects its own data and systems.

Let's pause for a moment and appreciate how fast government organizations have grown to accept the cloud computing model as a viable way to do business. This is not typical. Federal, state and city organizations around the world are normally at least 10 years behind the commercial sector when it comes to adopting any new kind of technology.

Small budgets and bureaucratic process are two of the key reasons for this slow adoption speed. And when cloud environments initially became available in the mid-2000s, government network defenders were even more resistant to this new technology because it meant that they must allow third parties to store and process their government data. If you told me 10 years ago that government organizations would allow non-governmental entities to store and process government data, I would have eaten my hat.

But now, judging by the vendors displaying their services and the speaker topics at the most recent RSA Conference in San Francisco, it's clear that cloud computing is not just around the bend; it is here. Commercial and government organizations are racing to the cloud to set up shop because the economic incentives are too big to ignore. What has surprised me the most, though, is how quickly government organizations have changed their minds. I believe it demonstrates how strong the economic incentives are.

FedRAMP was launched in 2012 to certify a consistent way for cloud service providers to offer security assessment, authorization and continuous monitoring to government organizations. It does not, however, certify that the provider has a fully implemented prevention, detection and response program in place for its customers' data. That is not what the FedRAMP program is designed to do.

To get a sense of what FedRAMP does do in relation to customer data security, one only needs to look at its certification templates. There are three: Low Baseline, Moderate Baseline and High Baseline. Even the High Baseline template only outlines 17 specific security control categories, and they pertain to how the service provider secures its own environment, not to how it protects its customers' data.

When assessing cloud service providers, think about what it would take to prevent adversaries from stealing, manipulating or destroying data. In any program worth its salt, cloud service providers must offer complete visibility of customers' data, the smallest possible attack surface, automatic prevention of known threats, continuous discovery of new threats and the quick conversion of those into preventative measures.

If the cloud provider cannot deliver these services, then it is on the data owner to provide those competencies.

Draft versions of the pending White House cybersecurity executive order have wisely indicated a preference for leveraging shared services and modernizing government IT. While this would benefit several departments and agencies lacking the in-house resources to defend antiquated networks, it also heightens the need for awareness across the federal civilian IT community that FedRAMP is an important -- albeit insufficient -- measure to ensure security of data in the cloud.

About the Author

Rick Howard is CSO for Palo Alto Networks.
