Cloud computing: Is it secure enough?

Government officials should start now to understand the security implications and begin taking steps to protect their organizations as they adopt the cloud computing model.

Cloud computing might now officially be the hottest trend in enterprise computing, thanks in no small part to the Obama administration's public endorsements. But many federal chief information officers still lack a clear picture of the security and management challenges that come with moving data, applications and business processes into the information technology ether.

How does the cloud play with FISMA?

A team at the National Institute of Standards and Technology is preparing formal guidance scheduled for release this summer on cloud computing adoption. There will be a chapter devoted to security, but here is a preview from several government sources of how cloud computing strategies will mesh with agencies’ obligations under the Federal Information Security Management Act.

Pluses

NIST's FISMA team has determined that the existing NIST 800-53 "Recommended Security Controls for Federal Information Systems" guidance is applicable to cloud computing environments without alteration.

FISMA provides cloud computing vendors with a common set of security practices for their federal clients.

Standardized information technology infrastructures and in-house security expertise from cloud computing vendors might help agencies raise their FISMA scores.

Minuses

Cloud computing's multi-tenancy platforms and the lack of direct agency control over security could introduce new risks.

Clouds make organizational boundaries fuzzy, complicating definitions of what falls under FISMA evaluations.

FISMA snapshot audits make evaluations of cloud security difficult. However, NIST is planning to recommend that a single agency perform certifications and accreditations on behalf of other agencies and possibly the entire federal government.

The good news is that there are protections to guard against threats and mismanagement, and in some cases, the solutions rely on already familiar technologies.

Cloud computing received a major boost from President Barack Obama's fiscal 2010 budget request and a related White House report in May that called for a transformation of federal IT with the widespread adoption of the cloud delivery model.

Proponents such as federal CIO Vivek Kundra see greater efficiencies and lower costs when agencies partner with government or commercial service providers that deliver applications and IT resources through subscriptions for software, infrastructures and platforms. Yet most agencies have little experience with this new model.

The worries about cloud security aren’t entirely theoretical. Commercial cloud provider Google recently found a flaw in its Google Docs software-as-a-service application that inadvertently caused it to share user files. Elsewhere, an employee for SaaS provider Salesforce.com was duped by a phishing attack and leaked a customer list, said Chenxi Wang, principal analyst of security and risk management at Forrester Research. Both Google and Salesforce.com count numerous government agencies among their customers.

Agencies don’t need to go it alone as they try to put these early breaches into a larger security context. The National Institute of Standards and Technology is due to release formal guidance on cloud computing adoption this summer, with a chapter devoted to security.

In the meantime, as the administration and others push for clouds, agency officials and IT consultants said CIOs should start now to understand the security implications and begin taking steps to protect their organizations.

As part of the government’s new cloud computing push, the General Services Administration and the federal CIO Council are part of a working group that Kundra has charged with helping to explore the strategy’s implications.

“We in the working group believe that cloud computing offers the promise of improved security, through the sharing of a common infrastructure that lets agencies tap into a common pool of top information security experts,” said GSA CIO Casey Coleman.

But Coleman and others said clouds also experience all of the threats faced by in-house IT platforms, with two additional challenges.

Insider threats

Traditional IT security practices focus on strong outer shell defenses in the form of firewalls and intrusion detection systems. The value of that approach diminishes with cloud computing, said Peter Mell, NIST senior computer scientist and leader of the agency's cloud computing project.

“We’ve always needed a strong center, but in cloud computing, it’s become even more obvious that that’s necessary,” Mell said.

The reason is multi-tenancy, the industry term for serving various subscribers through a common pool of IT resources. Multi-tenancy differs from typical outsourcing and co-location arrangements in which clients run their applications and data on computer servers dedicated just to them. Multi-tenancy might provide data thieves with an opportunity for one-stop shopping, when, for example, a staff member from one client naively opens an e-mail attachment and lets in a virus.

“The possibility exists that if a hacker can get into one organization’s information it may then be able to move laterally and potentially get at everybody’s information,” said Jim Reavis, executive director of the Cloud Security Alliance.

Control issues

Rather than directly managing security for internal IT systems, cloud subscribers must indirectly depend on their service providers to put effective security practices in place and then maintain them. This lack of direct control might affect security in a number of ways.

For example, agencies no longer have their own privileged users, such as systems administrators with wide access rights to data and applications. Nor can they directly monitor or discipline the provider's privileged users to guard against missteps.

In addition, disposing of data and storage devices when they are no longer needed can be another challenge.

“How do you know the data’s really been deleted?” Reavis asked. “This brings up issues with how data is archived and how storage media is retired, to avoid a scenario where information starts showing up when those devices get recycled.”

Another concern is that because agencies aren’t responsible for storing their data, they need to identify not only the cloud provider’s main data centers but also the locations of its backup and archive facilities.

“Cloud providers operate on a global basis, and you can expect to run into regulatory conflicts if you don’t do your due diligence,” Reavis said.

New tactics

As formidable as these challenges may be, experts say overcoming them is not rocket science. The solutions may actually seem very familiar to agency CIOs.

“It’s more about rethinking — not reinventing — the enterprise security model,” said David Linthicum, principal at Booz Allen Hamilton. “Most of the things we have been doing in terms of security carry over nicely to cloud computing.”

These include a range of technologies for data encryption, data segregation and identity management. For example, data encryption and user IDs based on public identity certificates and Common Access Cards are tools being used by the Defense Information Systems Agency in its SaaS initiatives.

In addition, a series of access control measures can help guard against unauthorized data becoming available to cloud users operating in a multi-tenant environment, said Henry Sienkiewicz, DISA technical program director of computer services.

“Access control down to the individual layer, as well as even down possibly to individual data elements, becomes a crucial component,” Sienkiewicz said. “You build in intrusion detection not just on the external side; you build it on the internal side. You build in access control based on roles, responsibilities and content throughout the environment.”
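The controls Sienkiewicz describes, and the lateral-movement risk of multi-tenancy raised earlier by Reavis, can be shown in one small model. The following Python is an added illustration, not DISA's code or anything from the article: a shared record store serving two tenants, where every access is first checked against the record's owning tenant, then against the caller's role, and finally filtered field by field against the caller's clearance. Denied decisions go to an audit trail that an internal-side detector can count. The tenants, users, roles, field classifications and records are all constructed for the example.

```python
"""Tenant-scoped, role-based and field-level access control for a shared
(multi-tenant) record store, with an audit trail that internal-side
intrusion detection can consume.

Constructed example for illustration: the tenants, users, roles, field
classifications and records below are all assumed, not taken from any
real system or from the article.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

# Operations each role may perform (assumed role model).
ROLE_PERMISSIONS: Dict[str, set] = {
    "viewer": {"read"},
    "analyst": {"read", "update"},
    "admin": {"read", "update", "delete"},
}

# Field-level ("individual data element") classification. A field is
# returned only when the caller's clearance is at least the field's level;
# fields with no classification default to a level nobody reaches.
FIELD_LEVEL: Dict[str, int] = {"title": 0, "summary": 0, "notes": 1, "ssn": 2}
UNCLASSIFIED_FIELD_LEVEL = 99


@dataclass
class Principal:
    user: str
    tenant: str
    role: str
    clearance: int = 0


@dataclass
class Record:
    tenant: str            # owning tenant; every access is checked against it
    data: Dict[str, str]


class MultiTenantStore:
    """One shared pool of records serving several tenants (multi-tenancy)."""

    def __init__(self) -> None:
        self._records: Dict[str, Record] = {}
        self.audit: List[dict] = []   # every decision, allowed or denied

    def put(self, rec_id: str, record: Record) -> None:
        self._records[rec_id] = record

    def _log(self, p: Principal, rec_id: str, op: str, outcome: str) -> None:
        self.audit.append({"user": p.user, "tenant": p.tenant,
                           "record": rec_id, "op": op, "outcome": outcome})

    def _authorize(self, p: Principal, rec_id: str, op: str) -> Optional[Record]:
        rec = self._records.get(rec_id)
        # The tenant boundary is checked first, and a foreign record is
        # reported exactly like a missing one, so a caller cannot probe
        # what other tenants hold.
        if rec is None or rec.tenant != p.tenant:
            self._log(p, rec_id, op, "denied:tenant")
            return None
        if op not in ROLE_PERMISSIONS.get(p.role, set()):
            self._log(p, rec_id, op, "denied:role")
            return None
        self._log(p, rec_id, op, "allowed")
        return rec

    def read(self, p: Principal, rec_id: str) -> Optional[Dict[str, str]]:
        rec = self._authorize(p, rec_id, "read")
        if rec is None:
            return None
        # Content-based control: drop fields above the caller's clearance.
        return {k: v for k, v in rec.data.items()
                if FIELD_LEVEL.get(k, UNCLASSIFIED_FIELD_LEVEL) <= p.clearance}

    def delete(self, p: Principal, rec_id: str) -> bool:
        if self._authorize(p, rec_id, "delete") is None:
            return False
        del self._records[rec_id]
        return True

    def flagged_users(self, threshold: int) -> Dict[str, int]:
        """Internal-side detection: users whose denied accesses reach the
        threshold, a signal of probing across tenant or role boundaries."""
        denied = Counter(e["user"] for e in self.audit
                         if e["outcome"].startswith("denied"))
        return {u: n for u, n in denied.items() if n >= threshold}


def build_demo_store() -> MultiTenantStore:
    """Two tenants sharing one store (constructed sample data)."""
    store = MultiTenantStore()
    store.put("r1", Record("agency-a", {"title": "Case 1", "summary": "open",
                                        "notes": "internal", "ssn": "000-00-0000"}))
    store.put("r2", Record("agency-b", {"title": "Case 2", "summary": "open",
                                        "notes": "internal", "ssn": "111-11-1111"}))
    return store


if __name__ == "__main__":
    store = build_demo_store()
    alice = Principal("alice", "agency-a", "viewer", clearance=1)
    print(store.read(alice, "r1"))    # own tenant; ssn withheld (clearance 1 < 2)
    print(store.read(alice, "r2"))    # other tenant: None, logged as denied
    print(store.delete(alice, "r1"))  # viewer may not delete: False
    print(store.flagged_users(2))     # {'alice': 2}
```

The ordering of the checks is the design point: the tenant check runs before the role check and returns the same answer for "no such record" and "someone else's record", so a compromised account in one tenant learns nothing about what its neighbours store. The audit list is what an internal-side intrusion detection rule would consume; `flagged_users` is the simplest such rule, a count of denials per user.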

Although federal cloud subscribers don’t have to sweat the details of implementing those controls, they’re not completely off the hook when it comes to security. Cloud users must devote significant time and resources to evaluating cloud providers, and security consultants warn that these analyses shouldn’t be hasty, even if the cloud is managed by another federal agency.

Some cloud customers are following the advice of consultants and using the accounting industry’s SAS 70 Type II audits of internal controls or the ISO’s 27001 information security standards to assess cloud providers. Experts caution that these regimens offer only high-level security information.

“They’re good starting points because they give you a baseline of the vendor’s practices,” Wang said. “However, those audits are pretty subjective.”

In addition to those results, agencies should ask their own detailed questions about how the provider protects data, what happens to data once the contract ends, and what procedures are in place if agency data is ever breached.

“Ask for a service-level agreement that’s as detailed as possible about the recourse actions to cover your bases,” Wang said.

Some security experts recommended that agencies forgo traditional moment-in-time audits of a cloud’s security performance in favor of assessments that provide ongoing insights.

One choice, from a consortium that includes the Center for Strategic and International Studies, is the 20 Critical Controls, which promotes automatic and continuous security performance monitoring and draws on guidance from the National Security Agency, U.S. Computer Emergency Readiness Team, Defense Department and other federal sources.

“The foundation for the 20 controls is what vulnerabilities are attackers exploiting today, what controls are effective against those attacks, and how you can validate those controls with automated means,” said John Gilligan, an IT consultant and consortium member who formerly was CIO of the Air Force and Energy Department.

Agencies should ask cloud providers to provide their scores on the 20 Critical Controls as part of the bidding process during a procurement, said Alan Paller, director of research for the SANS Institute. Agencies should also insist that vendors continuously report results as part of any service-level agreement between an agency and provider.

Even after finding a cloud provider with the right security mechanisms and oversight in place, agencies should move slowly.

“It’s about selecting the right applications to move to a cloud-based service,” said Mark Nicolett, vice president and research director at Gartner. For most agencies it will be an application-by-application decision, with the lower-risk applications moving into a cloud environment first.

GSA’s Coleman said many of those decisions will go beyond weighing general security concerns related to clouds to considering what kinds of clouds are appropriate for individual applications.

“One of the key discussions will be private cloud vs. public cloud,” she said. “Cloud computing isn’t a one-size-fits-all solution. Depending on the problem you’re trying to solve, it may not be the right solution in every case.”
