Securing the government cloud

Cloud service deployments at the federal, state and city levels that benefit from the cloud's operational and cost efficiencies have been unprecedented. The federal government launched its Federal Risk and Authorization Management Program, or FedRAMP, to certify a consistent way for cloud service providers to offer security assessment, authorizations and continuous monitoring to government organizations. State and city governments rely on third-party contractors to assess cloud providers for them.

What many government network defenders have forgotten is that security in a cloud environment is a shared responsibility. The cloud provider secures the internet and physical infrastructure, but the cloud customer is responsible for protecting its own data. FedRAMP and third-party certifications assure that the cloud provider is doing its part. But it is ultimately up to customers to ensure they're taking steps to prevent, detect and respond to cyber adversaries during the attack lifecycle.

Technology exists today that will allow network defenders to install the same kinds of prevention controls in cloud environments that they are used to deploying in their own perimeter networks. As commercial and government organizations race to deploy services in the cloud, network defenders will do best to remember that securing cloud environments is a shared responsibility. This means that the cloud provider protects its environment, but the customer protects its own data and systems.

Let's pause for a moment and appreciate how fast government organizations have grown to accept the cloud computing model as a viable way to do business. This is not typical. Federal, state and city organizations around the world are normally at least 10 years behind the commercial sector when it comes to adopting any new kind of technology.

Small budgets and bureaucratic process are two of the key reasons for this slow adoption speed. And when cloud environments initially became available in the mid-2000s, government network defenders were even more resistant to this new technology because it meant that they must allow third parties to store and process their government data. If you told me 10 years ago that government organizations would allow non-governmental entities to store and process government data, I would have eaten my hat.

But now, judging by the vendors displaying their services and the speaker topics at the most recent RSA Conference in San Francisco, it's clear that cloud computing is not just around the bend; it is here. Commercial and government organizations are racing to the cloud to set up shop because the economic incentives are too big to ignore. What has surprised me the most, though, is how quickly government organizations have changed their minds. I believe it demonstrates how strong the economic incentives are.

FedRAMP was launched in 2012 to certify a consistent way for cloud service providers to offers security assessment, authorizations and continuous monitoring to government organizations, it does not, however, certify that the provider has a fully implemented prevention, detection and response program in place for its customers' data. That is not what the FedRAMP program is designed to do.

To get a sense of what FedRAMP does do related to customer data security, one only needs to look at its templates for certification. There are three: Low Baseline, Moderate Baseline and High Baseline. Even the High Baseline Template only outlines 17 specific security control categories that pertain to how the service provider secures its own environment, not how it protects its customers' data.

When assessing cloud service providers, think about what it would take to prevent adversaries from stealing, manipulating or destroying data. In any program worth its salt, cloud service providers must offer complete visibility of customers' data, the smallest possible attack surface, automatic prevention of known threats, continuous discovery of new threats and the quick conversion of those into preventative measures.

If the cloud provider cannot deliver these services, then it is on the data owner to provide those competencies.

Draft versions of the pending White House cybersecurity executive order have wisely indicated a preference for leveraging shared services and modernizing government IT. While this would benefit several departments and agencies lacking the in-house resources to defend antiquated networks, it also heightens the need for awareness across the federal civilian IT community that FedRAMP is an important -- albeit insufficient -- measure to ensure security of data in the cloud.