Cloud security through a FedRAMP future
Whether real or imagined, security concerns have dampened cloud’s acceptance
Security remains by far the most important issue for agencies that are thinking of using the cloud to deliver services, and they are still particularly leery of using the public cloud. For that reason, most agency cloud initiatives to date use private clouds, where the data resides behind the agency firewall.
The reasons are well known. Most public clouds are multi-tenant, which means that agency data at some point resides close to data from other, non-government users of the cloud, and the fear among government users is that their bits will comingle with those from others and government data could be corrupted or lost.
Added to that is the fear that agencies could never really know exactly where their data is at any given time. With the dynamic nature of the cloud, their data could be in a server that’s housed next to the government building the agency occupies, or it could be in a server halfway around the world.
That fear is somewhat overblown, some industry observers say, or at least the fear that security in the cloud is any weaker than elsewhere is not warranted.
“Show me a study that says the enterprise is more secure than the cloud,” said Steve O’Keeffe, founder of MeriTalk, whose recent study “Cloudy with a Chance of Savings” confirmed that fear is still dominant. “You won’t find one.”
Tom Simmons, area vice president of the U.S. Public Sector at Citrix Systems, is a little more conciliatory. Given what agencies have to protect and the laws they have to operate under, he understands government has to be very security conscious. If there is potential comingling of data in the public cloud, then you do have to pay more attention to such things as encrypting the data packets and the transport, he said.
“That’s where industry has both the challenge and the obligation to show how the technology today will address and satisfy those security requirements, such that agencies are not going to risk anything by moving to the cloud,” he said.
The best chance for industry to do that might lie with the government’s new Federal Risk and Authorization Management Program, through which vendors will be able to get a government-recognized security authorization for a particular cloud product or service.
FedRAMP will provide a standardized way to examine cloud products and assess their security, authorization and continuous monitoring capabilities. It’s expected to be launched this June, though it could take another couple of years before it’s fully up and running.
Agencies do have their concerns about FedRAMP. One of the biggest is doubt about how it will be able to cover all their particular security concerns, because individual agencies say they have security requirements that are specific to them and their missions.
“FedRAMP could help with [cloud security], but agencies are not yet sure what it will look like when it’s finally implemented,” said Deniece Peterson, senior manager of federal industry analysis at Deltek.
Simmons said the concepts behind FedRAMP are well accepted across government, but its effectiveness will have to be proved. That proof will come with the first critical applications and cloud services that get the FedRAMP stamp of approval, and with whether they then have useful and meaningful implementations in the cloud without any breaches of security.
“Personally, I believe the processes and stated objectives of FedRAMP are right on,” he said. “I think this will be the opportunity for industry to prove ourselves, to put our cloud services through the FedRAMP process and show that our solutions are, indeed, secure, that they perform and that they add value.”