Attitudes about cloud security continue to shift

The cloud, in its many forms, has been and still is a perplexing proposition for government. With its promise of enabling organizations to offload much of their IT infrastructure concerns to a managed, shared and less costly environment, it’s naturally attracted a lot of interest. But security concerns continue to dog its uptake in government.

That dynamic was visible yet again when David Bennett, chief information officer at the Defense Information Systems Agency (DISA), recently told an industry meeting in Washington, D.C., that moving some things to the cloud was very viable for agencies, but that the “crown jewels” of agency data need to stay within the defensive security perimeter.

Yet, according to the Cloud Security Alliance (CSA), cloud-related security concerns now tend to run more along the lines of general worries about security that affect all aspects of IT — data breaches, data loss, denial of service, malicious insiders— than about insecurity of the cloud itself. In a report on the threats against the cloud that people most worried about in 2013, CSA found abuse of cloud services had dropped from first in 2010 to seventh.

“This threat is more of an issue for cloud service providers than cloud consumers,” the report states, “but it does raise a number of serious implications for those providers. How will you detect people abusing your service? How will you define abuse? How will you prevent them from doing it again?”

Government solutions provider CDWG believes the persistent claim that the cloud compromises security should be laid to rest, since cloud providers now are required to use advanced best-in-class server technology and have to use internationally recognized security standards.

However, Shane Zide, a cloud client executive at CDWG, said cloud users must make sure providers prove they have the necessary security for all the various flavors of cloud services they provide, including addressing their potential points of failure, which could belong to the user.

“All cloud vendors are not created equal,” Zide said, “neither is their security design and protection from internal and outside threats.”

Vendors must also answer general questions such as specifics about how they will protect agency applications in the cloud, what kind of authentication is provided, the level of encryption used for data at rest and how agency DLP policies square with what they offer.

Government organizations have gotten some help with these issues with the development of the Federal Risk and Authorization Management Program (FedRAMP), a joint government/industry effort that certifies that cloud providers meet various government security requirements. All cloud providers that federal agencies use must now be FedRAMP-certified, though agencies are still responsible for ensuring that the security for resources moved to the cloud meets government requirements.

In 2013, NIST also published a draft of its “Cloud Computing Security Reference Architecture” (SP 500- 299), which sets out a risk-based framework for moving applications and services to the cloud.

The aim, said Michaela Iorga, chairman of NIST’s Cloud Computing Security Working Group, is to “demystify the process of selecting cloud-based services that best address an agency’s requirements in the most secure and efficient manner.”

However, while these NIST-driven approaches set a single set of cloud security standards across government, they are also necessarily a broad-brush approach. Agencies must go beyond them to make sure providers can meet all of their specific security requirements. Early in 2013, for example, the Defense Department dropped its own security accreditation process in favor of NIST’s risk-based approach, but also warned government cloud providers that they would still have to meet additional DOD needs.

Cloud security will also have to keep developing to meet future challenges, not least of which come from mobile technology, in particular BYOD. The current trend toward more targeted attacks means organizations should also expect there will be untrusted access at some point inside current security perimeters.

To grapple with these problems, and to cope with the headaches caused by such things as Infrastructure-as-a-Service, where the perimeter is constantly shifting, CSA has proposed a new standard for network security that it says would also accommodate cloud needs. Called the Software Defined Perimeter (SDP), it too incorporates NIST standards. And, at the beginning of 2014, the IT industry group also proposed its own risk-based approach to cloud security.