
Homeland Security Less Worried About a Public Cloud Threat
Many government agencies, including the Dept. of Homeland Security, have already started the process of transitioning their services to cloud-based deployment models, pursuant to what it calls a "Cloud First" policy for assessing any new technologies it procures. However, these are private clouds - in essence, pooled hardware resources that create a platform for virtualized environments. They may nevertheless be closed off, though certain services that deal with non-sensitive information - especially public-facing Web sites - do borrow resources from public cloud providers.
"While private clouds incorporate new technologies that may be challenging to secure," stated DHS CIO Richard A. Spires, "public clouds introduce additional risks that must be addressed through controls and contract provisions that ensure appropriate accountability and visibility. Although many distinctions can be drawn between public and private cloud computing, a fundamental measure of readiness is their ability to meet security requirements."
The government's official assessment and authorization policy for hardware, software, and services related to cloud deployments is called FedRAMP. Think of it as a cloud for the cloud: Since cloud deployments are often comprised of multiple, incremental buildouts of the same nodes, FedRAMP is designed to let an existing assessment for a common, probably commoditized piece of innovation apply to future purchases like a template. The policy's catch phrase is, "Approve Once, Use Often."
Spires went on: "For public clouds, there is a 'visibility gap' between the provider and customer, in which they cannot see into each other's management, operational, and technical infrastructure, and procedures. As such, the visibility gap must be reduced through a series of requirements for contractual reporting and technical auditing and continuous monitoring data feeds. The key to secure use of cloud computing is the shared understanding of the division of security responsibilities between provider and client, and the ability to verify that both are meeting their responsibilities. As DHS advances in the use of public cloud computing, we will be ensuring we have the proper visibility based on a determination of risk given the cloud service and underlying data in order to ensure the security of our information."
Cloud deployments, either public or private, assume a trust relationship between government and private vendors. However, individuals working within government agencies are worried that vendors may not rise to the occasion, according to the GAO. "The use of cloud computing can also create numerous information security risks for federal agencies," reported the GAO's information issues director, Gregory Wilshusen. "In response to our survey, 22 of 24 major agencies reported that they are either concerned or very concerned about the potential information security risks associated with cloud computing. Several of these risks relate to being dependent on a vendor's security assurances and practices. Specifically, several agencies stated concerns about 1) the opportunity that ineffective or non-compliant service provider security controls could lead to vulnerabilities affecting the confidentiality, integrity, and availability of agency information; 2) the potential loss of governance and physical control over agency data and information when an agency cedes control to the provider for the performance of certain security controls and practices; and 3) potentially inadequate background security investigations for service provider employees that could lead to an increased risk of wrongful activities by malicious insiders."
"Right now, there is no standard mechanism to evaluate common services from different providers against one another," Brown told Congress. He went on to describe a new consortium for cloud service measurement that CA developed in conjunction with Carnegie Mellon, the State of Colorado, and professional services firm Accenture. CSMIC, he said, "can be used to measure and compare a business service using a common language and evaluation process. A high level representation of the characteristics and questions the CSMIC seeks to address is included as an attachment to my testimony today. In conjunction with standard recognition of cloud services authorized in accordance with the FedRAMP program, the use of a framework like SMI in government procurements will enhance the analysis of competing cloud services and lead to greater standardization of solutions. As such, CA Technologies encourages the U.S. government to investigate using the SMI to encourage data-driven decision making on cloud acquisitions."