This may seem as Clintonian as it possibly gets, but the answer to whether the U.S. Government is concerned about the possible dangers of transitioning its information services to the cloud, truly depends on your definition of the word “the.”
Many government agencies including the Dept. of Homeland Security (DHS) have already started the process of transitioning their services to cloud-based deployment models, under what it calls a “Cloud First” policy for assessing any new technologies it procures. But these are private clouds – essentially, pooled hardware resources that create a platform for virtualized environments. They may still be closed off, although certain services that deal with non-sensitive information – especially public-facing Web sites – do borrow resources from public cloud providers.
There is the public cloud and the private cloud, and it isn’t clear to lawmakers where the differences lie.
The fear among members of Congress yesterday (when an election year draws near, fear becomes as valuable a resource as coffee) is that public cloud connectivity could enable unauthorized public access to a wealth of private resources. Yesterday on Capitol Hill before the House Cybersecurity Subcommittee, the CIO of DHS testified that his department is doing a better job of ironing out the differences, and is going ahead with its plan to roll out some public cloud-based services by 2013.
This while the Director of Information Issues for the Government Accountability Office testified that the General Services Administration – the agency responsible for procuring new equipment for the government – had yet to complete tasks begun a few years ago toward assessing a security strategy for cloud transitions.
The public cloud might pose a few issues
“While private clouds incorporate new technologies that may be challenging to secure,” stated DHS CIO Richard A. Spires, “public clouds introduce additional risks that must be addressed through controls and contract provisions that ensure appropriate accountability and visibility. Though many distinctions can be drawn between public and private cloud computing, a fundamental measure of readiness is their ability to meet security requirements.”
The government’s official assessment and authorization (A&A) policy for hardware, software, and services related to cloud deployments is called FedRAMP (Federal Risk and Authorization Management Program). Think of it as a cloud for the cloud: Since cloud deployments are often comprised of multiple, incremental buildouts of the same nodes (new disk arrays, new servers, new networks), FedRAMP is designed to let an existing assessment for a common, probably commoditized piece of technology apply to future purchases like a template. The policy’s catch phrase is, “Approve Once, Use Often.”
“By design, FedRAMP provides a common security risk model that supplies a consistent baseline for cloud-based services, including security accreditation designed to vet providers and services for reuse across government,” Spires continued. “Reducing risk and bolstering the security of clouds, while ensuring the delivery of the promised benefits, FedRAMP not only applies to public cloud services, but private, too. Ultimately the consumption of cloud services requires acknowledgement of a shared responsibility and governance. From the fact that accountability can never be outsourced from the Authorizing Official (AO) to the need to continue to meet government requirements, all require acknowledgement of a shared responsibility between the cloud service provider and customer.”
It’s here that Spires used leverage from FedRAMP to make this case, one which the GAO would agree with: For those assessment templates to be reusable, government has to trust vendors not to change the game in mid-stream. This means (and here comes a vital watch-word) government needs greater visibility into private vendors’ operations.
Spires went on: “For public clouds, there is a ‘visibility gap’ between the provider and customer, in which they cannot see into each other’s management, operational, and technical infrastructure, and procedures. As such, the visibility gap must be reduced through a series of requirements for contractual reporting and technical auditing and continuous monitoring data feeds. The key to secure use of cloud computing is the shared understanding of the division of security responsibilities between provider and client, and the ability to verify that both are meeting their responsibilities. As DHS advances in the use of public cloud computing, we will be ensuring we have the proper visibility based on a determination of risk given the cloud service and underlying data in order to ensure the security of our information.”
Vendors may be the weak link
Cloud deployments, either public or private, assume a trust relationship between government and private vendors. But individuals working within government agencies are worried that vendors may not rise to the occasion, according to the GAO.
“The use of cloud computing can also create numerous information security risks for federal agencies,” reported the GAO’s information issues director, Gregory Wilshusen. “In response to our survey, 22 of 24 major agencies reported that they are either concerned or very concerned about the potential information security risks associated with cloud computing. Several of these risks relate to being dependent on a vendor’s security assurances and practices. Specifically, several agencies stated concerns about 1) the possibility that ineffective or non-compliant service provider security controls could lead to vulnerabilities affecting the confidentiality, integrity, and availability of agency information; 2) the potential loss of governance and physical control over agency data and information when an agency cedes control to the provider for the performance of certain security controls and practices; and 3) potentially inadequate background security investigations for service provider employees that could lead to an increased risk of wrongful activities by malicious insiders.”
In short, the fear is that vendors could be the weakest link in the chain, with inattention to detail leading to real security vulnerabilities. Speaking on behalf of vendors, CA Technologies’ Chief Security Architect Tim Brown said that government could learn more about how vendors earn trust with institutions by examining their relationships with colleges and universities.
“Right now, there is no standard mechanism to evaluate common services from different providers against one other,” Brown told Congress. He went on to describe a new consortium for cloud service measurement (CSMIC) that CA developed in conjunction with Carnegie Mellon, the State of Colorado, and professional services firm Accenture. CSMIC, he said, “can be used to measure and compare a business service using a common language and evaluation process. A high level representation of the characteristics and questions the CSMIC seeks to address is included as an attachment to my testimony today. In conjunction with standard recognition of cloud services authorized under the FedRAMP program, the use of a framework like SMI in government procurements will enhance the analysis of competing cloud services and lead to greater standardization of solutions. As such, CA Technologies encourages the U.S. government to investigate using the SMI to encourage data-driven decision making on cloud acquisitions.”
