Four cybersecurity considerations for Federal CIOs and CISOs moving their organization to the cloud
By Colby Proffitt
Just seven years ago, the Office of Management and Budget (OMB) mandated that federal agencies default to cloud-based solutions, when available, and adopt a cloud first policy when considering new information technology purchases. This mandate is aligned with the 25 Point Implementation Plan to Reform Federal Information Technology Management, released in 2010, which focuses on terminating one-third of underperforming projects, shifting to a cloud first policy, and reducing the number of data centers.
But, making such a drastic change isn’t going to happen overnight. In fact, despite the push toward cloud technologies and the obvious advantages and benefits, many agencies are struggling with the procurement and management challenges of the cloud first policy. There are a number of benefits of moving to the cloud, but there are also several cybersecurity challenges that CIOs and CISOs must consider before making the change:
Responsibility and Accountability: Although it should always be a top priority, security can easily become an afterthought, overshadowed by the cost savings, efficiencies, and other benefits of moving to the cloud. Security is largely about responsibility and accountability, and many organizations may be inclined to think that security automatically becomes the responsibility of the cloud service provider – but it’s not. The owner of the data is the responsible party. Any organization that plans to move to the cloud needs to develop, understand, and periodically revisit their Service Level Agreement (SLA) and Terms of Service (ToS) with their cloud provider. Thomas Trappler, the Associate Director for IT Strategic Sourcing at the University of California, recommends that SLAs should:
1. Codify the specific parameters and minimum levels required for each element of the service, as well as remedies for failure to meet those requirements.
2. Affirm your institution’s ownership of its data stored on the service provider’s system, and specify your rights to get it back.
3. Detail the system infrastructure and security standards to be maintained by the service provider, along with your rights to audit their compliance.
4. Specify your rights and cost to continue and discontinue using the service.
One way organizations can address cloud security is through the Federal Risk and Authorization Management Program (FEDRAMP). We’ll provide more detail on FEDRAMP and its benefits below.
FEDRAMP: Because incorporating cloud into the Federal IT infrastructure has proven difficult, cybersecurity and cloud experts from the General Services Administration (GSA), National Institute of Standards and Technology (NIST), Department of Homeland Security (DHS), Department of Defense (DoD), National Security Agency (NSA), Office of Management and Budget (OMB), the Federal Chief Information Officer (CIO) Council, and private industry have collaborated to develop FEDRAMP. In short, FEDRAMP is a government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services.
At a very basic level, federal agencies leverage the FEDRAMP process to select a cloud service provider (CSP), which must meet all FEDRAMP requirements prior to implementation. Then, third party assessment organizations (3PAOs) perform initial and periodic assessments to ensure CSP compliance with FEDRAMP requirements.
FEDRAMP provides a standard process with baselined requirements for government agencies to use when selecting a CSP. Instead of every agency developing their own criteria in a vacuum, FEDRAMP provides consistent guidance for CSP selection, while also holding CSPs accountable beyond initial selection.
What’s important to note about the FEDRAMP process is the “do once, use many times” framework – once a CSP is approved for one agency, that CSP is approved for all agencies.
While FEDRAMP provides a way for federal agencies to select pre-approved CSPs, it’s important to realize that using a FEDRAMP-certified provider does not mean that the agency’s data will automatically be secured in the cloud. While the CSP may have the infrastructure to support security, most CSPs don’t provide encryption, security, or segregation/separation of duties by default – it’s often considered an additional service and an additional cost.
Public Cloud vs. Private Cloud: Moving to the cloud is complex and requires careful evaluation of cloud options and strategic decisions. Organizations or agencies must determine whether to move to a public cloud, where a commercial service provider makes resources, such as applications and storage, available to the general public over the Internet, or a hosted private cloud, which is similar to a public cloud but is dedicated to a single organization. There are many factors that can influence a CIO’s decision to choose private instead of public, or vice versa – budgetary limitations, staff and resource requirements, available physical space, capacity and workloads, to name a few. Two of the most important considerations, however, should be data security and resiliency.
With public cloud, most CSPs typically offer environment isolation in a multitenant hosting situation. Although your organization’s data may be heavily firewalled from outside attack and isolated from other tenants’ data, there’s still a possibility that your data might become vulnerable. In fact, many IT professionals would argue that the risk of a breach goes up with public cloud. Think of it as a vault door to a bank. It might take a robber a long time to crack the combination, but once in, he has access to everything in the vault. Major CSPs may have more tenured and technically trained cyber cloud experts, more monitoring and cyber defense tools, and greater security guarantees, but they are also a bigger target than many smaller organizations. The size of the organization, how publicly known the organization is, the value of the data, and the likelihood of being targeted by cyber adversaries are all factors that organizations should consider when choosing between private and public cloud.
Private cloud can be a better choice for some companies, provided they have the funding to support it in the long-term. Public CSPs are big enough that they can update their hardware at any time – they can afford to stay on the bleeding edge of technology. Some organizations may be able to afford the initial purchase of the hardware needed for a hosted private cloud, but the hardware refresh costs, the costs of physical security, and the costs of either hiring or retraining staff may limit organizations with smaller cloud budgets to a public cloud offering.
Security Authorization: One of the biggest challenges for agencies using cloud-based solutions is understanding what it means to conduct Assessment & Authorization (A&A), formerly known as Certification and Accreditation (C&A), on a system where the system boundaries and assets are not static because they are in the cloud. Because of the complexities of a cloud environment, agencies should consider leveraging automation as a means of maintaining compliance, often offered as Compliance as a Service (CaaS). Transitioning to a heavily automated model is no small task. The benefits of additional automation include a significant reduction in error, but automating compliance takes significant investment. It’s best to automate smaller tasks, such as security alert systems, then move on to other areas that will benefit from automation.
Authorization is really about ensuring that every user with access to your network has access to the data, applications, and systems that are relevant to their jobs and roles, and making sure that those who aren’t authorized to be on your network stay off of it. Because cloud resources can be accessed from anywhere with an Internet connection, there’s an increased opportunity for cyber adversaries to gain access to your data. To combat those threats and improve security in the cloud, many cloud providers will offer CaaS, but it’s important to understand exactly what that means.
First, you need to know what standards and regulatory requirements you are required to be compliant with – HIPAA, FIPS, FISMA, and DIACAP are a few of the more common ones. Once you understand the standard, you have to understand that it’s not just about having a compliant server in the cloud. With CaaS, in addition to the compliant servers you purchase from your cloud service provider (CSP), you’re also purchasing services like continuous monitoring, vulnerability scanning, data encryption, and reporting. Even with that added protection, however, remember that you may still be in a public cloud multi-tenant environment, so for a more complete security solution, consider also investing in segregation of duties, real-time data protection, vulnerability repair, and database access control.
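The automated compliance checking described above can be illustrated with a small "compliance as code" check. This is an added example written for this article, not code from the author, from FEDRAMP, or from any CSP: the inventory fields, the control identifiers (ENC-1, NET-1, LOG-1, IAM-1) and the exception mechanism are all assumptions chosen for illustration, and the inventory itself is constructed. It shows the pattern a CISO would want from a CaaS or in-house tool: every resource is evaluated against the same baseline (encryption at rest, no public access, logging, MFA on administrative accounts), misses are recorded with a severity, and documented exceptions stay visible in the report rather than silently disappearing.

```python
"""Added example: evaluate a constructed cloud asset inventory against a
small control baseline. Control names, inventory fields and the exception
mechanism are assumptions for illustration, not any FEDRAMP or CSP artifact."""
from dataclasses import dataclass

# Constructed inventory, shaped like what an agency's asset discovery might
# report. Field names are an assumption for this example.
SAMPLE_INVENTORY = [
    {"id": "bucket-hr-records", "type": "storage", "encrypted_at_rest": True,
     "public_access": False, "access_logging": True},
    # A public website bucket: public access is intended, so NET-1 is waived
    # by a documented exception; the missing encryption and logging are not.
    {"id": "bucket-public-site", "type": "storage", "encrypted_at_rest": False,
     "public_access": True, "access_logging": False, "exceptions": ["NET-1"]},
    {"id": "db-case-mgmt", "type": "database", "encrypted_at_rest": True,
     "public_access": False, "access_logging": False,
     "admin_accounts": ["alice", "bob"], "mfa_enforced": False},
]


@dataclass
class Finding:
    resource_id: str
    control: str
    severity: str   # "high", "medium" or "info" (waived by exception)
    detail: str


def _flag_true(key):
    """Control passes only when the boolean field is explicitly True."""
    return lambda r: r.get(key) is True


# (control id, severity of a miss, description, predicate over a resource).
# Control ids are hypothetical labels for this example.
CONTROLS = [
    ("ENC-1", "high", "encryption at rest enabled", _flag_true("encrypted_at_rest")),
    ("NET-1", "high", "no public network access",
     lambda r: r.get("public_access") is False),
    ("LOG-1", "medium", "access logging enabled", _flag_true("access_logging")),
    ("IAM-1", "high", "MFA enforced for admin accounts",
     lambda r: r.get("admin_accounts") is None or r.get("mfa_enforced") is True),
]


def evaluate(inventory):
    """Return one Finding per control a resource fails. Documented exceptions
    are recorded as informational findings so they remain visible in reports."""
    findings = []
    for r in inventory:
        waived = set(r.get("exceptions", []))
        for cid, sev, desc, ok in CONTROLS:
            if cid in waived:
                findings.append(Finding(r["id"], cid, "info",
                                        f"{desc}: waived by documented exception"))
            elif not ok(r):
                findings.append(Finding(r["id"], cid, sev, f"{desc}: not satisfied"))
    return findings


def summarize(findings):
    """Count findings per severity for a one-line status report."""
    counts = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


def is_compliant(findings, block_on=("high",)):
    """A resource set is compliant when no unwaived finding of a blocking
    severity remains; waived items are informational and do not block."""
    return not any(f.severity in block_on for f in findings)


if __name__ == "__main__":
    results = evaluate(SAMPLE_INVENTORY)
    for f in results:
        print(f"{f.severity:<6} {f.resource_id:<20} {f.control}  {f.detail}")
    print("summary:", summarize(results), "compliant:", is_compliant(results))
```

Running the script against the constructed inventory reports two high findings (the public bucket without encryption at rest and the database whose administrators lack MFA), two medium findings for missing access logging, and one informational entry for the waived public-access control. The point of returning structured findings rather than a pass/fail flag is that the same output can feed the continuous monitoring, reporting and SLA evidence the article says an agency must hold its CSP to.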
Although it’s easy to get excited about the benefits of moving to the cloud, it’s important to make sure that you really understand the cloud and its cyber implications for your organization. It can be tempting for CIOs to think that someone else is responsible for their organization’s data once it’s in the cloud, but the truth is that the CIO is responsible for holding the CSP accountable for protecting that data. The good news is, there are FEDRAMP-approved CSPs who have already been vetted, and the security requirements and documentation have been templated to accelerate cloud adoption in the federal space. However, even after a FEDRAMP-approved CSP has been selected, it’s still up to the CIOs and CISOs to effectively manage the CSP to ensure ToS agreements and SLAs are met.