Although there have been significant cloud implementations in the federal government, including major projects at the National Archives and Records Administration (NARA) and the U.S. Department of the Interior, only 10 percent of agencies have migrated more than one-half of their IT portfolios to the cloud, according to a recent Accenture Federal Services and Government Business Council report based on a survey of 286 federal executives. Only 30 percent are implementing cloud strategies, and 58 percent were not aware of any cloud strategy under way at their agencies.
Security Concerns Continue to Hamper Cloud Adoption
As the trend toward cloud-based solutions continues and vendors offer new cloud services, agencies share concerns over the risks associated with storing critical and often sensitive information, including records and personal information, in the cloud. The U.S. Government Accountability Office has identified key challenges with implementation of the “cloud-first” policy, including meeting federal security requirements and certifying vendors’ solutions and platforms. Chief concerns over the use of cloud storage include vulnerability to hacking and theft, privacy and ownership of information in an environment that resides outside of agency firewalls, lack of portability standards, weak records management capability, insider threats and insufficient due diligence before jumping into the cloud.
Addressing Security Risks for Cloud-based Information Storage
But agencies can take measures to mitigate risks to their information assets. A key requirement for agencies venturing into the cloud is compliance with the National Institute of Standards and Technology (NIST) Federal Information Security Management Act (FISMA) standards, specifically the Federal Risk and Authorization Management Program (FedRAMP) cloud security program that governs the security authorization process for Cloud Service Providers (CSPs). FedRAMP is a governmentwide program allowing joint authorizations and continuous security monitoring services for cloud computing systems intended for multi-agency use. It requires all agencies that use, or plan to use, a cloud environment at low or moderate impact levels to implement the FedRAMP cloud security controls. This approach is intended to provide a “do once, use many times” framework that will save an estimated 30 to 40 percent of government costs, as well as the time and staff required to conduct redundant agency security assessments. Additional authorizations may be required to meet the Department of Defense's (DoD) cloud standards, particularly at high impact levels.
Agencies should evaluate cloud service provider security risks using well-defined evaluation criteria, including FedRAMP authorization, storage location and personnel clearances. Cloud vendors are working proactively to address security concerns through their offerings. For example, Microsoft’s government community cloud addresses government security concerns regarding data location and data access by hosting all services and information in the continental U.S., managed by U.S. personnel with government background investigations.
Vendors are also providing cloud-based solutions that comply with government records management requirements, including the Federal Records Act, NARA regulations and the DoD standard (5015.2) for electronic records management applications.
Cloud Models and Types Affect Information Security
A key security consideration in the development of cloud solutions is the cloud model and type. The cloud deployment model has a major impact on the risk of storing information in the cloud. Cloud service models -- including Infrastructure as a Service (IaaS), Platform as a Service (PaaS), and Software as a Service (SaaS) -- define the boundary between the security responsibilities of service provider and customer. IaaS is the most basic level of service, leaving the most security responsibility with the consumer, with PaaS and SaaS passing increasing levels of application and security control to the solution vendor. Accordingly, IaaS has the least vendor-provided security control, while SaaS has the most. Cloud security is also highly dependent on where the information is located, whether in a private, public, hybrid or community cloud.
- In a private cloud, the service is set up specifically for one agency, and the cloud may exist on or off the customer’s premises.
- In a government community cloud, the service is set up for multiple agencies having similar requirements. The cloud may be managed by the organizations or a third party, and may exist on or off the organization’s premises.
- A public cloud is available to the general public, and is owned and operated by the service provider.
- A hybrid cloud combines two of the above deployment models (private, community or public) that are bound together to meet agency needs, typically with sensitive or classified information being stored in the private cloud.
As agencies and vendors address cloud security concerns by delivering cloud architecture options, improved security controls and comprehensive records management capabilities, we can expect an accelerated migration of applications and information to the cloud and a realization of the government’s cloud-first objectives.
Marty Heinrich is the Director of Information and Records Management at Array Information Technologies. He is a strategist and management consultant with more than 20 years of experience planning and delivering mission-critical business solutions to government and commercial organizations.