Platformcloud9.com

Obama's Cloud gets stormy as security objections get vocal


The US Government Accountability Office (GAO) has issued its sternest warning to date about the move to the Cloud, conceding that it will reduce IT costs, but arguing that agencies are moving data to the Cloud before the Office of Management and Budget (OMB) has put government-wide security strategies in place.

A GAO report, based on the views of CIOs at 22 major US agencies, listed several security concerns: vendors using ineffective security practices, agencies not able to examine the security controls of vendors, cyber criminals targeting data-rich Clouds, and agencies losing access to their data if the relationship with a vendor ends.
 
The report noted: "The adoption of Cloud Computing has the potential to provide benefits to federal agencies; however, it can also create numerous information security risks. Federal agencies have taken steps to address Cloud Computing security, but many have not developed corresponding guidance. OMB has initiated a federal Cloud Computing initiative, but has not yet developed a strategy that addresses the information security issues related to Cloud Computing, and guidance from NIST to ensure information security is insufficient. 
 
"While the Federal CIO Council is developing a shared assessment and authorisation process, which could help foster adoption of Cloud Computing, this process remains incomplete, and GSA has yet to develop plans for a shared assessment and authorisation process for its procurement of Cloud Computing infrastructure as a service offerings. Until federal guidance and processes that specifically address information security for Cloud Computing are developed, agencies may be hesitant to implement Cloud Computing, and those programs that have been implemented may not have effective information security controls in place."

Objections ahead
 
All of which suggests that while President Obama and US government CIO Vivek Kundra are keen to press on, there's an increasingly vocal reluctance to do so elsewhere. "The use of Cloud Computing can also create numerous information security risks," Gregory Wilshusen, director of information security issues at the GAO, told the House of Representatives Oversight and Government Reform Committee. "These risks generally relate to dependence on the security assurances and practices of a service provider and the sharing of computing resources."
 
It's a warning that was echoed by several members of the committee. "I will be particularly interested in details as to how companies believe that they can implement guaranteed security in a Cloud environment," said Republican Representative Darrell Issa. "As all of you know, we do not guarantee security. We have breaches every week, every month, sometimes every day in government."
 
The GAO recommended that the Office of Management and Budget:
  • Establish milestones for completing a strategy for implementing the federal Cloud Computing initiative.
  • Ensure the strategy addresses the information security challenges of Cloud Computing, including agency-specific guidance, the appropriate standards for assessing Cloud Computing service providers, the division of security responsibilities between customer and provider, the shared assessment and authorisation process, and the possibility for pre-certification of Cloud Computing service providers.
  • Direct the Chief Information Officers Council's Cloud Computing Executive Steering Committee to develop a plan, including milestones, for completing a government-wide security assessment and authorisation process for Cloud services.

For his part, Kundra accepts the need for security standards. "As we move to the Cloud, we must be vigilant in our efforts to ensure the security of government information, protect the privacy of our citizens, and safeguard our national security interests," he said. "OMB feels it would be appropriate to develop, over the next six months, a federal Cloud strategy that covers a planning horizon of five to 10 years and is based on lessons learned in the near term. The strategy and related milestones may need to evolve over time, as Cloud Computing technologies establish market strongholds."
 
In fact, there are efforts underway to create government security standards. Several agencies have joined a new effort called the Federal Risk and Authorization Management Pilot program (FedRAMP), which seeks to develop security and certification standards. Under FedRAMP, an interagency group will inspect vendors' Cloud Computing solutions that federal agencies may be interested in using to ensure they meet complex IT security standards. Those standards are set by the National Institute of Standards and Technology.
 
The group will have members from GSA, the Defense and Homeland Security departments and the agency buying the Cloud Computing service. But while FedRAMP centralises the certification process, it doesn't ease the burden faced by agencies that want to manage certain security controls internally, according to GAO.
 
For the Cloud Computing industry, Mike Bradshaw, director of Google Federal, sought to reassure government officials that the Cloud offers no more substantial security risk than traditional on-premise computing. "The Cloud enhances security by enabling data to be stored centrally with continuous and automated network analysis and protection," he said. "When vulnerabilities are detected they can be managed more rapidly and uniformly. Cloud security is able to respond to attacks more rapidly by reducing the time it takes to install patches on thousands of individual desktops or hundreds of uniquely configured on-premise servers."
 
He added: "The Cloud can allow teleworkers to easily and securely access their data and work from wherever they happen to be. The Cloud saves taxpayers money."
