The U.S. Office of Management and Budget’s 2011 “cloud-first” initiative aimed to modernize federal IT systems by reducing the number of data centers, reducing costs, and increasing efficiency, agility and innovation in the federal government. The initiative required each agency to identify three services that could be moved to the cloud within 18 months. Four years later, we find that the march to the cloud is going slower than expected.
Although there have been significant cloud implementations in the federal government, including major projects at the National Archives and Records Administration (NARA) and the U.S. Department of the Interior, only 10 percent of agencies have migrated more than one-half of their IT portfolios to the cloud, according to a recent Accenture Federal Services and Government Business Council report assessing 286 federal executives. Only 30 percent are implementing cloud strategies, and 58 percent were not aware of any cloud strategy under way at their agencies.
As the trend toward cloud-based solutions continues and vendors offer new cloud services, agencies share concerns over the risks associated with storing critical and often sensitive information, including records and personal information in the cloud. The U.S. Government Accountability Office has identified key challenges with implementation of the “cloud-first” policy, including meeting federal security requirements and certifying vendors’ solutions and platforms.
Chief concerns over the use of cloud storage include vulnerability to hacking and theft, privacy and ownership of information in an environment that resides outside of agency firewalls, lack of portability standards, weak records management capability, inside threats and insufficient due diligence before jumping into the cloud.
But agencies can take measures to mitigate risks to their information assets. A key requirement for agencies venturing into the cloud is compliance with the National Institute of Standards and Technology's (NIST)’s Federal Information Security Management Act (FISMA) standards, specifically the Federal Risk and Authorization Management Program (FedRAMP) cloud security program that governs the security authorization process for Cloud Service Providers (CSP).
FedRAMP is a governmentwide program allowing joint authorizations and continuous security monitoring services for cloud computing systems intended for multi-agency use. It requires all agencies that use, or plan to use, a cloud environment at low or moderate impact levels, to implement the FedRAMP cloud security controls. This approach is intended to provide a “do once, use many times” framework that will save an estimated 30 to 40 percent of government costs, as well as both time and staff required to conduct redundant agency security assessments. Additional authorizations may be required to meet the Department of Defense's (DoD) cloud standards, particularly at high impact levels.
Agencies should evaluate cloud service provider security risks using well defined evaluation criteria including FedRAMP authorization, storage location and personnel clearances. Cloud vendors are working proactively to address security concerns through their offerings. For example, Microsoft’s government community cloud addresses government security concerns regarding data location and data access by hosting all services and information in the continental U.S., managed by U.S. personnel with government background investigations.
Vendors are also providing cloud-based solutions that comply with government records management requirements including the Federal Records Act, NARA regulations and the DoD standard (5015.2)for electronic records management applications.
A key security consideration in the development of cloud solutions is the cloud model and type. The cloud deployment model has a major impact on the risk of storing information in the cloud. Cloud service models -- including Infrastructure as a Service (IaaS), Platform as a Service (Paas), and Software as a Service (SaaS) -- define the boundary between the security responsibilities of service provider and customer. IaaS is the most basic level of service, leaving the most security responsibility with the consumer, with PaaS and SaaS passing increasing levels of application and security control to the solution vendor. Accordingly, IaaS has the least level of vendor-provided security controls, while SaaS has the most.
Cloud security is also highly dependent on where this information is located, whether it's in a private, public, hybrid or community cloud.
Many agencies still believe that their information, particularly classified and national security data, may be too sensitive to move to the cloud. In response to these security concerns, private clouds and hybrid clouds are preferred over public clouds. Private and hybrid clouds provide agencies greater security control over their information than public clouds. This ongoing security concern results in the the planning and implementation of agency-only or federal-only cloud models, or hybrid clouds that integrate private and public systems.
As agencies and vendors address cloud security concerns by delivering cloud architecture options, improved security controls and comprehensive records management capabilities, we can expect an accelerated migration of applications and information to the cloud and a realization of the government’s cloud-first objectives.