Security Outlook for Cloud 2015

CJ Moses, General Manager, Government Cloud Solutions at Amazon Web Services, discusses the cloud security outlook for 2015.

How agencies can keep their cloud secure in the upcoming year.

With more and more agencies migrating to the cloud, keeping sensitive data safe is of the utmost concern for the government. This seems especially urgent in light of several high-profile security breaches that have occurred within the past year. But cloud security is no myth. In fact, it’s easily attainable if agencies take seriously the responsibility for securing their data, and go about doing so systematically.

CJ Moses, General Manager, Government Cloud Solutions at Amazon Web Services, discusses how agencies can utilize cloud services while still keeping their data safe and secure. Moses shared how security comes from collaboration between the cloud service provider and agency administration, and how this can be achieved by operating within the Shared Responsibility Model.

What do you believe to be cloud’s greatest utility when it comes to the government?

Government, like many enterprises, often spends much of its time and resources focusing on the undifferentiated, yet all-important, “heavy lifting.” This heavy lifting includes everything from building datacenters to operating and securing commercial software. We respectfully refer to this as the ‘muck.’ This is where I see the true benefit of a properly adopted cloud architecture. It allows an agency to focus on its mission, while allowing a cloud provider like AWS to focus on our mission—which is providing world-class ‘muck’ for them. If an agency can retain laser focus on their top-line mission and not be distracted, but rather enabled by the ‘muck,’ it can provide amazing results.

As budgets remain tight in FY15, how can cloud help agencies keep on track to achieve mission while remaining within budget?

Agencies that adopt cloud services can both become more focused on their mission and realize the cost benefit of the provider’s scale and expertise. One of the biggest things that agencies will realize with cloud adoption is that rather than doing large capital expenditures to build or enhance their current IT infrastructure to meet their peak usage, they can transition to a pay-as-you-go operational expenditure model. This allows agencies to pay for only what they use—they aren’t paying for those resources sitting idle waiting for a spike of activity.

There’s so much conflicting information out there when it comes to cloud. In your experience, what are the most common misperceptions about cloud solutions for the government?

I think the biggest misperception about cloud for government is what the term ‘cloud’ means. NIST established a definition that spelled out the five main requirements to be considered cloud. These are: on-demand self-service, broad network access, resource pooling, rapid elasticity or expansion, and measured service. I would recommend that agencies evaluate potential providers against these requirements as some of the marketing out there may be taking advantage of the ‘cloud’ hype. 

In the past year, there have been several high-profile cybersecurity breaches. Agencies and citizens alike are concerned about the safety of sensitive data, much of which is now stored in the cloud. Is this anxiety warranted?

Such anxiety is only warranted for those agencies or individuals that haven’t taken the responsibility for securing their data seriously. In the AWS Cloud we provide a litany of methods to further secure customer data. These features range from default deny-all firewalls on our virtual machines—which means there is no access without the customer wittingly making an allowance for access—through many different levels and types of encryption. If an agency or individual has implemented the proper protections (or verified their provider has done so) the risk is much lower.

What would you suggest for agencies looking to improve their security outlook?

The first steps would be to ensure they understand what data they have, categorize its sensitivity and implement methods to provide adequate protection commensurate with that sensitivity. If they don’t know the various sensitivity levels of the data and are able to treat them differently, then the agency is forced to provide the highest level of security to all data, which results in unnecessary expense, inhibits mission agility and decreases overall efficiency. Cloud providers such as AWS have the proper resources to assist customers seeking to properly design and implement their cloud deployment.

What is the role of a cloud service provider when it comes to ensuring compliance with security regulations? And what role does the Shared Responsibility Model play?

It is important with any cloud migration that the agency understands who is responsible for what, especially in respect to security and compliance. At AWS we have defined this as the Shared Responsibility Model. This shared model can relieve customer operational burden as AWS operates, manages and controls the components—from the host operating system and virtualization layer down to the physical security of the facilities in which the services operate. The customer assumes responsibility and management of, but not limited to, the guest operating system (including updates and security patches) and other associated application software, as well as the configuration of the AWS provided security group firewall. Customers should carefully consider the services they choose, as their responsibilities vary depending on the services used, the integration of those services into their IT environment and the applicable laws and regulations. The nature of this shared responsibility also provides the flexibility and customer control that permit the deployment of solutions that meet specific certification requirements.

Developing a migration plan is crucial when transitioning to the cloud. What steps should agencies take to ensure that the cloud they build is ultimately one that best serves them—particularly when it comes to security?

The first step would be to familiarize themselves with the offerings and review the security overview and best practices provided in the AWS Security Center portion of our website. Once the agency has a basic understanding of our services and security model, this would be the perfect time to meet with one of our Solutions Architects (SA). AWS SAs are experts in our services and can work with an agency to establish the optimal architecture to meet not only their mission needs, but also the security and compliance requirements.

AWS recently announced that they are the first cloud service provider to achieve a U.S. Department of Defense Security Level 3-5 Authorization for their AWS GovCloud (US) region. What does this mean for government leaders?

This new authorization allows DoD customers to conduct development and integration activities that are required to secure controlled unclassified information in AWS GovCloud at levels 3-5. Built on the foundation of the FedRAMP Program, the DoD Cloud Security Model includes additional security controls specific to the DoD. The authorization sponsored by DISA will reduce the time necessary for DoD agencies to evaluate and authorize the use of AWS GovCloud. Simply put, DoD agencies can now use AWS GovCloud’s compliant infrastructure for all but level 6 (classified) workloads.

What else, in your view, should government leaders know about cloud solutions that they might not currently be aware of?

Understanding that it may be a bit daunting at first to look at cloud migration, I’d recommend looking into AWS GovCloud (US) since it was specifically designed with their needs in mind. For example, only vetted US Persons have access to restricted areas, networks and systems for AWS administration. And there is physical hardware and logical network isolation from all other AWS regions. This makes it much easier for agencies to achieve the security that they need while realizing the benefits of cloud.

About Amazon Web Services

Amazon Web Services (AWS) Worldwide Public Sector is helping government and education customers employ cloud services to reduce costs, drive efficiencies, and increase innovation across the globe. With AWS, you only pay for what you use, with no up-front physical infrastructure expenses or long-term commitments. Over 900 public sector organizations of all sizes use AWS to build applications, host websites, harness big data, store information, conduct research, improve online access for citizens, and more.

This content is made possible by Amazon Web Services; it is not written by and does not necessarily reflect the views of Nextgov's editorial staff.