Agencies wary of handing over security management to cloud providers
Officials still want to manage certain controls internally, report finds.
Despite plans to standardize security processes associated with cloud computing, some federal agencies remain reluctant to hand over responsibility for ensuring sensitive data to vendors, according to a new Government Accountability Office report.
A study GAO conducted from September 2009 through May 2010 (GAO-10-513) showed many agencies were concerned about relying too heavily on the vendor community to ensure the security of information in the Internet's cloud. For example, 20 of the 24 agencies identified concerns about service provider compliance with and implementation of government information security requirements. Agencies also objected to limitations on their ability to conduct independent audits and assessments of security controls of cloud computing service providers.
"Until federal guidance and processes that specifically address information security for cloud computing are developed, agencies may be hesitant to implement cloud computing, and those programs that have been implemented may not have effective information security controls in place," said Gregory Wilshusen, director of information security issues at GAO during a joint hearing on Thursday of the House Oversight and Government Reform Committee and the Subcommittee on Government Management, Organization and Procurement.
At the hearing, federal Chief Information Officer Vivek Kundra and David McClure, associate administrator in the Office of Citizen Services and Innovative Technologies at the General Services Administration, made reference to the Federal Risk and Authorization Management Program, a multiagency initiative to certify that information systems used in cloud environments meet federal security guidelines.
But while FedRAMP centralizes the certification process, it doesn't ease the burden agencies that want to manage certain security controls internally face, according to GAO. For example, NASA opted to retain responsibility for 47 out of 112 defined security controls when implementing its Nebula cloud, which the agency uses to support a number of projects, including those that share images and statistics with international partners and academic institutions.
Similarly, officials managing the Defense Department's Rapid Access Computing Environment, which developers can use to test new computer applications, determined that 62 security controls were the department's responsibility and 31 were the responsibility of the cloud service provider. Officials from both NASA and Defense "commented on the challenges in analyzing and maintaining such a division of responsibilities, but noted that clear assignment of responsibilities was important for effective information security," reported GAO.
Despite agencies' concerns, few have documented how security will be managed in the cloud. According to GAO, four agencies responded they have policies limiting the type of information that can be placed in a cloud. Two said they had policies in place limiting the type of cloud deployment model used.
"For security, agencies must approach the cloud thoughtfully," said Scott Charney, vice president of Microsoft's Trustworthy Computing initiative. They "must adapt and advance their information security programs and communicate the requirements to their cloud providers so that cloud providers can demonstrate that appropriate security and other operational controls have been implemented."