Policies, Not Tools, Drive Cloud Security
The Nuclear Regulatory Commission depends on Patrick Howard’s advice when it comes to security in the cloud. As the agency’s chief information security officer, Howard says there are plenty of tools that offer continuous monitoring and visibility for public-cloud applications while maintaining 24x7 security.
“The tools aren’t the issue,” Howard says, adding that the real challenge is having the procedures and processes in place to help decide if an application should or should not be placed in the public cloud.
Howard says any highly sensitive information is off limits for a public-cloud application. However, the NRC is fine with low-priority data moving to the cloud with controls based on the Federal Risk and Authorization Management Program. FedRAMP offers a standard approach to security assessment, authorization and continuous monitoring for cloud products and services.
Rod Turk, chief information security officer at the Patent and Trademark Office, largely agrees with Howard’s approach. Turk says his organization has focused mainly on private-cloud implementations, mostly to have more control over the data and the process. But over time, more cloud deployments are inevitable, especially applications at least partially in the public cloud.
For all types of cloud implementations, Turk insists that security is as much about processes and due diligence as it is about tools. For anything the agency considers for the cloud, a team conducts a business case and full analysis to determine whether it makes sense to proceed.
“Once we decide to move forward with a cloud implementation, we make sure to use a provider and processes that we trust will reduce our risks,” he explains. “We make sure we research where it will reside, how it will be hosted, and that we have reduced the risk to the point where we find it acceptable.”
33%
The percentage of IT security executives polled who think cloud infrastructure environments are as secure as on-premises data centers
SOURCE: Ponemon Institute, October 2011
Both Howard’s and Turk’s views about what it takes to remain secure in the cloud are common among federal government security professionals, at least partially because of the strict security guidelines set by FedRAMP.
Yet for any organization with software, infrastructure or platforms in the cloud, it’s critical to identify threats and vulnerabilities in real time so they can be acted on and resolved quickly, says Renell Dixon, a managing director in the federal practice at PricewaterhouseCoopers, a global consultancy firm.
“When you’re talking about the cloud, the window of opportunity between the time a threat is located and the time you are fully protected is very small,” she says. “It’s important to put something in place that manages that process in real time by continuously monitoring and fixing problems as they occur.”