Audits Hamper Federal Cloud Migration
It can safely be said that cloud computing is taking root in government as both use and budgets continue to rise. While adoption issues remain, the results of a 2015 Meritalk survey are encouraging: Seventy-two percent of respondents say cloud security has improved over the last year, and 67 percent believe their data is safer in cloud environments than in legacy systems.
The cloud’s economical pricing, agility and service packaging clearly make it a viable consideration for agencies. Still, one issue continues to act as a drag chute: the proliferation of security standards makes adoption too complicated, particularly when audit and certification requirements prevail. The government must work to reduce the number of audits and certifications required of cloud computing vendors, or allow certifications to be reused, to speed up the adoption of cloud technology within agencies.
Security Needs
Government users demand intense security, which is quite understandable given the relative immaturity of cloud technology in complicated business environments.
Companies serving commercial health, finance and credit payment market segments as well as the public sector are forced to comply with diverse frameworks of security controls such as HIPAA/HITRUST, PCI, ISO 27001/2, NIST 800-53, FedRAMP and AICPA.
Such an array creates a dizzying, complex and often duplicative quagmire of information assurances. Frustration levels are bubbling to a boil.
Cost Concerns
Performing cloud security audits is time consuming and expensive — particularly when similar testing is repeated for different standards. We must get serious about standard harmonization and allow the results of these audits to be reused as a replacement for similar standards.
Sidebar: The amount the government has saved through FedRAMP cloud certification since the program was set up at a cost of just $13 million. (Source: CIO.gov, “FedRAMP Forward: 2 Year Priorities,” December 2014)
Organizations such as NIST have pursued security standards mapping for years, with the goal of spurring greater reciprocity and inheritance.
There are numerous governance, risk and compliance security assessment guidelines to follow, including FedRAMP, SAS 70(2), PCI QSA/ASV, HIPAA/HITECH, HITRUST CSF, ISO 27001, SOC and NIST RMF.
On average, there is a 60 to 70 percent overlap — or more — in security controls across the standard areas. If mapping and inheritance are performed within a workable governance process, audit assessments and the associated approval times could be reduced by as much as 30 to 40 percent.
Fortunately, the GSA FedRAMP program management office has outlined activities this year that begin to address the issue. Requirements will be set for how controls within different frameworks should be mapped to provide greater apples-to-apples comparisons, with pilots planned for later this year to test harmonization.
Such focus on reuse should help to simplify and accelerate cloud computing adoption.
Finding Consensus
Moving forward, agencies and security experts must maintain focus on standards harmonization and consistent security ideals. The key to success lies in finding agreement on the underlying intent of the frameworks, grouping common principle areas and consolidating the principles they share.
Even as we achieve consensus on mapping and principles, we must resolve specifics — simultaneously — around accepted evidence for operational security controls testing.
Security managers and auditors should look more at best practices and come to a standards-based consensus instead of dictating standards unilaterally. The shift will bring an end to the security audit overload that today ends up costing agencies much more than necessary.
Building training and knowledge will help to bring everyone closer to meeting these goals.