Jul 24 2015

Best Practices for Securing the Federal Cloud

Encryption keys and other tools can help protect data at all times.

Agencies continue to turn to cloud computing solutions, benefiting from greater flexibility and reliability and from lower overall costs.

Security is still top of mind for federal technology leaders as they leverage the cloud to transform government computing environments. As agencies choose cloud partners, they must understand the shared responsibility model of cloud computing and how they can best protect government data through strong encryption.

Choosing a Cloud Partner

Cloud providers bring a variety of services to the table, ranging from Software as a Service (SaaS) purchasing platforms to Infrastructure as a Service (IaaS) server environments.

Agencies that implement cloud technology must first consider the security measures taken by their cloud providers. After all, the chosen partner may have a dramatic impact on the confidentiality, integrity and availability of government information and systems.

Agencies must perform due diligence to ensure the provider meets or exceeds federal security requirements, such as those mandated by the Federal Information Security Management Act (FISMA).

Fortunately, government agencies have help when it comes to investigating the security practices of cloud computing vendors. The General Services Administration recognized that many agencies performed duplicate assessments of the same cloud vendors, and the time required to complete those assessments hindered the adoption of new services.

Under a directive from the Office of Management and Budget, the GSA developed the Federal Risk and Authorization Management Program (FedRAMP) to centralize and streamline the process.

Cloud service providers may seek FedRAMP authorization to offer agencies cloud computing services for FISMA Low and FISMA Moderate activities. A qualified list of providers is maintained online.


The number of U.S. cloud computing providers that are FedRAMP compliant

SOURCE: FedRAMP.gov, May 2015

Understanding the Shared Responsibility Model

Agency technology leaders must understand that FedRAMP certification is not a cloud security panacea.

FedRAMP-authorized vendors have demonstrated that they meet basic FISMA standards, but each agency must determine which providers are most appropriate for its situation.

Agencies should never completely abdicate responsibility for information security. Every cloud service provider operates under some form of shared responsibility model, where the provider and the customer each bear some burden of security and compliance.

In an IaaS environment, vendors are responsible for the security of the underlying infrastructure, but agencies retain responsibility for building and maintaining secure systems on top of that infrastructure.

Providers must maintain strong physical security controls, manage access to the virtual environment and maintain strong separation between virtual workloads.

Sharing Is Caring

Agencies also take on certain responsibilities. For example, an agency must secure its virtual servers when reconfiguring a guest operating system. This shared responsibility model aims to give both parties a role in protection.

Things are a little easier for SaaS, where the cloud provider typically secures several layers higher in the stack. Agencies won’t come in contact with servers, firewalls or other infrastructure.

Agency staff must remain vigilant about the types of data cloud services store and process, along with the access controls surrounding that data.

Those using a cloud storage solution should ensure that employees do not upload files that exceed the service’s security authorization or put the agency’s information at risk.

Protecting Data with Encryption

Many agencies leverage encryption services on top of existing cloud services. The agencies retain encryption keys, preventing anyone without the key, including cloud provider staff, from accessing the data. Using strong encryption effectively renders the information safe from prying eyes and mitigates other security risks.

Agencies building cloud security programs should consider encrypting sensitive data both at rest and in transit. Data at rest is stored on the infrastructure of a cloud service vendor and may be susceptible to attacks where intruders gain physical access to a device or subvert the logical security controls put in place by the cloud provider. If the agency encrypts the data stored with the provider, an attacker who gains such access will retrieve encrypted data and won’t have the key necessary to decrypt it.

Agencies must also consider the security of data in transit between agency systems and the cloud service provider. Encrypting network connections between those environments prevents eavesdroppers from sniffing the network traffic and learning sensitive information. Transport Layer Security provides an easy, effective means to create encrypted connections between servers over an insecure network like the Internet.
