NIST’s Michaela Iorga says the guidance her team is creating now will let agencies comparison-shop among cloud providers.

Aug 03 2015

How the Federal Government Plans to Protect Data in the Cloud

Though agencies see security advantages in adopting cloud services, DOD, NIST and FedRAMP continue efforts to further enhance cloud security.

As agencies continue to ramp up cloud use and migrate services to providers, the ability to easily compare security approaches across cloud providers becomes increasingly critical, as does the need to add on additional mission-specific security features.

That’s exactly the focus of Michaela Iorga and her team of security experts at the National Institute of Standards and Technology as they work on the latest draft security guidance. NIST researchers intend to create a visual tool that will let agencies map security controls to the functional capabilities of cloud services.

The FedRAMP program, after all, provides just a baseline.

“FedRAMP provides a minimum level of security that is mandatory,” says Iorga, NIST’s senior security technical lead for cloud computing. “We provide a more comprehensive set of controls for government agencies to select from what they might need. It will help them improve their security posture.”

The ability to adjust security to mitigate unique risks within a particular agency or program is key, says Roger Greenwell, chief of cybersecurity in the Defense Information Systems Agency’s Risk Management Office.

But ultimately, Greenwell says he has no doubt that cloud computing will improve security for agencies. He points to the enterprise email system DISA built for users across the DOD.

More than 20 Defense entities, including the Army, Air Force headquarters and the Office of the Secretary of Defense, use a single private cloud for email instead of deploying their own messaging systems.

1 in 3

The number of new applications that organizations consider delivering through the cloud

SOURCE: CDW, Cloud 401 Report, February 2015

The Enterprise Test

DISA baked security into the email service, including a strong change management process, email security gateways and 24/7 network monitoring. The agency also focused on the service’s availability as a means to improve security, Greenwell says.

DISA’s cloud architecture, through virtualization and a distributed environment designed for worldwide operations, provides the agency with the redundancy it needs to keep email running if a location fails or server maintenance is necessary.

“By eliminating email servers in local installations and using cloud-based technologies, we have greatly improved email security,” Greenwell says. “The ability to ensure continued operations based on the resiliency and capacity of the cloud is a benefit many organizations can’t afford on their own.”

Cloud security remains an issue in large organizations, but IT leaders feel it’s addressable, according to CDW’s Cloud 401 report, which surveyed more than 1,200 technology professionals, 13 percent of them from the federal government.

In fact, only 28 percent cited security as their top concern for implementing cloud services.

As cloud has become more popular, cloud vendors — both commercial service providers and government agencies offering private cloud — can likely better secure networks than a single government entity can on its own.

To further bolster security and foster adoption, the National Institute of Standards and Technology is working on two special publications that provide agencies with in-depth guidance about how to choose and secure cloud services.

Meanwhile, the General Services Administration’s Federal Risk and Authorization Management Program continues to develop its baseline security controls, which are based on NIST’s work.

The FedRAMP office updated its baseline standards last year for low- and moderate-impact cloud services to support the controls found in NIST Special Publication 800-53 Revision 4.

This year, the organization is adding a new set of baseline security controls for high-impact systems, which for the first time will let service providers offer government cloud services that house highly sensitive data and applications.

Evolving NIST Guidance

Two new draft special publications from NIST expand upon the agency’s previous cloud guidance and complement FedRAMP’s efforts, Iorga says.

The first draft, SP 800-173, takes the six steps of NIST’s Risk Management Framework and applies them to the cloud from the user’s perspective. One step, for example, details the process of selecting a cloud architecture that best fits an agency’s security requirements.

“The publication gives government agencies an understanding of all the steps of protecting the cloud and provides guidance on how to approach each of them,” Iorga says.

When acquiring more traditional IT components, agencies can purchase hardware first and design security controls later, but that does not work with cloud, she says. Instead, agencies must first identify their security requirements, assess each prospective service provider’s security and privacy controls, negotiate security service-level agreements and build trust with a provider before authorizing the services. That’s a thoroughly different process from the one an agency might follow for other tech deployments, she points out.

SP 800-173 also introduces the idea of “trust boundaries.” Using this concept, agencies identify which controls fall to the service provider and which fall to them, Iorga says.

Additionally, even if a cloud service is FedRAMP-compliant, agency IT security staffers need to verify that the baseline controls meet their agency’s specific requirements. For example, one agency may look at authorization documents and decide it needs a service provider to add five additional security controls, while another agency may require 10 more, Iorga says.

DISA’s Roger Greenwell says cloud computing reduces the viable attack surfaces in DOD data centers.

That Extra Something

The second draft publication, NIST SP 800-174, serves as a cloud overlay for SP 800-53 Revision 4, providing recommendations on additional security controls agencies may want to implement beyond what FedRAMP requires.

The cloud security team also plans to define a structured representation of the security controls. This representation, which will be aligned with FedRAMP and DOD cloud security requirements, will provide control descriptions, implementation guidance, assessment guidance and metrics.

Cloud service providers will use this representation to describe their security control implementation when they submit it to FedRAMP for assessment, and agencies will use the same representation when submitting cloud implementations to FedRAMP for review. Because both sides describe controls in the same form, it will be easier for agencies to compare offers from different FedRAMP-authorized vendors, Iorga says.

Although FedRAMP-compliant cloud providers implement against the same baseline requirements, they likely place controls in different places in the stack and offer different functionalities. The representation should peel away some of these differences, Iorga says.

She’s quick to add, however, that the additional security controls in SP 800-174 for low-, moderate- and high-impact systems are strictly recommendations — they are not mandatory. Agencies will have to weigh the need for implementing them against the risks inherent in their particular systems.

NIST is accepting comments on 800-173 with hopes of publishing later this year. As for SP 800-174, Iorga plans to post aggregated data for public comment near year’s end.

FedRAMP Director Matthew Goodrich agrees that NIST’s forthcoming cloud guidance supplements the work done by FedRAMP.

“What FedRAMP does is make sure cloud providers are doing the security for their systems appropriately, and what 800-173 and 800-174 do is help agencies understand — and put in context — what their responsibilities are,” he says.

High-Impact Systems

The FedRAMP staff will continue to craft additional guidance too. Right now, the team is developing a new security baseline for high-impact cloud services. Up to this point, cloud providers have focused on securing moderate-impact cloud offerings.

The FedRAMP team defines “high-impact” cloud services as those that deal with data that “if leaked or otherwise compromised, would have a significant impact, including personal harm, loss of life or financial ruin.”

Two things are driving FedRAMP’s efforts. First, cloud providers have approached the team saying they can protect high-impact data. Plus, the five departments that host 75 percent of the government’s high-impact systems — Defense, Health and Human Services, Homeland Security, Justice and Veterans Affairs — have expressed interest.

The five departments collaborated with FedRAMP officials to develop a draft of baseline controls. The General Services Administration released it for comment in January and expects to finalize it near the end of the year, Goodrich says.

“We have grown FedRAMP deliberately,” Goodrich says. “The first three years were focused on low- and moderate-impact services, but it’s time for the next step. These five agencies have wanted to use the cloud at the highest level but didn’t feel comfortable doing so until we had guidance in place.”

Government community clouds, not commercial cloud providers, will most likely provide future high-impact cloud services, he says. Initial uses will focus on sensitive data, such as large financial data sets, but not classified or national security data, Goodrich adds.

Doubling Down on Security

As NIST prepares its new cloud security guidelines, some agencies already require commercial cloud service providers to support additional security controls beyond FedRAMP.

In January, DOD released a cloud computing security requirements guide that requires commercial providers to meet FedRAMP guidelines as a baseline and to apply additional security requirements for sensitive data. In fact, the DISA guidance defines three classes of sensitive unclassified data. As the sensitivity increases, so do the security controls.

In the meantime, DOD will use commercial cloud providers for non-mission-critical needs so that it can increasingly focus its security efforts on mission-critical systems, DISA’s Greenwell says.

DISA put its public-facing Information Assurance Support Environment website on a commercial cloud. The website, which provides access to DOD information assurance information, including policy, technical guidance, training and Defense enterprise tools, is built on an Infrastructure as a Service platform.

The agency plans to migrate more applications and data to commercial cloud services in the future, which will improve the security posture for the agency and DOD as a whole, Greenwell says.

“We are looking to reduce the attack surfaces within DOD data centers,” he says. “By leveraging commercial clouds and allowing providers to supply security for non-mission-critical workloads, we can focus on safeguarding the mission systems and data that are most critical to us.”
