Feb 12 2016

Government Agencies Need to Engage in Cloud Security Due Diligence

Maria Horton, former CIO at the National Naval Medical Center, shares cybersecurity best practices for the cloud.

The increased adoption of cloud computing by government agencies has made cloud security a top priority for government CIOs and chief information security officers. 

Security frameworks for traditional on-premises technology are governed by a range of compliance standards, but updates to those standards have not kept pace with the changing cloud and Internet of Things (IoT) ecosystem or with the proactive measures needed to counter cloud-specific risks. Cloud adoption has therefore created a new imperative for government leaders and IT decision-makers: move beyond baseline compliance with critical security controls and Federal Information Security Modernization Act (FISMA) reporting, and think strategically about how to establish minimal, enhanced and proactive due diligence standards that reflect the evolving nature of business and security in agency clouds, in cloud services and in partners’ cloud solutions.

At present, the FedRAMP program has established cloud security standards and assessment procedures designed to evaluate cloud security in a more uniform manner while saving the government time and cost. FedRAMP vets cloud service providers (CSPs) for entry into the federal marketplace, but an authorization attests to the provider’s controls, not to how an agency configures and uses the service; agencies therefore still need to approach cloud security from a holistic perspective. At a minimum, the traditional Security and Privacy Program offices should evaluate the impact of cloud on governance processes, incident-response preparedness and continuous monitoring practices, especially where cloud services and solutions interact with legacy, hosted and on-premises systems.

As widespread cloud use unfolds, government programs will need to define internal agency best practices for establishing accountability and security due diligence in the cloud. Here are a few recommendations.

Focus on Security-Control Handoffs

Analysis of organizational risk, together with procedures that mitigate identified vulnerabilities and validate compliance, is the foundation of an effective security framework. In the cloud, problems tend to arise at interconnections and dependencies: the points where responsibility for a control passes from the agency to the CSP, from one provider to another, or from a cloud service to a legacy system. We encourage our customers to look closely at those junctures.

Managing people and roles is critical to mitigating risk during daily operations. In cloud and automated IoT environments, it is essential to determine, control and monitor who has access to sensitive data and who can make changes to systems, on both sides of each handoff. Effective due diligence means the agency has documented which party owns each control at every handoff, has addressed the gaps it found, and reports on performance against those handoffs.

Monitor and Audit SLAs

When planning, acquiring and entering into a contract with a cloud service provider, an agency must understand all aspects of the contract, including the performance metrics in its service-level agreements (SLAs). Understanding them is demonstrable evidence that the organization knows its accountability requirements and is taking the necessary due diligence steps to protect its information and data. SLAs should not be managed in a silo by procurement officials or by security program personnel alone. Leaders in this space use SLAs to drive business, technology and security decisions, so the SLA language should be developed and reviewed collectively by technology decision-makers and the security operators on the front lines who will have to verify it.

SLAs should measure performance and security practices in a way that is consistent with the organization’s assets, data and mission. An SLA that is never measured is a promise, not a control: the agency should define what evidence the CSP must deliver for each metric, who reviews it and how often. By monitoring and auditing SLAs in this way, the agency verifies that cloud services meet the agreed security standards and regulations, and builds the trust of its clients.

Conduct Periodic Third-Party Cloud Risk Assessments

Agencies should regularly review the security of their cloud data and services. The plan should include the use of independent auditors, such as FedRAMP Third Party Assessment Organizations (3PAOs) with proven capabilities. Employing an objective outside entity, in addition to any in-house Security and Privacy Program and any CSP continuous monitoring program, establishes clear due diligence on the part of governance leaders. Emphasis should be on the critical controls related to data-access rules, data handling and data-resilience features. To mitigate risk, business practices should be regularly reviewed and updated as part of the risk framework.

When it comes to the “cloud-first” mandate, government agencies can identify weaknesses and reduce risk by planning and implementing some or all of these cloud security practices. External assessments also demonstrate an agency’s commitment to strong security and build trust with other agencies, with employees and with the public.

Demonstrating due diligence is important for accountability, government transparency and protection of agency missions, and it directly supports CIOs and CISOs in meeting their obligations under the Federal Information Technology Acquisition Reform Act (FITARA) and FISMA in today’s security-breach and incident-response environment.