How Federal Agencies Manage Their Risk in the Cloud

SaaS and similar solutions create challenges for security-conscious IT workers.

More than one-third of organizations responding to “The Cybersecurity Insight Report” by CDW predict that adoption of Software as a Service, along with the sensitive data that ends up residing in SaaS services, will have the greatest impact on their risk management strategy over the next year.

For many federal agencies, the journey to SaaS and other cloud services is proceeding more slowly than it is in the private sector, which has recognized the value — and relative security — of “on-demand” models such as SaaS or Infrastructure as a Service. 

Among the reasons: SaaS applications may require agencies to hand sensitive information to third parties, who in turn may protect it with a patchwork of different encryption protocols and operational practices. Cost savings, reduced time to benefit and scalability are real advantages, but SaaS offers no single time-tested, standardized approach to securing data, so the protection an agency actually gets depends on the specific provider and on how the service is configured.

As agencies push their data to the cloud, how are they enhancing their risk management capabilities along the way?

Private Sector Discovers the Value of Third-Party Network Management

The 2015 discovery that Chinese hackers had infiltrated the networks of the United States Office of Personnel Management, stealing the records of more than 21 million people, triggered a new rush to secure and upgrade federal networks. 

But the cyberattack brought with it some questions, as posed by Slate, “Why was the Office of Personnel Management running its own servers in the first place? Why should it be tasked with developing deep in-house expertise on data security? Why was it put in a position where it was too hard to succeed?”

The answer, it turns out, was that this was standard procedure. Even a year later, as Gartner research director Rick Holgate told CSO, federal agencies were spending just 3 percent of their total IT budgets on cloud computing.

In fiscal year 2015, according to a Bloomberg Government report, federal agencies spent a combined $2.4 billion on cloud-based infrastructure, software and other support services. That figure was up to $4.3 billion in 2018 and is projected to top $5 billion in 2019. 

The increased spending, notes Ashley Mahan, acting director of the Federal Risk and Authorization Management Program (FedRAMP), has been driven primarily by governmentwide initiatives such as the Presidential Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure and the 2018 Federal Cloud Computing Strategy. (Cloud Smart, as the latter program is known, promotes adoption of commercial cloud technologies while reducing barriers to implementation.)

Government agencies, Mahan says, are now looking to cloud technologies and services like SaaS “as a means to increase performance and productivity in delivering results across the U.S. government and to citizens.”

Another major draw associated with cloud computing involves its scalability, says Daniel Castro, director of the Center for Data Innovation. “The cloud allows agencies to be more nimble; they can pilot a product off the shelf and then scale it up in a very efficient and cost-effective manner that isn’t possible in traditional software development.”

When it comes to data security, on the other hand, the picture becomes a bit more complicated. “The main benefit with the cloud is you get enterprise-grade security for even the smallest deployment,” Castro says. “But the challenge is that you’re shifting the model, so in many cases, you’re no longer operationally in charge or fully managing the risks yourself.” 

For example, he says, a contractor offering cloud services to an agency almost certainly relies on cloud providers of its own: “It’s this rabbit hole. The concern is not just what they’re doing to manage risk, but what’s everyone below them doing as well?”

In addition, in the cloud environment, the government isn’t the one pushing out the patches or fixing the hardware when something breaks. And a cloud provider may decide to upgrade its systems without consulting its agency customers first. “If they run into trouble and go down at a critical time, you’re kind of at their mercy,” Castro says.


Agencies Have Ways to Manage Risk When They’re Not in Charge

With that in mind, experts say it’s up to agencies to do their due diligence when working with cloud vendors. FedRAMP itself, Mahan notes, was created to provide a systematic approach to security assessment of cloud products and services, and maintains a list of organizations that meet its standards for cybersecurity risk management. 

The program’s assessment process provides transparency around how federal information is actually protected in each provider’s cloud environment, she explains, and that “enables agencies to make informed decisions and apply the appropriate management and technical controls to reduce potential risks.”

Castro, who previously worked as an IT analyst at the Government Accountability Office, agrees that due diligence is imperative to mitigating threats to the cloud supply chain. But he also suggests taking other measures as well, whether it’s considering government-customized “private” cloud deployments that permit more hands-on control, maintaining an onsite data center as an emergency backup or relying on multiple vendors instead of one. “That way, if a provider goes down, at least there’s somewhere else they can go.”

In addition, says Anil Karmel, president of the Washington, D.C., chapter of the Cloud Security Alliance (CSA), government IT teams should keep in mind that because cloud services are so easy to procure, individual employees within any given agency may also be using cloud products on their own.

“So, that’s where a solution like a cloud access security broker would come into play,” he says.

CASBs, Karmel explains, give agencies the means to enforce their enterprise security policies “and to manage how cloud services are used and deployed.” He also suggests working with cloud providers that have adopted “zero-trust” models of cybersecurity that improve compliance and visibility and minimize the potential impact of any security breach.
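The first thing a CASB has to do before it can enforce any policy is discovery: finding the cloud services employees are already using, sanctioned or not, from the web proxy or firewall logs the agency already collects. The script below is an added example written for this article, not code from the article, from CSA or from any CASB product. The log format, the allowlist of sanctioned domains and every log line in it are constructed for illustration; a real deployment would read the agency’s own proxy logs and maintained allowlist.

```python
"""Shadow-SaaS discovery from proxy logs (added example, constructed data).

Reads proxy log lines, drops traffic to sanctioned services, and groups the
rest by destination host so unsanctioned SaaS use stands out. Uploads to
unknown services are ranked first, since that is the exfiltration path.
"""
from urllib.parse import urlsplit

# Hypothetical allowlist of sanctioned SaaS domains (an assumption for the
# example). Subdomains of an entry are also treated as sanctioned.
SANCTIONED = {"mail.agency.test", "drive.agency.test", "fedramp-saas.test"}

# Methods that carry data out of the agency rather than reading it.
UPLOAD_METHODS = {"POST", "PUT", "PATCH"}

# Constructed sample log, one request per line:
#   timestamp user method url bytes status
# The last line is deliberately malformed to show the parser skipping it.
SAMPLE_LOG = """\
2019-06-20T09:14:02Z jdoe GET https://mail.agency.test/inbox 1203 200
2019-06-20T09:15:10Z jdoe POST https://drive.agency.test/api/upload 88211 200
2019-06-20T09:20:44Z asmith POST https://files.quickshare.test/upload 482130 200
2019-06-20T09:21:01Z asmith GET https://files.quickshare.test/ 2210 200
2019-06-20T10:02:37Z bchen GET https://eu.fedramp-saas.test/dash 900 200
2019-06-20T10:05:12Z jdoe PUT https://notes.freesync.test/v1/doc/7 15040 201
2019-06-20T10:06:00Z rlee GET https://files.quickshare.test/login 1800 200
2019-06-20T10:07:30Z garbled line that should be skipped
"""


def is_sanctioned(host, allowlist=SANCTIONED):
    """True if host is an allowlisted domain or a subdomain of one.

    Suffix matching requires the dot, so 'evil-fedramp-saas.test' is NOT
    matched by the entry 'fedramp-saas.test'.
    """
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in allowlist)


def parse_line(line):
    """Parse one log line into a dict, or return None if it is malformed."""
    parts = line.split()
    if len(parts) != 6:
        return None
    ts, user, method, url, size, _status = parts
    host = urlsplit(url).hostname
    if not host or not size.isdigit():
        return None
    return {"ts": ts, "user": user, "method": method.upper(),
            "host": host, "bytes": int(size)}


def discover(log_text, allowlist=SANCTIONED):
    """Aggregate traffic to unsanctioned hosts: who used it, how much went out."""
    findings = {}
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None or is_sanctioned(rec["host"], allowlist):
            continue
        entry = findings.setdefault(
            rec["host"], {"users": set(), "requests": 0, "upload_bytes": 0})
        entry["users"].add(rec["user"])
        entry["requests"] += 1
        if rec["method"] in UPLOAD_METHODS:
            entry["upload_bytes"] += rec["bytes"]
    return findings


def prioritize(findings):
    """Order findings: bytes uploaded first, then how many users touch the host."""
    return sorted(findings.items(),
                  key=lambda kv: (kv[1]["upload_bytes"], len(kv[1]["users"])),
                  reverse=True)


if __name__ == "__main__":
    for host, info in prioritize(discover(SAMPLE_LOG)):
        print(f"{host}: {len(info['users'])} user(s), {info['requests']} request(s), "
              f"{info['upload_bytes']} bytes uploaded")
```

Run against the constructed log, the two sanctioned hosts and the FedRAMP-authorized subdomain drop out, leaving files.quickshare.test (two users, nearly half a megabyte uploaded) ahead of notes.freesync.test. The suffix check is the detail worth copying: matching on a plain substring would let a look-alike domain ride along under a sanctioned entry. Discovery only produces the list; turning it into enforcement (blocking, warning or requiring the service go through FedRAMP authorization) is the policy step Karmel describes a CASB handling.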

Other options for boosting cloud security, Karmel says, include several on the certification front. CSA maintains a “Cloud Controls Matrix” that maps cloud security controls to pertinent regulations and standards, such as HIPAA and National Institute of Standards and Technology publications, so agencies can check whether a provider’s controls cover the requirements that apply to them. It also offers “CSA STAR” (Security, Trust, Assurance and Risk) certification, which indicates that a cloud provider has met the organization’s own requirements around security and privacy.

In 2018, CSA and FedRAMP created a system called FedSTAR that allows cloud providers to apply for certifications from both auditing bodies at once.

Assessments and certifications aside, agencies moving to cloud-based systems should begin by looking closely at the data they have, Karmel says. 

“Before you look at any kind of technology solution, it’s imperative that you understand the value of the information that you want to protect. Then you can devise the appropriate protections and controls, and secure and manage that data over time.”

Jun 20 2019