I recently visited my eye doctor. When he first saw me he said, “Welcome to the new us. We are in the cloud now.” I asked him what he meant and he replied, “Well I was told to tell our customers and ask our patients if they can see us better here in the cloud. I don’t know exactly what it means.” That started concerning me a lot…That’s my personal data out there!
A lot of us can relate to the above anecdote shared by Dr. Michaela Iorga, Senior Security Technical Lead for Cloud Computing, Chair, Cloud Security Working Group, National Institute of Standards & Technology (NIST) at GovLoop’s “Innovations that Matter: What Are You Talking About? Cloud Edition” event on Wednesday, July 16th.
While many of us are familiar with the term “cloud,” some of us are also probably unsure what the cloud really is, how to implement it safely and what it can do for our government agencies.
The potentials of cloud computing are limitless, Iorga noted. She shared a quotation from cloud pioneer and author of “Cloud First,” Vivek Kundra, that captures the indeterminable future of cloud: “Cloud computing will not just be more innovative than we imagine, it will be more innovative than we can imagine.”
Clearly, it is important to understand cloud as it exists in our world today. The current “shades” of cloud can be viewed from three perspectives, Iorga explained:
- The Business View: Technology companies and marketing firms see cloud as a commercial opportunity to rake in money.
- The Cloud Vendor View: The breakthrough of cloud technologies is like finding a pot of gold at the end of a rainbow for these providers.
- The Security View: From a security standpoint, the cloud looks like a dark and ominous thunderstorm – a visible yet unavoidable threat.
Moving to the cloud is a balancing act of all three perspectives. Iorga explained that we need the business side to drive down costs and cloud vendors to maximize resources and technology. “But that is not enough,” Iorga urged. Security must be incorporated as a vital part of your agency’s cloud plan of action.
There are two primary aspects to developing a strong security protocol for your agency’s transition to the cloud. The first is to make sure everyone is speaking the same language. “Security means different things to different people,” Iorga said.
She used a metaphoric example of the armed forces: Imagine if you asked the Navy, the Army, the Marines and the Air Force to secure a building. Each division has its own ideas and distinctive security methods, which may contradict each other if not communicated properly.
The second aspect involves looking at the big picture. It is important to view the entire cloud service and your agency’s entire data infrastructure, platform and services in order to instill an effective security system. As Iorga rhetorically inquired, “If you only look at the pieces of a puzzle, do you know what the puzzle image looks like?”
Iorga suggested following a Risk Management Framework (RMF) to secure your agency’s cloud service and deployment models. She began by laying out the traditional RMF method an organization would typically use when implementing an on-site technology service:
- Categorize information system (data)
- Select security controls
- Implement security controls
- Assess security controls
- Authorize information system
- Monitor security controls, repeat
This framework is valuable, but it is designed for on-site technologies and program implementation. Since both your agency and an off-site cloud service provider manage the cloud, the RMF model must be modified. Many of the security controls are out of your hands.
The level of security required also depends on which cloud service model your agency decides to acquire. Iorga explained that infrastructure-as-a-service (IaaS) gives the agency the most customization and control, while software-as-a-service (SaaS) leaves most of the security controls and access with the cloud provider. Platform-as-a-service (PaaS) falls somewhere between these two extremes.
Given the diversity of service options, it is important to understand your data, how your data moves and how your customers use your data before determining your security needs and choosing an appropriate cloud provider.
Iorga ultimately recommended following the Cloud-Adapted Risk Management Framework. Many of its steps are the same as in the traditional RMF, but the adapted version accounts more appropriately for the cloud’s unique security challenges:
- Categorize information system (data)
- Identify security requirements, perform risk assessment and select security controls
- Select best-fitting cloud architecture
- Assess service providers and their controls
- Authorize use of service
- Monitor security controls (ongoing, near real-time; monitor own controls and negotiate with provider)
Think of this model as a six-step plan to safe and sound cloud implementation. Your agency can ensure a smooth transition by understanding both your agency’s data needs and the various cloud services offerings. Iorga also recommended consulting FedRAMP documentation to determine if a particular cloud service provider meets federal security standards.
Looking for more best practices on how to implement cloud smoothly and securely at your agency? Check out GovLoop’s recent guide, “Innovations that Matter: How Cloud is Reinventing Government.”