This interview is an excerpt from our recent guide, The Future of Cybersecurity, which examines 15 trends transforming the way government safeguards information and technology.
Four years ago, the White House unveiled the Cloud First policy. The White House mandated that agencies must evaluate safe, secure cloud computing options before making any new investments. It sounds easy enough, but many agencies balked. There was a real fear for many that moving to the cloud would leave agencies vulnerable to increased cyberattacks.
In order to help agencies evaluate the risks associated with moving to the cloud, the Office of Management and Budget crafted and updated two security compliance measures: FISMA and FedRAMP.
While these compliance measures are a good first step, in order for agencies to be fully secure when moving to the cloud, they need to focus on more than just checking the compliance boxes.
GovLoop sat down with John Lind, Vice President of Federal Sales, and Oliver Schmidt, Chief Audit Executive, from QTS, a data center provider, to learn about how compliance does not equal security. “We try to get across to agencies that as the cloud service provider we have gone through all the compliance requirements including FedRAMP, FISMA,” said Lind. “Relying on commercial cloud service providers like us, they’re in better shape and get better services than if they try to do it themselves.”
One of the reasons cloud environments are more secure, said Lind, is because many agencies’ current architectures and systems are outdated. “The reason we’re in business is to provide high-level quality security services so agencies can focus on their mission and not worry about security. Our highly qualified staff utilizes our compliant data centers combined with best of breed hardware and software to create, operate and maintain premium services. That’s our business. That allows Government IT directors to be able to focus on their top priorities – their mission and programs – and let us handle the security requirements.”
However, just because cloud providers can take on the security burden for agencies, it doesn’t mean that agencies lose control over their data. Compliance doesn’t equal security. True security comes from implementing best practices from industry and government. Oliver Schmidt of QTS explained: “I think a lot of fear with moving to the cloud comes from feeling like you have to relinquish control. We’re not looking for agency IT staffs to relinquish control. We want to enter into a partnership.”
The partnership allows agencies to move away from checkbox-style security. “Agencies really need to pick cloud providers that are more than just FedRAMP certified. For example, an agency may need certain managed services. The agency should target a cloud service provider that offers additional managed security services and meets multiple compliance certifications, like ours,” said Lind.
While relying solely on compliance regimes or mandates to remain secure is ill-advised, agencies do need to remain compliant with federal regulations. Those regulations can and should be embedded into the cloud process from the beginning. “Take healthcare for example, a hospital doesn’t just have to think about tech requirements like FISMA, but also compliance standards like HIPAA. We create multiple compliance to assure that there are no gaps,” said Schmidt.
The cost of staying compliant is also a major factor. “By going with a provider that’s doing compliance for multiple agencies and sectors, we can definitely make it more efficient in terms of attaining those compliance banners because we can leverage best practices across fields,” explained Schmidt.
“Every day we are working with differing compliance regulations and control frameworks, from the federal government’s NIST Special Publication 800-53, to the Control Objectives for Information and Related Technology (COBIT) for business, Payment Card Industry Data Security Standards, and the American Institute of Public Accountants Service Organization Control reports. Each of those frameworks and standards focuses on different aspects of security and compliance,” explained Schmidt. “The advantage for any of the federal agencies that are working with us is, they’ll get to hear about some of the things that we’re seeing within the other standards that may be of interest to them beyond their own compliance standard.”
Additionally, each individual program within an agency might have different requirements. Agencies do not want to approach multiple vendors for each system. “They want a provider that can demonstrate capabilities in handling lower-level classified information systems within, for example, a federal community cloud, provide them with hybrid cloud capabilities that can interact with existing systems, and/or for more classified systems with a dedicated private cloud,” said Schmidt. “We are able to demonstrate our capabilities very well in that area.”
In the end, moving to the cloud shouldn’t be frightening for agencies if they create a fully secure IT environment and partner with industry to leverage security expertise and resources.