This article is an excerpt from GovLoop’s recent guide, “Solving the Cloud Conundrum: Security, Procurement, Workforce.”
Cloud computing can provide significant returns on investment and potential cost savings, but it may also represent a significant risk without proper oversight. Although cloud services are relatively secure, agencies are hesitant to adopt the technology as it can potentially place their critical assets and data in harm’s way. At issue is who owns what in the cloud, how much control agencies have over their critical assets, and what duties cloud providers are responsible for.
The reality is that cloud vendors can’t shield government assets from every risk. Although cloud service providers take on many responsibilities for protecting their customers’ data and assets, the customer remains accountable for its own infrastructure and retains many oversight and operational responsibilities.
Ultimately, public and private sector partners must better prepare for these risks by applying in the cloud the same key controls they use to manage risk in their traditional on-premises infrastructure. Key controls are the methods by which an organization manages vulnerabilities and reduces and mitigates risk.
To understand how agencies and their cloud providers can partner on security, GovLoop spoke with Tim Appleby, Director of Federal Programs at FireEye. FireEye is a cybersecurity solutions provider that helps agencies establish the appropriate key controls and oversight customers need to properly mitigate their risk when migrating to cloud providers.
“Ultimately, FireEye’s approach is to assess a customer’s readiness to move to the cloud, assess their risk in doing so, and determine the best solution for the customer based on the resulting return on their investment,” he said.
Appleby said that agencies must first assess the key controls protecting their infrastructure, develop oversight for maintaining those measures, and understand their responsibilities in the relationship before moving to a cloud provider. Although a cloud option may appear to offer significant cost benefits, the cost of compensating for lost critical controls may offset those savings.
So how should agencies ensure they’re on the same page as their cloud vendors? Appleby recommends service level agreements (SLAs). SLAs are included in contracts between agencies and cloud providers. These agreements ensure that agencies get the level of quality they expect from their cloud providers and can audit their cloud’s performance accordingly. “Many customers feel that because of their service provider’s size, that provider won’t change their terms,” Appleby said. “But that doesn’t always hold true. They’re going to bend over backward to get your business.”
Overall, agencies must recognize the cloud’s shared responsibility paradigm: the division of duties between agencies and their service providers for protecting resources in the cloud. By considering both accountability and responsibility, applying effective and measurable key controls, and ensuring success through periodic oversight, cloud risk can be mitigated to an acceptable level.