Thales Blog

Even With FedRAMP, Cloud Security Is Still Hazy

June 4, 2014

Back on January 7, I outlined my predictions for 2014. To recap, prediction #3 stated that enterprises will require encryption and access control for information they store in cloud environments. I said that we could expect to see far greater cloud visibility and continuous monitoring. This month we’re seeing these items addressed with a looming deadline under FedRAMP and an expected update to Federal Agency security control guidelines under NIST.

As part of the federal “Cloud First” policy set by former U.S. CIO Vivek Kundra in 2011, the Federal Risk and Authorization Management Program, or FedRAMP, is a government-wide IT initiative designed to forge a standard approach to the security and monitoring of cloud products and services. On June 5, government agencies not using cloud service providers (CSPs) that are certified by FedRAMP are taking a big risk: they could lose the ability to operate an application in the cloud.

While Oracle just received authorization in late May and the CIA is aggressively moving to cloud services provided by Amazon Web Services, there are only 11 FedRAMP-certified cloud services. More than double that are still waiting for authority to operate and even more waiting for certification.

Yet agencies choosing to go the route of cloud computing must balance the cost savings against the need to protect sensitive data stored in U.S. government networks. Currently the rigorous controls of FedRAMP address the CSP’s infrastructure, from the physical data center to the hypervisor, and focus on security via a specific set of standards. Those standards are still evolving. On June 6, FedRAMP will publish an updated security control baseline to reflect changes in revision 4 of the NIST SP 800-53 security control baseline.

While the majority of the FedRAMP standards focus on securing the cloud itself, there are some mentions of data security within the current documents. Specifically, FedRAMP authorization requires that CSPs support the capability to encrypt data-at-rest, and then advises that the government agency should include specific requirements for data encryption within the contract.

Add to that a recent Ponemon study which found that among SaaS users, encryption adoption jumped from 32 to 39 percent in 2013, and among IaaS/PaaS users, it increased from 17 to 26 percent. Yet the real “a-ha” from this study is that more than half of respondents have sensitive data in the clear when stored in the cloud. That’s a scary number!

Whether you’re a government agency or a private company, the issue of data security in the cloud is the same: whose job is it – the service provider or the user? What responsibility does the user have in protecting data in cloud environments?

The frank answer is that it’s a joint responsibility. You can’t abdicate accountability for your sensitive data to a third party. At the end of the day, it’s the company’s job to make sure that sensitive data is secure. Outsourcing the infrastructure and applications is a great way to cut costs and redeploy resources on more strategic activities, but you can’t outsource responsibility. Due diligence with all cloud service providers is key. Ask the right questions upfront, especially about encryption policies and technologies, as well as key management. And don’t rely solely on your service provider for answers and promises; it’s up to you to defend your data.