In the rush to the cloud over the last three years, most agencies have tempered their desires and excitement because of security concerns.
Agency chief information officers have struggled to satisfactorily answer a number of questions regarding data ownership and protection, and how do the existing cross-agency cyber initiatives fit into the cloud structure.
A new white paper by SafeGov, an industry organization promoting safe and secure cloud computing, makes 12 recommendations to help agencies move to an integrated cloud and cyber approach and away from one that is fragmented and ad hoc in many respects.
Karen Evans, a co-author of the report and a former Office of Management and Budget administrator for e-government and IT, said this paper is a deeper dive into addressing the growing challenges of integrating cloud and cybersecurity.
“When you are looking at your cybersecurity posture and then moving out or trying to deploy new services, you want to take into consideration all the initiatives you are responsible for. So, we specifically highlighted the ones that are the cross-agency performance goals dealing with cybersecurity and how that needs to be integrated in when you are thinking about cloud services,” Evans said. “Architecture is at the heart of that issue. The paper even goes a step further and declares that if you are moving forward to cloud services, you are saying that it’s an external connection, unless you’re implementing the cloud internally within your network such as the Defense Information Systems Agency. If it’s an external service and now you are turning around and doing the Trusted Internet Connections, and implementing Microsoft Office 365 or Google services and putting them inside your firewall, it makes it very difficult to realize the proficiencies and performance of cloud technologies if you are then putting this additional layer of top of that. In essence, you are routing all of that traffic through a single point.”
Juggling too many balls
The white paper offers suggestions to the federal CIO Council, OMB and the White House on short- and long-term steps to help agencies with the integration challenges.
OMB and the White House cyber coordinator set cross-agency priority goals in 2012 for agencies to implement continuous monitoring and the Trusted Internet Connections initiative, and to have widespread use of smart identity cards under Homeland Security Presidential Directive-12 (HSPD-12) to log on to their computer network.
“When a CIO shop is trying to meet all of these objectives, you have to do it with the underlying piece of what kinds of business services am I delivering?,” Evans said. “I’m not trying to do open government, providing data out there on Data.gov, and then I got to turnaround and have to implement HSPD-12 and do TIC. We even go a step further and say things such as HSPD-12 have to be revisited. It’s identity management that you want, but that policy was written a while ago and you need to go back and take a look at that, and the way to do that is through the architecture efforts.”
It’s not like agencies have ignored cloud security over the last three years.
There’s the Federal Risk Authorization and Management Program (FedRAMP) that is scheduled to hit full operational capability this summer. So far the Joint Authorization Board (JAB), which is made up of the chief information officers from the departments of Defense and Homeland Security and the General Services Administration, has granted provisional approval to 10 vendors and one agency for their cloud services having met the security requirements for low and moderate systems.
Responsibility extends to the cloud
But FedRAMP is focused on individual cloud service offerings, and DHS and GSA haven’t publicly clarified the requirements for continuous monitoring or TIC when it comes to cloud services.
“If you now put stuff out on an external cloud service, then it should be treated as external, which means you have to get into an joint partnership with the cloud service provider in order for you to meet the requirements of the continuous diagnostics and mitigation program that DHS has, but you still are responsible for what’s happening out there should some type of compromise happen to your services there,” Evans said.
She added the agencies still must use two-factor authentication through HSPD-12, route all traffic through the secure gateway under TIC and know in real-time the health of those networks whether they own them or rent them from a cloud service provider.
“So there are a lot of moving pieces when you are trying to implement something that is a service when some of these programs were initially started knowing that you were either owning that resource or implementing some of those things internally,” Evans said. “Now you have to look at the architecture and integrate that and say, ‘what are you really trying to get to and what is your risk posture for that particular data or service you are offering.'”
In the paper, Evans said two of the most important recommendations focus on the CIO Council developing an integrated architecture and the FedRAMP JAB requiring more complex continuous monitoring of cloud service providers.
The council’s Information Security Identity Management Committee (ISIMC) should issue a national implementation plan for the integrated architecture with milestones to help agencies transition from their “as-is” to the “to-be” state.
Additionally, the ISIMC should coordinate with agency inspectors general to ensure Federal Information Security Management Act (FISMA) evaluations use the recommended architecture, standards and transition plans.
Evans said by issuing the integrated architecture, it would help vendors as well, because they would get a better understanding of where they fit in the architecture and offer services that meet agency needs.
EA needs to be up-to-date
SafeGov recommended the JAB require all cloud service providers to perform penetration testing in their operational environment, so they can find and react to threats or vulnerabilities in real time.
“This process of testing whether computing systems have been penetrated could be similar to the payment card industry’s Data Security Standard (PCI DSS), which is a well-established set of industry benchmarks for online payment services,” the white paper stated.
SafeGov suggested the penetration testing occur at least annually, but it has to happen whenever the cloud service provider updates software, or changes or adds servers too.
“You want that testing to occur, and you want it by an independent third party and not by an agency, because not all of them have these capabilities,” Evans said. “You want that baseline so when you are doing your annual assessments under FISMA, the same data is being looked at and evaluated by the IGs. You can say, ‘Yes this is the risk posture of this agency.’ It’s trying to get it to a standardized approach and agreed upon baseline so even if management changes, the CIO changes or the administration changes, the IGs now have an agreed upon baseline and you can measure the agency’s progress against that baseline versus starting all over every time there is a new IG or a new CIO.”
One of the most important factors in this effort is whether agencies have kept their enterprise architectures up-to-date. Evans said if they have, then it wouldn’t be too difficult to imagine the “to-be” state and develop a transition strategy.
SafeGov shared the draft paper with members of the CIO Council and had informal discussions with OMB, the White House and members of Congress.
“The goal is to help them, not derail any internal operations, policies or activities that are happening. The reaction wasn’t like, ‘Whoa, you’re really crazy.’ They were looking forward to reading the paper,” Evans said. “I’m sure this will be considered as they go forward determining what their work plans will be, just as other think tank papers are looked at and considered. The intent of the paper is to really leverage the existing efforts underway and then they can be more transparent, so industry can respond and be helpful so they can get to those goals.”