12 ways to better merge cloud services with ongoing cyber initiatives

Thursday - 1/23/2014, 4:09am EST

Listen to Jason Miller's full interview with Karen Evans, a former Office of Management and Budget administrator for e-government and IT.


In the rush to the cloud over the last three years, most agencies have tempered their desires and excitement because of security concerns.

Agency chief information officers have struggled to satisfactorily answer a number of questions about data ownership and protection, and about how the existing cross-agency cyber initiatives fit into the cloud structure.

A new white paper by SafeGov, an industry organization promoting safe and secure cloud computing, makes 12 recommendations to help agencies move to an integrated cloud and cyber approach and away from one that is fragmented and ad hoc in many respects.

Karen Evans, a co-author of the report and a former Office of Management and Budget administrator for e-government and IT, said this paper is a deeper dive into addressing the growing challenges of integrating cloud and cybersecurity.

"When you are looking at your cybersecurity posture and then moving out or trying to deploy new services, you want to take into consideration all the initiatives you are responsible for. So, we specifically highlighted the ones that are the cross-agency performance goals dealing with cybersecurity and how that needs to be integrated in when you are thinking about cloud services," Evans said. "Architecture is at the heart of that issue. The paper even goes a step further and declares that if you are moving forward to cloud services, you are saying that it's an external connection, unless you're implementing the cloud internally within your network such as the Defense Information Systems Agency. If it's an external service and now you are turning around and doing the Trusted Internet Connections, and implementing Microsoft Office 365 or Google services and putting them inside your firewall, it makes it very difficult to realize the proficiencies and performance of cloud technologies if you are then putting this additional layer on top of that. In essence, you are routing all of that traffic through a single point."

Juggling too many balls

The white paper offers suggestions to the federal CIO Council, OMB and the White House on short- and long-term steps to help agencies with the integration challenges.

OMB and the White House cyber coordinator set cross-agency priority goals in 2012 for agencies to implement continuous monitoring and the Trusted Internet Connections initiative, and to have widespread use of smart identity cards under Homeland Security Presidential Directive-12 (HSPD-12) to log on to their computer network.

"When a CIO shop is trying to meet all of these objectives, you have to do it with the underlying piece of what kinds of business services am I delivering?" Evans said. "I'm not trying to do open government, providing data out there on Data.gov, and then I got to turn around and have to implement HSPD-12 and do TIC. We even go a step further and say things such as HSPD-12 have to be revisited. It's identity management that you want, but that policy was written a while ago and you need to go back and take a look at that, and the way to do that is through the architecture efforts."

It's not like agencies have ignored cloud security over the last three years.

There's the Federal Risk and Authorization Management Program (FedRAMP), which is scheduled to reach full operational capability this summer. So far the Joint Authorization Board (JAB), made up of the chief information officers of the departments of Defense and Homeland Security and the General Services Administration, has granted provisional approval to 10 vendors and one agency whose cloud services met the security requirements for low- and moderate-impact systems.

Responsibility extends to the cloud

But FedRAMP is focused on individual cloud service offerings, and DHS and GSA haven't publicly clarified the requirements for continuous monitoring or TIC when it comes to cloud services.

"If you now put stuff out on an external cloud service, then it should be treated as external, which means you have to get into a joint partnership with the cloud service provider in order for you to meet the requirements of the continuous diagnostics and mitigation program that DHS has, but you still are responsible for what's happening out there should some type of compromise happen to your services there," Evans said.

She added that agencies still must use two-factor authentication through HSPD-12, route all traffic through the secure gateway under TIC, and know in real time the health of those networks, whether they own them or rent them from a cloud service provider.

"So there are a lot of moving pieces when you are trying to implement something that is a service when some of these programs were initially started knowing that you were either owning that resource or implementing some of those things internally," Evans said. "Now you have to look at the architecture and integrate that and say, 'what are you really trying to get to and what is your risk posture for that particular data or service you are offering.'"