Cloud Security

Rules Make Adoption of Cloud Computing Challenge for Agencies

Survey: 64% in Government Rank Security as Top Cloud Concern

Federal agencies want to employ cloud computing technology, but are hesitant because of information security concerns and existing government compliance regulations.

"Cloud computing is of great interest to the U.S. government, and it's seen as a great opportunity to promote efficiencies, but there is not widespread adoption," says Peter Mell, who leads the cloud research team at the National Institute of Standards and Technology, citing information security and compliance concerns.

"At all levels of the government, at least in IT, there is intense scrutiny of the new paradigm and evaluation of its utility," says Mell, whose five-member team is on a nearly year-long quest to develop guidance and standards to help agencies certify and accredit cloud computing providers; the first of their work will appear in a NIST special publication to be released this summer.

Concern over cloud computing security was confirmed by a recent survey by IT integrator Dataline of some 200 government officials involved with the acquisition of information technology wares and services. Sixty-four percent of the government respondents ranked security as their top concern on adopting cloud computing technology. Dataline conducted the survey in February; a similar survey taken in October said 54 percent of the government officials cited security as their primary concern. Knowledge about cloud computing ranked second among top concerns, at 5 percent, down from 12 percent in October.

Besides NIST guidance, forthcoming legislation to reform the Federal Information Security Management Act could help resolve some of the IT security challenges of cloud computing. When President George W. Bush signed FISMA in 2002, cloud computing was just surfacing as a viable technology, but it was widely unknown and not addressed in the legislation. Though FISMA reform will follow the same general framework as the original act, it will contain provisions to address nascent business-technology models such as cloud computing. The measure would require the executive branch to develop specific information security and procurement regulations tailored for cloud computing use.

Yet, even with a new law and regulations, agencies could be challenged to find cloud computing service providers willing to open themselves up to appropriate security compliance vetting. "The biggest issue with using the public cloud is the opaqueness of the infrastructure," says Jackson, the Dataline business development director who conducted the survey. Companies such as Amazon and Google, he says, jealously protect their processes and infrastructure from outside scrutiny. "That's really the core to their competitive advantage," Jackson says.

Such ambiguity doesn't pose a problem to most commercial customers, especially those with service-level agreements, who aren't as concerned as the government about the inner workings of the cloud computing infrastructure and can be financially reimbursed if promised services aren't delivered. But that's not the case for government IT managers, who must certify the security of cloud computing providers' IT systems.

"The government doesn't have the luxury of just saying, 'Oh, give me my money back,'" Jackson says. "They need to follow laws that have been specifically laid out to protect national security, to protect personal liberties; so, it's really not just a commercial transaction. They really need to understand the details within these infrastructures. It's not enough to say, 'Oh, yes, it's secure.' The government has to understand how it is secure, why it is secure, what are the risks. If the government can't see that, then it's very difficult for them to leverage that type of service."

Still, the likelihood exists that once the government spells out how to certify and accredit cloud computing services through NIST guidance, FISMA reform and Office of Management and Budget regulations, some providers will make themselves available for security scrutiny to gain access to federal dollars.

About the Author

Eric Chabrow

Retired Executive Editor, GovInfoSecurity

Chabrow, who retired at the end of 2017, hosted and produced the semi-weekly podcast ISMG Security Report and oversaw ISMG's GovInfoSecurity and InfoRiskToday. He's a veteran multimedia journalist who has covered information technology, government and business.
