Federal government embracing robust cybersecurity as cloud integration accelerates
The federal government, like countless other organizations across the country and globe, has made significant progress in the realm of cloud adoption and integration over the past few years. Cloud technology is an incredibly powerful resource for virtually every agency and department within the U.S. government, and it is all but certain that cloud usage will continue to expand and develop in the coming years.
Yet despite all of this progress, it is also true that there are certain factors in the realm of cloud computing which continue to cause problems for organizations in the public sector. Arguably the most notable of these is the issue of cloud security. When cloud technology first began to gain steam, many decision-makers hesitated to embrace these solutions for fear that doing so would put their firms at risk. That's still an important point for government leaders to take into account. However, it is becoming increasingly clear that the federal government is taking active steps to shore up its cybersecurity as its cloud integration efforts accelerate.
The most obvious example of the federal government's focus on cloud cybersecurity is the creation of FedRAMP. FedRAMP was specifically designed to enable government agencies to adopt cloud services with confidence, as solutions approved by the FedRAMP program must pass substantial cybersecurity qualifications. This has undoubtedly contributed to agencies embracing cloud integration to a greater degree in recent months and years.
At the same time, though, there are limits to FedRAMP's utility. After all, the program is not meant to guarantee that a given cloud service is perfectly safe and applicable to every government agency, as Michaela Iorga, senior security technical lead for cloud computing at the National Institute of Standards and Technology, explained. She told Fed Tech Magazine that FedRAMP only establishes a minimum level of security. For many government agencies, more comprehensive, robust controls are needed. NIST is contributing to this effort by developing precisely such controls for government departments' cloud selection needs.
The source pointed out that FedRAMP itself is also working to improve its base-level security requirements, a process which is largely springboarding off of the progress NIST has already made. Additionally, it's important to note that FedRAMP is limited in terms of how quickly it can approve rapidly emerging cloud services. This can potentially further limit cloud integration efforts for various agencies that are eager to embrace new offerings.
This focus on cybersecurity should not be taken to mean that the cloud poses a security threat or trade-off for federal agencies, however. On the contrary, cloud integration will likely improve the government's ability to keep its data and operations safe. Roger Greenwell, chief of cybersecurity in the Defense Information Systems Agency's Risk Management Office, told Fed Tech Magazine that DISA built an enterprise cloud email system for users throughout the Department of Defense, and this system marks a significant cybersecurity improvement over the legacy solution.
In case of breach
The government's caution and focus on cybersecurity have, in many ways, already paid dividends. Obviously, federal agencies have experienced a number of serious, widespread data breaches in recent months. Notably, the Office of Personnel Management suffered a cyberattack which resulted in nearly 20 million exposed records, while the State Department and White House have both had their computer networks compromised. However, as Nextgov contributor Frank Konkel pointed out, none of these breaches have actually involved cloud environments. This alone is a testament to the inherent security of cloud solutions. After all, federal networks are tempting, high-profile targets for a wide array of hackers, and agencies now store a significant amount of information in these hosted platforms, yet none of these cloud environments have been breached.
Still, the writer noted that it is likely only a matter of time until a government cloud solution experiences a breach of some sort or another. The cloud is simply becoming too popular among federal agencies for this eventuality to never come to pass. Consequently, government leaders are already focusing on how they will respond in such an event.
Speaking at the ATARC Federal Cloud Computing Summit, Patrick Stingley, chief technology officer at the Interior Department's Bureau of Land Management, emphasized the need for government leaders to deflect blame away from the cloud as a concept, and rather attribute any breach to the specific factors that allowed the attack to occur.
"My fear is that we'll have a break-in in the cloud in the next three to five years and blame it on the cloud instead of the lack of effective authentication mechanisms," said Stingley, the writer reported. "I'm afraid when something blows in the cloud, we'll blame cloud and it won't be the cloud."
Instead, Leo Wong, chief information security officer for the Agriculture Department's Food and Nutrition Service, explained that responses should be tailored to the specific cloud services and vendors involved, Konkel wrote.
To reduce the risk of breaches and prepare in advance for their fallout, a carefully considered, knowledgeable cloud cybersecurity strategy is clearly essential.