Enterprise Security Management in the Cloud
When Amazon Web Services was proposed in 2003 by Benjamin Black, it had already been a year since the U.S. Government completed its effort to create and finalize the Federal Information Security Management Act (FISMA) – which defined IT security across public agencies and partners. This update to U.S. law had taken fifteen years to supplant the aging Computer Security Act of 1987 and did not include the developing technology of cloud services. So when AWS finally did launch in 2006, leading to the cloud services revolution, the FedRAMP program was introduced to clarify how FISMA applies to cloud services.
The major benefits of cloud solutions became immediately apparent, and individuals adopted them quickly, making the cloud increasingly difficult for businesses and corporations to ignore. Once employees began to use cloud services on their own devices in major organizations, the problem could no longer be overlooked, and in 2011, the Office of Management and Budget (OMB) declared a Cloud First policy seeking to organize and integrate a fragmented IT infrastructure with the aid of cloud services.
Benefits to Cloud Adoption
As with all innovations, the cloud has positive and negative aspects. The Department of Defense (DoD) led the way in Federal cloud adoption; it also published guidelines for other agencies seeking to harness the new technology.
Commonly cited benefits from the DoD’s cloud adoption include:
- Consolidation of DoD’s infrastructure, especially of data centers
- Protection of sensitive data
- Reduction of redundant processes
- Decrease in overall IT spend
But while the DoD has largely achieved the OMB’s goals, looking at its success is misleading without examining the huge amount of effort expended to make its infrastructure secure and to fix potential vulnerabilities. The security of cloud platforms may be a bigger matter of concern today than it was seven years ago.
Risks to Cloud Adoption
In 2013, the International Journal of Computer Science & Information Technology (IJCSIT) published a study suggesting the following areas of special concern:
- Distributed Denial of Service (DDoS) attacks
  - Moving to the cloud from locally-contained networks can make an organization’s assets vulnerable to attack, leading to downtime
- Data loss
  - Not only can attacks compromise sensitive data, but as the AWS crash of 2011 showed us, failure of systems can do likewise
- Malware injection
  - New methods to compromise cloud systems are being developed all the time
- Susceptibility to malicious insiders
  - Unlike systems strictly isolated to administrators, the cloud is usually enterprise wide, leaving it accessible to any personnel
For this reason, it’s not surprising that the Defense Security Service (DSS)’s latest Voice of Industry survey indicated that FSOs are emphasizing cloud concerns now more than ever:
“[FSOs] would prefer that more attention is placed on cloud and mobile computing as it is a major source of concern for the protection of sensitive information. And this threat is expanding on a daily basis.”
IT modernization always brings a new set of challenges and potential dangers. But if cloud security concerns were insurmountable, it’s probably fair to say the DoD wouldn’t have adopted it. And, in fact, the set of federal guidelines that DoD used to develop its security strategy is available to all agencies and agency partners.
When the Cloud First initiative was launched, the OMB issued the Federal Risk and Authorization Management Program (FedRAMP) to ensure high standards of security compliance among both Cloud Service Providers (CSPs) and their customers.
Getting approved is a difficult task on both sides of the equation, but here we focus on clients. To participate in FedRAMP, an organization or agency must meet a list of criteria laid out in the General Services Administration (GSA)’s Guide to Understanding FedRAMP. A non-comprehensive list includes:
- The ability to process electronic discovery and litigation holds
- The ability to clearly define and describe system boundaries
- System provides identification & 2-factor authentication for network access to privileged accounts and non-privileged accounts
- System provides identification & 2-factor authentication for local access to privileged accounts
- Boundary protection with logical and physical isolation of assets
- Cryptographic safeguards preserve confidentiality and integrity of data during transmission
Although the rigorous guidelines require scrupulous review of assets, protocols, systems, and physical environments, the benefit of compliance is much-reduced security concerns and end-to-end protection of confidential information.
Why FSOs Should Care
While the data shows that some FSOs are broadly hesitant about integrating cloud-based solutions into their facilities, the practical advantages are significant. In fact, when security regulations are followed carefully, the cloud can even offer superior security options such as the following:
- Better threat insights: When working alongside a FedRAMP certified CSP, FSOs can benefit from service-side monitoring, making threats within or outside the cloud easier to identify.
- Shared knowledge: Certified CSPs may serve multiple agencies at a time, giving them a scope of experience which can surpass what any single client has ever encountered.
- Scalability: As one of the most significant factors that drove cloud adoption in the first place, the easy scalability of cloud systems prevents breaches that stem from expanding operations.
MathCraft leads the way in promoting digital transformation throughout the country by delivering custom, FedRAMP-compliant cloud-based tools to FSOs across the federal government. The Access, ViSi, and Portal Commander platforms protect some of the nation’s most sensitive infrastructure, demonstrating MathCraft’s commitment to the highest standards of security and trust.
MathCraft Security Technologies offers a robust product line of NISPOM-compliant security applications for cleared contracts and enterprises. Our solutions are carefully engineered to improve security processes, giving Facility Security Officers (FSOs) and employees the comprehensive tools that they need to manage data, monitor visitors, and automate workflows. For ultimate convenience, they are also available on-premises or via the cloud.