On June 22, Pillsbury hosted the first annual Federal Cloud Security Summit, organized by the Washington, DC, chapter of the Cloud Security Alliance (CSA-DC). The keynote address was presented by Sonny Bhagowalia, former Deputy Associate Administrator with the GSA’s Office of Citizen Services and Innovative Technologies and current CIO of the State of Hawaii, and covered the GSA’s efforts and outreach to help drive Vivek Kundra’s 25-Point Plan and “Cloud First” initiative.
Among other things, Mr. Bhagowalia spoke extensively about the Federal Risk and Authorization Management Program (FedRAMP), its goals, its accomplishments and where it is headed. FedRAMP was created to support the government’s cloud computing initiative and is intended to provide a standard, cross-agency approach to the security assessment and authorization that agencies must perform under the Federal Information Security Management Act (FISMA) before using a cloud service. The idea is to facilitate the adoption of cloud computing services by federal agencies by evaluating the services offered by vendors once, on behalf of all agencies. The evaluations are based on a unified risk management process that includes security requirements agreed upon by the federal departments and agencies. Because the services are vetted by FedRAMP, in theory each agency does not need to conduct its own risk management program, reducing duplication of effort, the time involved in acquiring services, and costs.
A draft of FedRAMP requirements was released for comment in October 2010, and final release of the first version was expected by December 2010. Initially, the comment period was extended through January 2011 and the release delayed until the end of June, but according to this report, the requirements are now expected to be released sometime between August and October.
Despite the delays in the FedRAMP program, GSA has recently announced that it is offering cloud computing services via its Apps.gov website. Federal agencies now can order from a menu of three Infrastructure as a Service (IaaS) offerings (cloud storage, virtual machines and Web hosting) from service providers who have received GSA authorities to operate (ATOs) to offer them. Under the GSA program:
- Each service provider is offering its own cloud services and bundled pricing;
- Services are billed by the month; and
- The process includes agencies getting quotes for the type of service they are looking for through the GSA eBuy system before making a purchase.
Mr. Bhagowalia’s presentation was followed by two panels. The first was a federal agency panel discussing the challenges and opportunities presented by cloud computing for federal agencies. The second was an industry panel, which I moderated, on cloud computing in general.
The federal agency panel featured:
- Greg Elin, Chief Data Officer, FCC
- Bill Perlowitz, Vice President of Advanced Technology, Apptis
- Katie Lewin, Director of Cloud Computing, U.S. General Services Administration
and was moderated by Bhavesh C. Bhagat, Co-Founder of ConfidentGovernance.com and EnCrisp and one of the co-founders of the CSA-DC chapter.
The main theme of the first panel was that the goal of FedRAMP is not perfect security, which is impossible, but rather “to put the risk back into security management.” The panel noted that organizations that want the benefits of cloud-based services must accept the fact that some risk is inevitable in moving to the cloud and must have a system to manage that risk. According to Greg Elin, Chief Data Officer for the FCC, “This is not about pretending we can stop it from happening.” Katie Lewin, Director of Cloud Computing for GSA, estimated that about a quarter of the government’s $80 billion annual IT budget could be shifted to the cloud, with the least critical and sensitive applications going first. Early candidates would include public-facing websites and internal email services. The panel noted that the shortage of qualified government technical workers with expertise in cloud computing increases the risk associated with moving to the cloud.
The panel’s consistent message was that the perfect may be the enemy of the good, and that if we wait for FedRAMP and the cloud itself to be perfect we will never see their benefits. While attention to vulnerabilities is important, it must be recognized that FedRAMP provides criteria for a common evaluation of the security of cloud services, not a guarantee of security. Several audience members pointed out, however, that many organizations fear that even a minor vulnerability could result in a catastrophic data breach, and given that risk many executives are reluctant to move to cloud-based services despite the significant operational and financial benefits.
The industry panel featured:
- Pam Dingle, Senior Architect in CTO office, Ping Identity
- Eran Feigenbaum, Director of Security for Google Apps
- Suprotik Ghose, Principal Cybersecurity Architect, Microsoft Corporation
- Taso Mangafas, Principal, Cloud Security, Juniper Networks
- Brendan Peter, Director, Government Relations, CA Technologies
The conversation started with an evaluation of a statement by George Tenet, former Director of the CIA, that “[W]e have built our future upon a capability that we have not learned how to protect,” and covered a broad range of topics with lively discussion across the panelists and the audience (including a few pokes at Microsoft’s “to the cloud!” advertising campaign). The industry panel supported the general premise of the agency panel that cloud security (and security as a whole) will never be perfect, and the expectation of perfection will prevent people from reaping the benefits of cloud services. The panel discussed the steps each of their companies is taking to improve security and make it easier (and safer) for organizations to adopt cloud-based services, but were unanimous in their opinion that we need to move back to a more realistic risk- and cost-benefit-based approach to these kinds of decisions.
From a legal perspective, companies contracting to provide or receive cloud-based services need to recognize that security around cloud-based services is not perfect, nor is such perfection achievable within a financially and operationally realistic framework. Given that “Data is going to be spilled,” companies need to draft contracts that appropriately and reasonably allocate the risk associated with such data breaches.
Pillsbury is a founding sponsor of the DC chapter of the Cloud Security Alliance.