While the federal government sees the cloud as a way to cut costs and increase flexibility, there is concern, particularly among information security officials, about the security of the cloud. McChesney told Infosecurity that government security personnel have a number of questions about the cloud.
"If I go into the cloud, is my information going to be mixed up with 500 online businesses? Who gets to look at, touch, and feel my data when something goes wrong? Is there some kind of background check of cloud providers? Where is my data?"
At this point, the federal government is looking mostly at using private clouds because of the need to meet minimum federal information security requirements. According to a Vangent white paper on private cloud security:
"It is imperative that a provider or agency builds security into the private cloud suite of offerings. Strict compliance with federal and state mandates for security (physical, logical, and human) and privacy must be inherent in private cloud solutions. Provisions of independent audit verification should exist, and the environment should be ready for application deployment very quickly....A private cloud provider must proactively monitor all infrastructure, network, and security components for the purpose of preventing incidents before they occur."
John George, Vangent's chief information officer, told Infosecurity that the primary risk of using the cloud is the loss of data. He said his company has a product that provides an "envelope" around the cloud that addresses the data loss risk. "From a private cloud user perspective, while the FISMA [Federal Information Security Management Act] and NIST [National Institute of Standards and Technology] controls are necessary, they are not sufficient to insure the security and integrity of the data that we host for our government customers. We add data loss prevention to our cloud so our customers can feel more secure."
George explained that the government has two types of information: sensitive and publicly available. There is a lot of publicly available government information that is just "waiting for apps" to provide it to users in innovative ways. "That is a perfect candidate for public clouds," he said. But the sensitive information needs to be handled within a private cloud. "There is room for both types of clouds" in the government information systems, he added.
Vangent also published a white paper on cloud information security measures. Commenting on this white paper, McChesney said: "If 85% of your losses are due to people...how can we handle that through information security training and policies....Another problem is structured process. One of the examples I gave in the white paper was a data loss of almost half of the population of the United Kingdom. This data was compromised, it was misplaced....So the key is to envelope data in a proactive manner. The next thing is to monitor VMs [virtual machines]. If there is an incident involving a VM and you need to transfer the information to another place, how do you track it? That's important."
John Lamboy, Vangent chief information security officer, said a cornerstone of cloud information security is data loss prevention. "It is a set of security tools that you add on to your network platform so we can track all sensitive data. It's not only that. We can track data in motion, data in use, and data at rest." By tracking the sensitive data, the Vangent system can prevent data from being compromised, he explained.
McChesney added: "Think about some of the high-profile data breaches that have happened; folks either accidentally or on purpose copy lots of sensitive information to a hard drive or thumb drive....The system we have in place can detect and stop that before it happens."
Lamboy said that the government is moving away from relying on passive certification and accreditation processes and more toward proactive continuous monitoring.
According to the white paper, "by integrating security with change management (or release management) and constant review of applications and infrastructure, the information assurance [IA] discipline moves to the proactive stage. When armed with trained practitioners, adequate tools, and professional management, the organization may then be on the offensive with respect to IA. Cloud security becomes a matter 'of course.'"