Will feds be ready for cloud security regulations?
U.S. public authorities are taking a page from the thousands of enterprises that have taken a liking to cloud computing, but whether or not they'll be able to meet government security standards has been up for debate. The priorities of a federal agency aren't much different than those of a private multi-billion dollar enterprise. Making sure that all information held within databases remains confidential is essential.
Preparing for reviews
According to InformationWeek, back in 2011, the Office of Management and Budget ordered agencies and cloud service providers to meet a new set of cloud defense requirements by June 5, 2014. The principles, which are defined under the Federal Risk and Authorization Management Program (FedRAMP), were introduced at a time when many public organizations had only just begun implementing plans to migrate to cloud servers. As can be imagined, meeting these standards is easier said than done, primarily for a couple of reasons.
Every CSP offers a different kind of service. While some build private cloud infrastructures, others allow entities to store information on remote databases. These are just two out of several dozen examples of how cloud technology can be leveraged as a business offering. Essentially, it's going to be quite difficult for officials to review each and every CSP doing business with federal organizations.
FedRAMP enforcers will scrutinize how beneficiaries are using the technology, as well as the designs, deployment methods and security management techniques employed by the hosting companies under scrutiny. Federal authorities will review how CSPs patch operating systems, orchestrate firewalls, deploy intrusion protection and surveillance, implement anti-virus and anti-malware solutions and secure connections between separate agency networks. The latter factor is particularly important, as bodies such as the Central Intelligence Agency and Department of Defense typically share information.
What are the available options?
Paul Rubens, a contributor to eSecurity Planet, noted that on one hand, some enterprises have hired managed security services to provide them with 24/7 surveillance over their cloud networks. On the other hand, some professionals have surmised that maintaining all security protocols in house or leaving them to CSPs are the more economical options. Cloud hosting organizations are becoming more cognizant of the concerns expressed by business leaders wary of making the transition from on-premise data centers.
Retirement Clearinghouse, a retirement services company based out of North Carolina, recently decided that outsourcing to a managed security service provider (MSSP) was the best option for them. Mike Goode, the company's CIO, contracted Alert Logic to monitor the company's cloud infrastructure. Previously, the CIO's staff conducted security measures on its own, but wasn't able to dedicate as much time to protecting the network as the MSSP. Recently, Alert Logic warned Goode that the company was being pinged from a server in Florida.
"We were made aware that there was a steady attempt to connect to us going on, so we blocked it at our firewall," said Goode, as quoted by Rubens.
Whether to let a hosting company, an MSSP or an in-house team handle security depends on an organization's business priorities. For public authorities, hiring an MSSP to help them expedite the implementation of protection may be advisable.