In fact, a growing number say cloud security is weaker than on-premises
Despite advances in cloud security and the efforts of the federal government to address the issue through the Federal Risk and Authorization Management Program guidelines, security remains a stumbling block for many agencies when it comes to the cloud.
According to a January 2012 survey by the 1105 Government Information Group, more than half of the respondents indicated that cloud solutions simply aren’t secure enough. The majority of respondents mentioned potential data loss or leakage, lack of robust identity authentication and credential management, the inability to clarify ownership of records and data in a cloud environment, lack of secure and timely identity provisioning, and concern that cloud data won’t remain within U.S. borders.
Although security is a concern for federal agencies with every type of cloud implementation, the biggest area of government concern by far is security in the public cloud. Survey respondents rated private clouds a 69 on a scale of 1 to 100 for being strongly associated with security and data protection, while they rated the public cloud only a 39.
The survey also found that, despite evidence to the contrary, a growing majority — 60 percent, versus 54 percent last year — believe cloud computing security risks are greater than on-premises security risks.
“That’s a misconception to some point, but it’s understandable because of some well-publicized security breaches,” said Deniece Peterson, senior manager of federal industry analysis at Herndon, Va.-based Deltek, a software and services provider. “An argument can also be made that public clouds are more secure because it’s the provider’s bread and butter and because their business is running a multi-tenant environment.”
Security concerns should slowly decrease over time, mainly due to the ratification of FedRAMP last December and its operational rollout in the third quarter of this year, said Renell Dixon, managing director at PricewaterhouseCoopers' public sector practice.
“For a long time, government agencies and cloud providers have been waiting for a framework that could help them understand what they could do to address some of the security concerns around this new environment,” Dixon said. “Now that FedRAMP is a reality, I’ve seen the pace of cloud adoption pick up as well as early adoption of new FedRAMP controls by federal cloud providers. Agencies that were just considering it are now starting to fast-track those decisions because cloud providers are anticipating the need and focusing more on security.”
But agencies shouldn't rely solely on FedRAMP for security assurance in the cloud. They should also ask a lot of questions of cloud providers on their own, such as how the providers have incorporated audit and assessment tools, as well as continuous monitoring tools and techniques, into their cloud service.
Dixon says federal government decision-makers are leaving nothing to chance when it comes to security.
“What the federal government wants to do is pull continuous monitoring data together and look for trends and attackers and organized threats that they can then protect our infrastructure against,” she explained. “It will take a while for them to get there, but imagine a repository that will maintain the threats and vulnerabilities that come from potential attackers — one that contains information for law enforcement to be able to do something about it.”