Live from the Gov 2.0 Expo – Security in the Cloud

NIST is leading the way in government cloud thought

Cloud computing comes with tons of potential; however, when you open up your network to the outside, you need to ensure that everything you transmit is transmitted securely. Peter Mell of NIST, Christofer Hoff of Cisco, and Nick Hoover of InformationWeek all took part in this discussion, which covers an extremely important facet of the cloud proposition. As we move more and more necessary applications and services to the cloud, it is paramount that they run safely and securely. Cloud services are not a viable option if they are not secure (or well controlled). This talk was fast paced with a really high data rate, so forgive me for what I missed!

Chris Hoff first brought up the need to identify the difference between security and control. Security is the capability to keep others out of your network, while control lets you determine who is allowed to do what. The technology that enables cloud computing is well evolved, but often the operational systems around it are not: they do not provide transparency and capabilities back to the owners (or stakeholders).

Peter brought up the point that security in the cloud is usually no different from the pre-cloud posture. Often we choose services that are cost-optimal, which means that they are inexpensive. Security is an expensive option, so it is unlikely that a firm would switch from a high-security localized platform to a low-security cloud platform. If vulnerabilities exist in our pre-cloud services, they will most likely persist in a cloud-based system.

Cloud computing is fundamentally about giving up control. One gives up control to create advantages (agility, cost, power, etc.). Giving up that control requires asking the service provider for complete transparency to ensure that its security posture fits your security needs.

Peter brought up that one of the first questions asked is how to use a cloud solution if other tenants of the cloud are not using it securely. His answer is that when security assessments and risk measurements are conducted for the cloud, the first assumption is that all fellow cloud customers are hostile. Building on that primary assumption, security assurances are created so that cloud access will be secure.

Chris describes the cloud as a very messy process. Google and Amazon, albeit market leaders, are corner cases in terms of deployment models: they own their entire stack, which is built, created, and owned all in house, and this gives them complete control over it. Chris believes that multi-tenancy issues become fewer because service providers often offer to carve out dedicated space just for government customers.

Due to FISMA, government administrators and officers must have full knowledge of what is in the “black box” so that they can survive an audit. What can be changed to enable CIO/CISO/CTOs to use cloud under FISMA without failing audits? NIST has proposed a process for how the Government could assess and authorize cloud services – performing risk management on a government scale. A proposal for a framework to determine and examine government-wide risk management was turned into a program. This program is called FedRAMP, and it is the best hope to speed cloud adoption. They are working on choosing implementation designs, with the hope of having an implementation soon.

The inter-agency body has done a lot of work creating security requirements that can be agreed on. It has created a draft set of agreeable requirements, which is making the rounds, and there is a large amount of agency buy-in. For the implementation, it will be either a massive shared resource for government or individualized deployments.

As FedRAMP becomes a reality, it is important to keep an eye on what the government does. Certification and Authorization will be an important part of it, but in the long run, compliance is what will matter most (and what we need to work toward!).


About Ryan Kamauff

Ryan Kamauff is a senior analyst with Crucial Point LLC. He produces technology focused content for and reports on analytical megatrends at the new analysis focused Analyst One.
