Cloud computing comes with tons of potential; however, when you open up your network to the outside, you need to ensure that everything you transmit is done so securely. Peter Mell of NIST, Christofer Hoff of Cisco, and Nick Hoover of InformationWeek all took part in this discussion, which is an extremely important facet of the cloud proposition. As we move more and more necessary applications and services to the cloud, it is paramount that they run safely and securely. Cloud services are not a viable option if they are not secure (or well controlled). This talk was fast paced with a really high data rate, so forgive me for what I missed!
Chris Hoff first brought up the need to identify the difference between security and control. Security is the capability to keep others from your network, while control lets you determine who is allowed to do what. The technology which enables cloud computing is well evolved, but often the operational systems are not. They do not provide the transparency and capabilities back to the owners (or stakeholders).
Peter brought up the point that security in the cloud is usually no different than the pre-cloud posture. Often we choose services that are cost-optimal, which means that they are inexpensive. Security is an expensive option, so it is unlikely that a firm would switch from a high security localized platform to a low security cloud platform. If the vulnerabilities exist in our pre-cloud services, they will most likely persist in a cloud based system.
Cloud computing is fundamentally about giving up control. One gives up control to create advantages (agility, cost, power, etc). Giving up that control requires asking the service provider for complete transparency to ensure that the security posture fits your security needs.
Peter brought up that one of the first questions asked is how to use a cloud solution if others using the cloud are not doing it securely? His answer is that when security assessments and risk measurements are conducted for the cloud, the first assumption is that all fellow cloud customers are hostile. Utilizing this primary assumption, security assurances are created so that cloud access will be secure.
Chris describes the cloud as a very messy process. Google and Amazon, albeit market leaders, are corner cases in terms of deployment models. They own their entire stack. It is built, created, and owned all in house. This enables them to have complete control over their stack. Chris believes that issues of multi-tenancy become fewer because the service providers often offer to carve out space just for government types.
Due to FISMA, government administrators and officers have to have full knowledge of what is in the "black box" so that they can survive an audit. What can be changed to enable CIO/CISO/CTOs to use cloud under FISMA without failing audits? NIST has proposed a process for how the Government could assess and authorize cloud services - performing risk management on a government scale. A proposal for a framework to determine and examine government wide risk management was turned into a program. This program is called FedRAMP, and it is the best hope to speed cloud adoption. They are working on choosing implementation designs, with the hope to have an implementation soon.
The inter-agency body has done a lot of work creating security requirements that can be agreed on. Created a draft set of agreeable requirements which is making its rounds. There is a large amount of agency buy-in. For the implementation, it will either be a massive shared resource for government, or individualized deployments.
As FedRAMP becomes a reality, it is important to keep and eye to see what the government does. Certification and Authorization will be an important part of it, but in the long run, compliance is what will matter most (and what we need to work toward!).