Cloud security has evolved significantly. Five years ago, the government introduced the Federal Risk and Authorization Management Program (FedRAMP). Now, a half decade later, agencies and contractors are working together to protect government agency data and networks in the cloud.
However, despite the progress, questions still remain about who owns data security operations, cloud contract vehicles, how agencies like yours should manage risk and oversight and future security evolutions.
In GovLoop’s recent Tech Trends Virtual Summit, we learned ways agencies can successfully manage cloud security.
Cloud Security Challenges and NIST Guidance that Can Help
Dr. Michaela Iorga, Senior Security Technical Lead of the Cloud Security Division at the National Institute of Standards and Technology (NIST) spoke on building a secure cloud solution that supports continuous monitoring and assessment.
“Cloud is now about transforming business, interacting with customers in real-time and ever-changing possibilities,” Iorga said. “But for many experts, architecting secure cloud solutions is very challenging.”
The main challenge agencies encounter is choosing the right cloud platform for their mission needs. Should they choose Infrastructure-as-a-Service? Platform-as-a-Service? Or Software-as-a-Service? Then there’s the added complexity of securing information in cloud-based systems.
To address these challenges, NIST offers a number of tools and frameworks to help agencies align their cloud solutions to capabilities while ensuring risk management and compliance.
NIST’s Cloud Security Reference Architecture, for example, uses data and methodology to build a formal model on top of the cloud reference architecture. “This ensures cloud security aligns with cloud infrastructure with comprehensibility used to identify necessary components for any cloud system,” Iorga said.
NIST is currently working on Special Publication (SP) 800-174, which builds on NIST SP 800-53 and provides recommendations on additional security controls agencies may want to implement beyond FedRAMP requirements.
Agencies can make the most of these frameworks and methodologies by using NIST’s Cloud Computing Rubik’s Cube (CCSRC), which leverages NIST’s Cybersecurity Framework to identify the NIST SP 800-53 security and privacy controls for cloud-based information systems.
The tool does this by suggesting functional capabilities and security controls based on consumer answers to a questionnaire. “When you answer questions here, the tool maps them to capabilities you might need for your system,” Iorga said.
To standardize how system security controls and their corresponding assessment information are represented, NIST also offers the Open Security Controls Assessment Language (OSCAL). “You can then ensure your cloud solution is standardized with provided security control and assessment information in an open, standardized way that can be used by both humans and machines,” Iorga said.
Cloud Trends and Frameworks in Government
Federal, state and local as well as public and private sector entities alike have been using platforms like Amazon Web Services (AWS) for their cloud security needs. Patrick Hannah, Vice President of Engineering at CloudHesive (a partner of AWS), shared how agencies can get started using AWS for enhanced security in the cloud.
Often, the problem is knowing which parts of the cloud solution the agency, or the consumer, will be managing and which parts the vendor will be managing. AWS is an IaaS platform, which means the consumer controls fewer of the physical aspects of the cloud solution. “Anything dealing with the physical layer is under the responsibility of AWS, like physical connectivity through data centers,” Hannah said. “AWS will also manage above and beyond that for security, such as the actual security servers.”
For those using the platform, the consumer is responsible for the application layer and what sits on it: customer data, operating systems, and network and firewall management.
To adopt a more secure cloud platform, Hannah advised focusing on perspectives, people, governance, platform, security and operations.
“Perspectives help you look at value realization while people need to have their separation of duties and roles,” Hannah said. “There are places where you could leverage automation instead to help manage security concerns as well. With governance, you have prioritization and control. Then, you want to make sure you’re managing risk and compliance around the adoption of cloud. As for operations, it has another huge role in the support of security and adoption of cloud in managing and scaling.”
As agencies decide on the right cloud platform, they’ll need a framework that helps ensure they’re meeting all of the design elements. According to Hannah, a well-architected cloud framework rests on these design principles:
- Operational excellence: Perform operations as code and annotate documentation. Make frequent, small reversible changes. Refine operations procedures frequently. Anticipate failure and learn from all operational failures.
- Security: Implement a strong identity foundation. Apply security at all layers. Automate security best practices and protect data in transit and at rest. Prepare for security events. Use identity and access management as a best practice to get started.
- Reliability: Test recovery procedures and design systems to recover from failure automatically. Scale horizontally to increase aggregate system availability. Stop guessing capacity and manage change through automation.
- Performance efficiency: Don’t over-provision your agency’s resources. Use serverless architectures and experiment more often.
- Cost optimization: Adopt a consumption model. Measure overall efficiency. Stop spending money on data center operations. Analyze and attribute expenditure. Use managed services to reduce the cost of ownership.
When deploying any new cloud platform or solution, Hannah emphasized the importance of incorporating testing and automation. “Don’t just trust it’s going to work,” Hannah said. “Test it and automate it. And continually look at how you can improve through the data you’re collecting.”
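The OSCAL point above (controls and assessment results in a form both humans and machines can use) and the "automate security best practices, test it and automate it" advice come together in a control check that runs as code. The following is an added example written for this page, not code from NIST, AWS or CloudHesive: it evaluates a constructed resource inventory (a hypothetical snapshot; in practice it would be pulled from the cloud provider's API or from an infrastructure-as-code plan) against a few NIST SP 800-53 controls the page's design principles map to: SC-28 (protection at rest), SC-8 (transmission confidentiality), AC-3 (access enforcement), IA-2 (identification and authentication) and AC-6 (least privilege). The inventory field names and resource names are assumptions made for the example.

```python
"""Operations-as-code control check over a constructed cloud inventory.

Assumed inventory shape (hypothetical, not an AWS API format):
  buckets:  name, encryption_at_rest, enforce_tls, public_access
  users:    name, mfa_enabled
  policies: name, statements (IAM-style Effect/Action/Resource dicts)
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    control: str   # NIST SP 800-53 control identifier, e.g. "SC-28"
    resource: str  # name of the resource the finding applies to
    detail: str    # human-readable reason


def is_wildcard_admin(statement: dict) -> bool:
    """True if an IAM-style Allow statement grants every action on every resource."""
    if statement.get("Effect") != "Allow":
        return False
    actions = statement.get("Action", [])
    resources = statement.get("Resource", [])
    # Policies may write a single value as a string or a list; normalise both.
    actions = [actions] if isinstance(actions, str) else actions
    resources = [resources] if isinstance(resources, str) else resources
    return "*" in actions and "*" in resources


def evaluate(inventory: dict) -> list[Finding]:
    """Return one Finding per control violation found in the inventory."""
    findings: list[Finding] = []
    for bucket in inventory.get("buckets", []):
        if not bucket.get("encryption_at_rest"):
            findings.append(Finding("SC-28", bucket["name"], "no encryption at rest"))
        if not bucket.get("enforce_tls"):
            findings.append(Finding("SC-8", bucket["name"], "plaintext transport allowed"))
        if bucket.get("public_access"):
            findings.append(Finding("AC-3", bucket["name"], "public access enabled"))
    for user in inventory.get("users", []):
        if not user.get("mfa_enabled"):
            findings.append(Finding("IA-2", user["name"], "MFA not enabled"))
    for policy in inventory.get("policies", []):
        for statement in policy.get("statements", []):
            if is_wildcard_admin(statement):
                findings.append(Finding("AC-6", policy["name"], "allows * on *"))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per control, the shape an assessment report would carry."""
    counts: dict[str, int] = {}
    for finding in findings:
        counts[finding.control] = counts.get(finding.control, 0) + 1
    return counts


# Constructed sample inventory: one compliant bucket, one misconfigured one,
# one user without MFA and one over-broad policy.
SAMPLE_INVENTORY = {
    "buckets": [
        {"name": "case-files", "encryption_at_rest": True, "enforce_tls": True,
         "public_access": False},
        {"name": "public-forms", "encryption_at_rest": False, "enforce_tls": False,
         "public_access": True},
    ],
    "users": [
        {"name": "alice", "mfa_enabled": True},
        {"name": "bob", "mfa_enabled": False},
    ],
    "policies": [
        {"name": "ops-admin",
         "statements": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]},
        {"name": "read-logs",
         "statements": [{"Effect": "Allow", "Action": ["logs:GetLogEvents"],
                         "Resource": ["arn:aws:logs:*:*:log-group:app/*"]}]},
    ],
}


if __name__ == "__main__":
    results = evaluate(SAMPLE_INVENTORY)
    for finding in results:
        print(f"{finding.control:6} {finding.resource:14} {finding.detail}")
    print("per-control counts:", summarize(results))
```

Running the check on the sample inventory reports five findings, one per control listed in the lead-in. The value of keeping the output keyed by control identifier is that the same findings can be fed into a machine-readable assessment record instead of a hand-maintained spreadsheet, which is the standardization OSCAL is meant to enable; the check itself is the kind of thing the page means by testing and automating rather than trusting that a deployment is secure.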
To tie it all together, Hannah referred to AWS’s Quick Start, which has NIST compliance built into the solution. Agencies can use Quick Start to build a cloud architecture on AWS that supports NIST-based assurance frameworks.
While the future of cloud is certain in government, agencies may be less certain about how to navigate cloud security. But by having the right guidance, frameworks and platforms in place, government agencies can double down on cloud security with confidence.