Government cloud ambitions have grown by leaps and bounds under the Obama administration, but it is no secret that data security fears have inhibited the pace of progress within a number of agencies. A certain standard of due diligence is, no doubt, in order prior to migrating sensitive workloads, but preparations can be made much faster if all stakeholders are on the same page. As a result, it may be best for offices to focus on social and cultural issues first as they await the development of additional technical innovations.
Cloud security can mean any number of things to a government organization depending on who you ask. But the most important variation that must be addressed relates to the complex relationship between information security and compliance management teams. While each side has a key part to play in the agency's overall risk management strategy, their unique worldviews and priorities must be acknowledged and aligned.
As TechTarget contributor Ed Moyle explained in his latest post, there will always be a certain level of friction between the two sides. Oftentimes, technical teams will insist that a certain security control mandated by regulation is of limited utility for reducing practical risk. Alternatively, application of strictly pragmatic tools worries compliance officers as the use of unapproved utilities could warrant fines and sanctions.
While this push and pull brings healthy and necessary discussions, administrators must see beyond disagreement and realize what each side has to offer.
"The use of cloud – especially multitenant, provider-supplied technology services – requires high-level coordination between compliance and technical security teams. Why? A significant percentage of cloud security controls in this context are provider-supplied resources," Moyle wrote. "As a result, these controls require input from both disciplines to be managed effectively."
So before government agencies set foot in the cloud marketplace, technical and compliance risk management arms must collaborate to identify the protective capabilities they are seeking and how they will validate a vendor's offerings to ensure operations hold up to regulatory expectation.
Internal agreement helps put procurement teams in a considerably stronger position to safely realize their cloud computing goals. But as with any IT outsourcing strategy, relationship building must extend outside of the organization as well.
As it stands, the regulation of government cloud services is still very much a work in progress as officials continue to analyze the risk of a rapidly evolving technology. As Government Technology writer Julie Anderson suggested, standardized approaches to threat reduction have been hard to come by. As a result, agencies must understand that they may have to take on a more proactive role in identifying and limiting risks.
"Specifically, current U.S. policy and legislation lack the full complement of tools necessary to minimize or prevent vendor data collection for commercial purposes," Anderson noted. "As more government agencies expand the use of cloud-based and mobile IT platforms, this problematic dynamic could threaten the protection of government information."
Existing laws do categorize certain information assets – such as Social Security numbers, financial records and biometric data – that cannot be disclosed under any circumstances. And agencies certainly have their own say in keeping classified documents within sight. But according to Anderson, even seemingly mundane information could be harvested for insights on strategic directions and policy priorities.
As a result, cloud customers will have to initiate the conversation as to how and why vendors will be processing hosted information. Additionally, agencies must comprehensively outline risk management mechanisms – from supported encryption standards to disaster recovery capabilities.
But in Anderson's view, this activism will ultimately have to be focused internally on the nation's capital. While static regulation may always be a step behind cutting-edge innovations, eventually legislators must codify data protection expectations and responsibilities for each side of the cloud partnership.
Cloud Security News from SimplySecurity.com by Trend Micro