United States government agencies and cloud technology providers are heading toward a reset in how they cooperate on cybersecurity challenges. The expected growth of cloud use will create a more complex federal security landscape, according to a recent report from Thales Group.
Federal agencies have actually moved ahead of businesses in cloud adoption, with 54 percent of agency data already stored in the cloud, the report notes. Furthermore, cloud technology is central to a broader “digital transformation” goal in the federal government, recently highlighted by the rapid expansion of remote work in response to the COVID-19 virus.
“Data security requirements will only continue to be more stringent as more and more data and services are migrated to the cloud,” said Brent Hansen, federal chief technology officer at Thales.
“This year registers the first year where more federal data is stored in the cloud versus on premises. This is a huge turning point and the trajectory will only continue to favor cloud,” he told the E-Commerce Times.
Even without the impetus of COVID-19, agencies were on a path for expanded cloud utilization. In its most recent assessment, marketing consultant Deltek forecasted that federal demand for vendor-furnished cloud computing goods and services would grow from US$5.3 billion in fiscal 2019 to $9.1 billion in 2024, reflecting a compound annual growth rate of 9.6 percent.
Securing these deployments will become even more demanding as federal cloud deployments increasingly involve multi-layered functionality. Additionally, agencies still have a lot of catching up to do to secure the cloud resources they already use.
Managing security for basic cloud configurations is complicated. Agencies and cloud service providers (CSPs) now split cloud security accountability across a range of eight operating factors — but at differing levels, the Thales report notes.
For example, for Software as a Service, agencies are responsible for securing two operational factors, while vendors cover the remaining six. For Platform as a Service, the “shared responsibility” ratio was three factors for the agency and five for the CSP. For Infrastructure as a Service, security was split evenly with four factors each.
In the future, the engagement of multiple vendors for “as a Service” components, combined with the broader use of cloud, will only increase security complexity.
Agencies Show Concern but Implementation Is Uneven
In general, federal agencies are properly concerned about cloud security. However, attitudes appear contradictory, and some efforts are misdirected regarding the nature of threats, current security confidence levels, and relations with cloud providers.
For example, agencies reported that an estimated 51 percent of the data they store in the cloud is “sensitive.” Only 63 percent of that data is protected by encryption, and just 52 percent is protected by tokenization. These protection levels rank low, according to Thales.
The “2020 Thales Data Threat Report — Federal Government Edition,” released in April, focuses on survey data from more than 100 federal agency respondents. Thales sponsored the report, with survey and related analysis developed by IDC. Among the significant findings:
- Agencies are “seemingly most concerned about issues owned by their cloud providers, like security breaches at the provider and privacy service level agreements. Although valid, the real possibility of these issues happening is quite low.”
- Federal IT managers appear “less worried about issues over which they have direct control, and which represent greater potential vulnerabilities,” such as encryption key management. “This mismatch between threats that respondents perceive, and where they should actually focus their concern, implies that respondents have not fully considered data security in a cloud-first world.”
- Each type of cloud environment requires a “shift in security responsibility,” involving the factors related to as-a-service deployments. As a result, agencies, “should shift their cloud security focus and concern to the portion of the shared responsibility model where the organization can influence the security of its data.”
Cloud Providers and Agencies Must Adapt to Change
This changing landscape will test relations between agencies and providers. As security becomes more challenging, agencies are likely to put tougher protection requirements into their service level agreements with vendors. FedRAMP, the government’s program for setting cloud security standards and compliance, will be upgraded as well.
“Security expectations will only continue to get tighter,” Hansen said. The task of getting FedRAMP certification “is an extensive process and, once certified, opens up your platforms and products with federal security in mind.”
Tension between CSPs and their government and commercial customers is a common occurrence, observed Katie Lewin, federal director of the Cloud Security Alliance (CSA).
Some of that friction “is rooted in an understanding of shared responsibility,” she told the E-Commerce Times. “We have gone from a high degree of caution by federal agencies in using cloud technology to an attitude by some that they are only responsible for the SaaS and can forget about the other layers of the stack that are cloud-based.”
CSA, which represents a broad range of cloud stakeholders, participated in peer review of the report.
Upgrading security standards for vendors doesn’t mean that agencies can — or should — avoid their own role in shared responsibility. The demarcation between vendors and customers for cloud security will remain.
“CSPs need to ensure that their customers are educated on how shared security responsibility works. They cannot assume that many of their federal customers understand how these fluid boundaries work,” Lewin said.
Microsoft last fall restated its position in a white paper, Shared Responsibility for Cloud Computing, by Frank Simorjay and Eric Tierling.
“Many organizations that consider public cloud computing mistakenly assume that after moving to the cloud their role in securing their data shifts most security and compliance responsibilities to the CSP,” the authors noted. Cloud vendors “may provide services to help protect data, but customers must also understand their role in protecting the security and privacy of their data.”
Neither agencies nor CSPs can afford to be rigid in relations with each other. Cloud security will require a more creative and flexible approach in the future.
“As more and more cloud providers are offering their services, there must be a baseline of federal security acceptance and guidelines,” Thales’ Hansen said.
Agencies not only can assess security issues themselves, but also can benefit from utilizing FedRAMP, which “will continue to evolve,” he pointed out. “More and more services and providers will find new, innovative ways to offer cloud services.”
Federal Cloud Growth Will Remain Strong
Agencies have been working to include security service levels in their vendor agreements, CSA’s Lewin noted.
“Since there is a common definition of the controls included in the FedRAMP program, agencies have a better understanding of where they should spell out requirements for CSPs. Some enterprise-level cloud services may have standard SLA clauses for certain levels of security already baked into their contracts,” she said.
Increased security will “not necessarily” inhibit cloud adoption, Lewin suggested. “In general, cloud technology is inherently more secure than on premises — but agencies need to get a handle on how they should address security.”
Federal cloud adoption will remain strong, Hansen said.
“The cloud makes almost everything faster and easier to implement,” he added, including security tools such as encryption.
“I have yet to hear that costs of these native encryption offerings and services are a roadblock,” said Hansen. “I believe that these efficiencies and ease of use will only continue to drive cloud adoption.”
One key for vendors and agencies to consider in the future is that cloud technology is evolving. Data protection “on premises” does not directly equate with protection in the cloud, Hansen noted, and thus security policies “must morph and adapt for cloud offerings to ensure mandates are met and mission-critical data is secured.”