Security Blog

Compliance is never easy and cloud computing only adds to the challenge of keeping up with standards and regulations. Until now U.S. government agencies have found it difficult if not impossible to get their sensitive information onto the cloud despite federal programs aimed at doing just that. The issue has always been with compliance and security. The management of sensitive data has strict regulatory requirements that must be followed in order to protect information.

A few of those important regulatory requirements are location and access control. Sensitive data from U.S. agencies is required to be stored within US boundaries and only be accessible by users residing within the U.S. With most cloud services spanning across a few continents the challenge of keeping that data contained is nearly impossible.

Amazon Web Services hopes to defeat this challenge with their newly announced GovCloud offering.

A description from Amazon Web Services about GovCloud:

AWS GovCloud is an AWS Region designed to allow US government agencies and contractors to move more sensitive workloads into the cloud by addressing their specific regulatory and compliance requirements. Previously, government agencies with data subject to compliance regulations such as the International Trade and Arms Regulation (ITAR), which governs how organizations manage and store defense-related data, were unable to process and store data in the cloud that the federal government mandated be accessible only by U.S. persons. Because AWS GovCloud is physically and logically accessible by U.S. persons only, government agencies can now manage more heavily regulated data in AWS while remaining compliant with strict federal requirements.

The new service is also compliant with FISMA, SAS-70, ISO 27001, FIPS 140-2 compliant end points, PCI DSS Level 1, and HIPAA. This will most definitely make compliance auditing far less taunting and increase security of data in the cloud. Hopefully this new service will lead more federal agencies to begin joining in the cloud movement and finally begin to fulfill goals outlined in Vivek Kundr's Federal Cloud Computing Strategy.

It's 2a.m on a Monday, the workweek starts in 6 hours, and your cloud service provider just notified you that their services are down. What do you do?

This is the same question European consumers were asking themselves when Amazon's EC2 cloud services and Microsofts BPOS cloud services were taken out by a lightening strike in Dublin early this week.

Despite a proper disaster recovery and business continuity plan developed by these cloud providers, things do not always go as smoothly as they look on paper. Amazon has backup generators that should have powered up in perfect synchronization to cover the power loss however, the lightening strike was so substantial it knocked out the phase control system which synchronizes the power loads. Thus the backup generators had to be powered up and load managed manually resulting in a noticeable outage for customers.

This is something for cloud services consumers to keep in mind. You have been reminded time and time again during security training that proper cloud integration involves strict audits of your cloud service provider. These audits are sure to include disaster recovery and business continuity planning procedures. Having all this on paper is only one half of the equation for effective system resilience and reliability, the implementation of those procedures under pressure is the true test of recovery performance.

This brings us to what many IT security professionals see as the most important aspect of disaster planning, having a backup. This can include file backups, virtual image backups, and even fully operational system backups (what many of us recognize as "hot sites").  Most cloud service providers will offer you extensive features to include many of these protection services. Although bundling them all into the same provider may be more convenient it can also lead to further disaster in times of peril.

As we have seen by the abundance of cloud outages so far this year, bad things do happen to cloud services. The cloud will go down. This brings an increased importance to third party services to keep you running while your main cloud service provider gets back on their feet again. Just as it isn't smart to "put all of your eggs in one basket," it probably isn't a good idea to place all of your computing power and resources in the hands of one provider.

Although early cloud computing adopters boast of its cost savings, there seems to be a catch that many organizations are not prepared for. The cost savings in IT is no myth, your organization will save on its IT budget however this money saved may not be going directly into your pocket right from the start. This money must be reinvested and distributed among other company resources to ensure a safe transition to the cloud. These other resources include security and auditing. Without receiving corporate permission to increase these budgets and implement a new approach to measure cloud security, the transition can fail and the result will be reports showing a lack of funding and lack of security.

The unexpected “reinvestment clause” regarding a cloud transition has taken many federal organizations by surprise. Since the recent cloud-first mandate by United States Chief Information Officer, Vivek Kundra, federal organizations have been urged to transition three services over to the cloud within the next year. Many have been transitioning their low hanging fruit and resources of minimal importance which has taken some weight off of the organizations but still does not offer the benefits that the mandate aims to succeed. Other organizations that have gone for broke have done exactly that, gone broke. Data has shown that 79% of federal organizations are complaining of a lack of funds. If only these organizations would have planned on reinvesting in auditing and risk management they would have been able to report financial gains instead of money woes.

“The policy and risk assessment work just hasn’t been done.” said Paul Sand, Vice President of IP³ Inc. A transition to the cloud takes planning, auditing, research, and careful budgeting. If you are smart about it, and take note of hidden factors, your organization has the potential to gain great success by joining the cloud movement. This methodology reminds me of an old proverb, “Those who fail to plan should plan to fail.”

While we are on the topic of cloud transition it is also important to note the consequences of a failure to budget properly.  On top of those with funding concerns,  71% of organizations reported having fears regarding cloud security. The mindset that the cloud should just be secure is only a fallacy. A secure cloud takes initiative and constant monitoring and measuring by all responsible parties. This includes doing your homework and researching proper security controls, configuring SLAs to ensure proper controls  are implemented by cloud service providers, and also auditing those controls. But without a budget these tasks may go unmarked on the security checklist.

The lack of funds has also caused some organizations to sacrifice their privacy and security for multi-tenant, shared, private cloud implementations. This leaves these organizations at risk of spillover and cross contamination with neighboring information. Granted the multi-tenant implementation saves money, it still does not change the fact that it sacrifices security. Since the information being stored and used is usually highly classified federal information, the last thing we would want to do is make a choice based on an inadequate budget that scarifies security.

A transition to the cloud is not something that will happen overnight. It will take planning, budgeting, risk assessment and plenty of audits along the way. Be sure you know what your organization is getting into before you decide to take off into the clouds.