Federal agencies should take steps to make certain that service level agreements (SLAs) meet their security requirements. Cloud SLAs that build management and operational security controls into cloud contracts can give federal IT managers the oversight they need. That's what senior IT managers in the Federal government are advising.
"A large area of conversation among federal agencies is assuring that we have the proper SLAs between the federal government and vendors because right now the SLAs we're operating off of would be insufficient in a number of cases for us to be able to [ensure security]," said Emery Csulak, director of information security compliance at the Homeland Security Department.
"We think it's going to be really important to understand that contractual arrangement with the vendors going into the [cloud] process," he said at a recent National Institute of Standards and Technology panel on cloud computing security. "The vendors have to acknowledge that business as usual may not be good enough now that we're talking about highly complex [government information] systems."
K.S. Shankar, distinguished engineer at IBM Corp. and security and cloud computing specialist for the company's cloud computing team, said that building airtight and thorough requirements into cloud SLAs can bring some peace of mind.
"When you don't have control and the data is stored somewhere and somebody else is taking care of it, it's going to be more difficult to demonstrate [that data is secure]," he said. "It's a matter of some trust, some transparency and putting some rigorous procedures from your cloud provider in the SLA."
For instance, it's crucial to get cloud vendors to state in a contract how they would handle a security breach, he said. "When there is a serious leak of your data, what happens? That's very important," he said. In SLAs vendors also should answer questions about data backup procedures, infrastructure protection and physical security. "You have to worry about those things," Shankar said.
It's also critical for providers to guarantee the segregation of data in multi-tenant cloud environments, he said. "If you have a situation where you have virtual machines serving different users, your partition may be next to somebody who is going to commit a crime," he said. "So it's very important that we keep these things highly segregated."
The new Federal Risk and Authorization Management Program (FedRAMP), a nascent framework for governmentwide cloud computing security standards, outlines requirements for service providers in areas such as continuous monitoring.
For example, service providers "must demonstrate their ability to perform routine tasks on a specifically defined scheduled basis to monitor the cybersecurity posture of the defined IT security boundary," according to FedRAMP.
Csulak, who helped develop FedRAMP, described the framework as "not perfect by any means but it's definitely a stepping stone." But the first step in reducing security risk is to weigh the sensitivity of the data that you're putting in the cloud, U.S. chief information officer Vivek Kundra told TechTarget.
"From my perspective, you've got to take a risk-based approach," he said. "For example, if you have data that's sensitive or that's vital to national security, you're going to require a very different framework than if you have information that is [less sensitive] in nature."
"If it's national-security sensitive data, you would not want it in a consumer cloud," he said. "You would want to make sure that the government owns and operates the cloud."
About the author:
Richard W. Walker is a freelance writer based in the Washington, D.C., area who has been covering issues and trends in government technology for more than 10 years.
This was first published in December 2010