CHICAGO -- All cloud service providers working with the U.S. federal government must comply with FedRAMP by June 2014, but according to the CEO of a FedRAMP-certified third-party assessment organization,
The U.S. government-backed Federal Risk and Authorization Management Program (FedRAMP) aims to provide a standard approach to cloud security assessments across federal agencies, with the ultimate goal being the reduction of duplicate efforts. Many organizations considering purchasing cloud services have also looked to the FedRAMP initiative as a possible benchmark for their own cloud security assessments.
Still, there are several unanswered, and some as yet unforeseen, questions related to cloud security that FedRAMP has yet to address adequately, according to Maria Horton, CEO of Reston, Va.-based security consulting firm EmeSec Inc., who presented on the topic Wednesday at the 2013 (ISC)2 Security Congress.
"What we are seeing is that there aren't any FedRAMP lessons learned yet," Horton cautioned. "Even as a FedRAMP 3PAO [third-party assessment organization], our lessons are very anecdotal evidence."
As an example of a FedRAMP compliance pain point, Horton pointed to cloud service-level agreements (SLAs). When simply purchasing cloud services from a single provider, organizations can insert uptime requirements with little issue. As "cloud-in-a-cloud" arrangements and compounded SLAs emerge, a simple uptime requirement won't be sufficient when downtime occurs and two contracted cloud providers point fingers at each other over which is responsible. Horton compared the situation to the transition from legacy to open source systems, when there were many "awkward handoffs."
"We're going to need a whole new set of metrics," she noted.
Even if a cloud service provider is FedRAMP-certified, some customization is usually required to fit the needs of any particular customer organization. Horton pointed to enterprises that have run into trouble buying services from FedRAMP-certified providers, but the specific services purchased "may be different from what was 'FedRAMPed.'"
Because of the ongoing need for a customization process, Horton said organizations can't rely on a single standard when assessing cloud service security.
"There are no clear security standards today with cloud providers," she added. "You have to make your own. How are you addressing the security controls and carving out what is unique about your managed service?"
Russell Jones, an (ISC)2 Security Congress attendee who works in a compliance-based role with U.S. Bank, said he attended the session to see if federal agencies had "anything new to share" in terms of compliance strategies. He said he came away with a better idea of how to work with cloud service providers and manage the outsourcing process.
Regardless of whether FedRAMP is used to guide cloud assessments, Horton reminded information security professionals in attendance that they also need to decide where cloud (and mobility) will fall within their own internal security frameworks. Horton said organizations could either work up a separate cloud security policy, which would hold the advantage of being able to address specific cloud controls and business practices, or cloud security could be folded into a single organizational security policy, which would provide a greater level of consistency in terms of security program governance. Over the long term, Horton foresees so many traditional IT processes being offloaded to the cloud that enterprises will eventually revert to one unified policy anyway.
Even after highlighting some potential pitfalls with FedRAMP, Horton praised the FedRAMP guidelines as being an "innovative" approach to cloud security and anticipates seeing how the "last mile" unfolds over the next year or two.
"I'm looking forward to [seeing] how these documents are all going to come together to create a true risk management framework," Horton said. "I think for security professionals, there will need to be some vision and thought … to make sure your risk management framework is appropriate."