A newly released government report shows a lack of basic security controls in many departments and agencies, highlighting the precarious state of federal cloud security.
The 2014 Federal Information Security Management Act (FISMA) report, conducted by the Office of Management and Budget (OMB), examined 11 "cybersecurity areas" within federal agencies, such as risk management, incident response and reporting, and identity and access management. According to OMB, which surveyed 24 federal agencies via each agency's inspector general, there were significant deficiencies around cybersecurity and in particular cloud security.
The FISMA report stated that "incident response and reporting programs were largely compliant" with federal guidelines, but 14 out of the 24 agencies lacked at least one critical component of those programs. The report found at least three departments were "not capable of tracking and managing risks in a virtual/cloud environment."
In addition, OMB found a lack of programs for managing contractor systems, with at least three departments lacking a complete inventory of contractor systems and services residing in the cloud. The report also stated that six departments had cloud-based systems -- some of which resided in the public cloud -- that "were not compliant with FISMA requirements, OMB policy and applicable NIST guidelines."
The FISMA report also identified issues in other cybersecurity areas that could potentially jeopardize cloud security within federal agencies. For example, in the area of identity and access management, the report found that seven departments had no processes in place to "ensure that accounts were terminated or deactivated once access was no longer required." And in the area of remote access management, three departments lacked any program or policy "to detect and remove unauthorized (rogue) connections."
The FISMA report wasn't all bad news for federal cloud security. The OMB outlined improvements around FedRAMP, the federal government's risk management program for cloud services. Specifically, six cloud service providers achieved Agency Authorizations under FedRAMP, while another four earned Provisional Authorizations. In addition, agencies reported a total of 81 cloud systems as being FedRAMP-compliant.
Still, the OMB stated that significant improvements need to be made in federal government cybersecurity to keep up with an increase in "sophisticated threat activity and vulnerabilities," as well as the changing technology landscape. "We have seen notable progress by federal agencies, but there is work to be done," the report stated. "Federal agencies reported nearly 70,000 information security incidents in FY 2014, up 15% from FY 2013."
Some of the FISMA report findings echo results of other recent government-focused studies on cloud security. Skyhigh Networks Inc., a cloud security vendor based in Campbell, Calif., earlier this year released its first quarterly study devoted to government cloud adoption, titled Cloud Adoption & Risk In Government Report Q4 2014. The vendor surveyed 200,000 users in government agencies in the U.S. and Canada, and found that the average government organization used 721 cloud services in the fourth quarter; of those, only an average of 61 services were officially approved by the organizations.
"You would expect the government to be more locked down because of the kind of data they have, but they're not," said Kamal Shah, vice president of products and marketing at Skyhigh Networks. "They're 'cloud unaware.' They don't know what's being used by their employees, and they think they are blocking more cloud services than they really are."
For example, Skyhigh's report showed that 80% of agencies intended to block access to Dropbox, but only 16% were actually restricting network access to the cloud service.
Shah said government agencies are subjected to shadow cloud usage by employees just like enterprises are, although the numbers tend to be higher in the private sector. But, he added, government agencies need to do a better job identifying what cloud services they are actually using, governing access to cloud accounts, and monitoring usage of cloud services to detect potential threats.
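One concrete way to surface the gap the Skyhigh figures describe (a service the agency intends to block that is still being reached, and services in use that were never approved) is to reconcile web-proxy logs against the approved-service list and the intended-block list. The following is an added example, not code from the OMB report or from Skyhigh; the log format, host names and policy sets are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample proxy log lines (hypothetical format: timestamp user host action).
SAMPLE_LOG = """\
2015-02-10T09:01:12 alice dropbox.com ALLOW
2015-02-10T09:02:44 bob dropbox.com ALLOW
2015-02-10T09:03:01 carol box.com ALLOW
2015-02-10T09:04:19 dave evernote.com ALLOW
2015-02-10T09:05:55 erin dropbox.com BLOCK
2015-02-10T09:06:30 frank intranet.agency.example ALLOW
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (ALLOW|BLOCK)$")


def parse_log(text):
    """Yield (user, host, action) tuples from the constructed log format; skip malformed lines."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group(2), m.group(3), m.group(4)


def audit_cloud_usage(log_text, approved, intended_block):
    """Compare observed cloud usage against policy.

    approved: hosts the organization has officially sanctioned.
    intended_block: hosts that policy says should be blocked at the network edge.
    Returns (observed, unapproved, block_gaps):
      observed    - request count per host, allowed or not (the "what is actually used" inventory)
      unapproved  - hosts that were reached (ALLOW) but are not on the approved list
      block_gaps  - intended-blocked hosts that still saw ALLOW, with the number of such requests
    """
    observed = Counter()
    allowed_hits = Counter()
    for _user, host, action in parse_log(log_text):
        observed[host] += 1
        if action == "ALLOW":
            allowed_hits[host] += 1
    unapproved = {h for h in allowed_hits if h not in approved}
    block_gaps = {h: n for h, n in allowed_hits.items() if h in intended_block}
    return observed, unapproved, block_gaps


if __name__ == "__main__":
    obs, unapp, gaps = audit_cloud_usage(SAMPLE_LOG, {"intranet.agency.example"}, {"dropbox.com"})
    print("observed:", dict(obs))
    print("unapproved:", sorted(unapp))
    print("block policy not enforced:", gaps)
```

A non-empty `block_gaps` is the signal that the block intent has not been turned into an enforced control, which is the discrepancy between the 80% intending to block Dropbox and the 16% actually restricting it.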
"The Obama Administration has a 'cloud-first' policy, and they have embraced the cloud," Shah said. "It feels like knowledge and understanding of cloud security is growing rapidly in the government, which is good, but there's still more work to be done."