
FedRAMP and Security Compliance: Clarifying a Cloudy Issue

04/29/2015  |  By: Thomas Lewis, CISSP, CISA, QSA, Chief Executive Officer, Information Security


Cloud computing offers significant economies of scale, and as a result, recent Administrations have been strong proponents of migrating federal agencies to the cloud. To put muscle behind this directive, the Federal Risk and Authorization Management Program (FedRAMP) was established to assess and oversee the security of cloud-based product and service offerings, and more specifically, to standardize FISMA compliance as it applies to cloud-based computing services.

From a security perspective, the cloud is uncharted territory, oftentimes referred to as the ‘digital wild west.’ An increasing number of commercial enterprises are moving data to the cloud, and it follows that data ‘bandits’ are attracted to these well-stocked storehouses of information. For some agencies and contractors, relinquishing ownership of platforms, storage, applications, and connectivity to the cloud puts them in a quandary. Nervous about surrendering jurisdiction over compliance and security controls, these entities are struggling with the complexities of moving to the cloud and trusting that their regulated data will be safe. But holding on to control does not necessarily equate with improved security. After all, most threat vectors that apply to on-premise data apply to the cloud as well, including mobile device monitoring, social engineering, and access control—to name a few.

The recent flood of data breaches has not escaped the attention of the federal government, which is one reason FedRAMP was enacted in the first place. FedRAMP is a concerted effort by the government to adopt a ‘do once, use many’ approach to better secure all regulated data, and cloud computing might ultimately be the opportunity to make that happen.

Moving to the Cloud: Key Considerations

For starters, you’ll need to partner with a Cloud Service Provider (CSP) that is FedRAMP certified. But just because a provider is certified doesn’t mean you can stop thinking about FISMA compliance. Ultimately, your data’s security rests on your shoulders, so specific details about security controls—and who is responsible for them—should be hashed out up front. How does your CSP perform audits? How do they monitor their data? How well do they segregate their FedRAMP-certified resources? What metrics are expected as part of your agreement with them? Make sure your contract spells everything out clearly, so you are not blindsided after you’ve signed up. Once on board, it can be extremely difficult to switch providers.

Separation from your data is another factor to consider. Controls will most likely be virtual rather than physical, and you may have no idea where your data resides. In fact, unless otherwise specified, some of your data could be ‘living’ in other countries. Cloud companies also share resources and services with each other, so it may not always be clear who is managing your data at any given time. All of these factors need to be considered up front.

Migrating to the cloud has its own challenges. It’s important to ensure that your migration strategy is well thought out and reflects the needs of your business. Not every system, application, or service is a good fit for the cloud, so be sure to standardize (and document) your process for selecting the right candidates to migrate. If you are currently operating a legacy system, the transition is an opportunity to upgrade. But the effort of planning such a large-scale project—and its associated security risks—must be weighed when making this decision. Some entities opt to start small—moving email to the cloud, for example—and wait until the concept is proven out before migrating more sensitive information such as personally identifiable information (PII) or electronic protected health information (ePHI).

Some of the key security issues to consider when working with a CSP are:

  • Data encryption strategy (usually an add-on service offered by the CSP)
  • Access controls (both physical and logical)
  • Data backup, recovery, and destruction (exit strategy)
  • System integration issues (on-premise vs. cloud)
  • Intrusion detection/prevention, SIEM, and how the CSP implements and manages these technologies
  • Shared environment/platform issues
  • Ensuring high-risk data is saved in managed locations
  • How systems and data centers are monitored
  • Right to audit or assurance that controls are tested and validated

Again, these are issues you face whether you are using cloud or premise-based computing. Be aware that moving to the cloud does not allow you to abdicate these responsibilities.

Third Party Assessment Organizations (3PAOs)

To help manage the complexities of moving to the cloud, many agencies, contractors, and CSPs engage a 3PAO. A 3PAO is an accredited independent assessor who can consult with you on the security implications of moving to the cloud. 3PAOs are the ones who verify that CSPs meet FedRAMP requirements when providers initially request certification, so 3PAOs have first-hand knowledge of how to assess a CSP’s qualifications for you.

An overview of what you can expect a 3PAO to do for you includes:

  • Evaluate potential CSP for compliance with FISMA/FedRAMP
  • Support contract negotiations to clearly delineate responsibilities and expectations
  • Help classify the risk level of data
  • Structure a migration plan with regards to data security
  • Test and validate CSP security controls on an ongoing basis
  • Provide overall guidance, education, and support on adhering to cloud security best practices

If you are thinking of moving your data to the cloud, be assured that CSPs are constantly improving, as it’s in their best interest to do so. Typically, providers invest in a physical and digital security infrastructure that most in-house IT departments can only dream of. They are subject to certifications and audits on an ongoing basis, and they often deploy advanced surveillance systems, data encryption, and regular testing against attacks. In other words, despite the fears associated with moving to the cloud, CSPs may eventually become the safest place for your data to reside.

Find out more about FISMA by downloading a free copy of our guide, FISMA Compliance: Practical Strategies. On LinkedIn or Twitter? Follow us on LinkedIn and on Twitter at @lbmcsecurity.

Posted in: FISMA, FedRAMP