Cloud computing offers the most security for government data, argued Mark Schwartz, CIO of the Department of Homeland Security's U.S. Citizenship and Immigration Services, at the Akamai Government Forum on Thursday.
“I think I often hear the argument that cloud is OK for data we’re not too worried about, but for the stuff that’s really important to us, we’d better keep it in-house,” Schwartz said. “The argument often can be made that the cloud environment is much more secure and that we should put our more critical and more important data there.”
Schwartz argued that cloud providers often have access to more advanced technologies and security systems, whereas the people who manage Federal data centers are often contractors anyway. The rest of the panel was more cautious about the concept, but agreed that moving to the cloud was the way forward.
“There has to be a culture change,” said Capt. Arlene Gray, deputy director for the Department of the Navy and the Navy’s CIO. “We have to trust that industry is able to take care of that for us.”
“You need to have standards that can be applied consistently so that you can feel comfortable with the cloud provider,” cautioned Col. John Rozsnyai, chief enterprise architect and cloud transition trail boss at the Department of the Army.
The specifics of those controls are the sticking point in moving to the cloud. Panelists addressed whether it was smarter to keep encryption keys within the department to increase security or allow the provider to keep the keys to increase operability.
Despite processes like FedRAMP and FISMA that attempt to regulate and streamline the standards requirements for cloud providers, there has been some trouble getting those providers approved across agencies.
“We need to figure out and come together on a common standard,” Rozsnyai said.
Part of the struggle in quickly approving providers is a reluctance to trust that they will have all the correct controls and monitoring in place at all times.
“I cannot trust anything without verifying,” said Michaela Iorga, senior security technical lead for cloud computing at the National Institute of Standards and Technology (NIST). Her department is beginning work on an Open Security Controls Assessment Language (OSCAL), which would standardize the language around controls and enable agencies to process and verify providers faster.
Some agencies are embracing cloud as the future of security, notably the Department of Defense, whose CIO, Terry Halvorsen, has been strongly pushing toward faster cloud adoption.
“I am just going to say that the Navy was there first,” Gray said.
The Army is adapting baselines that would encourage providers to comply with information impact levels 4, 5, and 6.
“We might even be pushing classified, secret high-level information off the premises,” Rozsnyai said.
“The users demand it; the leaders demand it,” Gray said. “We can do it together.”