Skip Links

OUTLOOK 2013 - ILLUSTRATION: Skip Sterling

Growing confidence in cloud security

Companies, schools, government chart course into cloud security

By , Network World
January 02, 2013 06:03 AM ET

Page 3 of 3

The goal of FedRAMP is to get cloud-service providers that serve government agencies accredited for specific security practices over the next two years. These practices would include incident response in the cloud, forensics in a highly dynamic environment, threat detection and analysis in a multi-tenant environment and continuous monitoring for remediation, among other things. The idea is that service providers must be prepared to report security incidents of many types to the U.S. Computer Emergency Readiness Team (U.S-CERT) and the government agency that might be impacted. Cloud service providers that can't meet these requirements in theory won't be allowed to provide services to government agencies.

John Streufert, director of the National Cybersecurity Division of the Department of Homeland Security, recently spoke at the Cloud Security Alliance meeting in Orlando on how the government plans to deploy a so-called "Continuous Monitoring" capability that would include "Continuous Diagnostics and Mitigation" to protect civilian federal agencies' data from stealthy attacks. The contract solicitation, which is expected to be put out for bid soon, could extend to an estimated 25 million seats and will include cloud-based services as well as on-premises tools. Streufert says it will likely take a few years to complete.

The federal government's initiatives are drawing interest from organizations such as PricewaterhouseCoopers (PwC) that harbor aspirations of becoming a government-certified cloud-services security assessor in the future.

Cara Beston, cloud-assurance partner with the PwC risk-assurance practice, says enterprise customers still have reservations about putting sensitive data in the cloud, but the conversation has clearly changed. For example, CIOs that adopted cloud-based services for what were considered less-sensitive data are now weighing how they might use cloud-services to manage data regulated under the PCI payment card rules or Health Insurance Portability and Accountability Act healthcare regulation. However, sensitive information concerning things like source code and engineering designs are still generally considered off limits to the cloud today, she notes.

She points out that the cloud has sometimes put internal IT, security and compliance managers on the defensive because line of business managers may have gone around them entirely to select cloud services without asking their advice. This can be tough to fight, but Beston says one way IT can nip it in the bud is to make the IT service acquisition process more collaborative.

Ellen Messmer is senior editor at Network World, an IDG publication and website, where she covers news and technology trends related to information security. Twitter: MessmerE. E-mail:

Read more about security in Network World's Security section.

Our Commenting Policies
Latest News
rssRss Feed
View more Latest News