Cloud Security – Follow the Feds?


Last week the Feds had a coming out party for FedRAMP (Federal Risk and Authorization Management Program). Originally announced in October, FedRAMP sets standards for privacy and security that cloud providers must meet in order to serve government users. What I find exciting about FedRAMP is that the standards work being done by the National Institute of Standards and Technology (NIST) can be very helpful to anyone planning their move into the cloud.

I don’t know about federal agency adoption, but on the commercial side of things, 17% of companies are already using IaaS, with another 18% planning to use it by the end of 2012. What is holding back further adoption is concern over security and compliance. But we’ve heard this a lot, and what does it really mean? Well, based on the work of the European Network and Information Security Agency (ENISA), the top security concern is lack of governance. And this lack of governance ties directly to a lack of visibility into the controls cloud providers are putting in place to protect the confidentiality, integrity and availability of customer data. The only way to assess the effectiveness of these controls is through routine penetration testing, vulnerability assessments and audits. However, this is a no-win situation: it’s expensive and wasteful for every company to run the same tests, and if every customer wanted to do pen testing and audits it would permanently consume all of the cloud provider’s support resources.

FedRAMP is a better approach, where a “trusted” third party assesses the cloud providers on a regular basis. What we need is a commercial version, and the organization heading in this direction is the Cloud Security Alliance (CSA). But we’re not there yet. In the meantime, NIST is doing excellent work that is helpful to all organizations. For one of the best overviews of cloud security issues, check out NIST draft Special Publication 800-144 (SP 800-144). It’s an easy read and does a nice job laying out the security and privacy concerns of public cloud computing.

Copyright © 2011 IDG Communications, Inc.