The U.S. General Services Administration has set guidelines for providers that want to set up a storefront to sell cloud services to government entities.
Provider security is a significant part of the request for quotation (RFQ) document issued by the GSA to establish a pool of providers who can supply the government with cloud services such as storage and infrastructure as a service.
The document sets down an impressive list of criteria that must be met, but the bottom line is that the providers are forbidden from disclosing any safeguards they develop specifically for the government, which will limit the ability of private-sector businesses to glean security tips from the government suppliers.
Among the things the RFQ requires are provisioning and administrative interfaces that are protected by SSL/TLS or SSH along with dual-factor authentication for a remote access scheme that enables government workers to perform duties in the hosted infrastructure. The providers will also create VPN connections between their facilities and the government agencies that hire them.
The providers have to show that they isolate individual agencies’ data in a multi-tenant environment and that data at rest and in transit will be treated securely.
Those businesses authorized to provide cloud services will have to either enforce government firewall policies or provide a way for the government to administer the firewall remotely.
At least two separate physical data centers must be provided, and they must be within the continental U.S.
The guidelines set down by the GSA are an attempt to create a cloud environment that follows National Institute of Standards and Technology (NIST) security standards, the same standards government agencies must comply with when they build their own infrastructure.