Being Intentional About Your Cloud Security
Recently, the Department of Energy’s Inspector General (IG) said in an audit report that it found two locations in the department where cloud-based systems still needed to receive appropriate approvals and three locations where system authorization needed to be completed. Federal agencies are required by law to ensure that cloud computing services comply with the Federal Risk and Authorization Management Program (FedRAMP), which includes obtaining specific deliverables associated with continuous monitoring (of security controls) from service providers.
What is FedRAMP?
The Federal Risk and Authorization Management Program (FedRAMP) was established in 2011 to provide a cost-effective, risk-based approach to adopting and using cloud services by the Federal Government. FedRAMP empowers agencies to use modern cloud technologies, emphasizing the security and protection of federal information.
Using FedRAMP-approved products is beneficial not only to the Government but to commercial and private entities.
- Reduces duplicative efforts, inconsistencies, and cost inefficiencies.
- Establishes a partnership to innovate and advance more secure information technologies.
- Accelerates the adoption of cloud computing by creating transparent standards and processes for security and allowing organizations to leverage that security.
How is this relevant to your business?
The article and audit report are relevant to your business because your business is leveraging cloud solutions for functions such as email, file sharing, and information technology service management. There is a contingent who believes their information is secure because it’s on a cloud. A cloud is nothing more than someone else’s servers. There are a series of questions you may need to consider: Do we have a Service Level Agreement (SLA) with our provider? Are our cloud solutions FedRAMP approved? Are we using the proper version of the cloud offering identified on the FedRAMP list? How is the cloud service provider implementing security if the cloud solution is not FedRAMP-approved? Are we effectively leveraging the security features offered by the Provider? Can we improve how we use our cloud services?
Truly consider the above-listed questions and others because regardless of the cloud service provider, only some of their products or solutions may be FedRAMP-approved. This link will take you to the FedRAMP Marketplace, where you can search for your cloud solutions to determine if they are authorized or in the process of obtaining authorization.
Evaluating Cloud Security Features
Security in the cloud is different from security in the corporate data center. Distinct rules and rational apply when securing an infrastructure without real physical control. Some features for evaluation:
- Data encryption capabilities for both data in transit and data at rest.
- Data security, especially in a multi-tenant cloud environment in which access to your data and how it is isolated from vulnerability from other systems.
- Privacy controls on who can access your data, how long it may be used, stored, etc.
- Maintenance and management controls or other measures the service provider takes to ensure the system is always protected and updated with the latest software, server, and operating system security patches.
We’re not saying organizations (unless required by a local, state, or Federal Government entity or required by other rules, regulations, and guidelines) must use FedRAMP-approved solutions. However, you can rest better at night knowing you’ve transferred the risk to an entity actively monitoring its security controls.
Please contact us if your organization needs support implementing mitigations or other cybersecurity practices. Our team of cyber professionals is prepared to support you.