There is no doubt in my mind that federal agencies will continue to embrace the cloud and, in the process, develop strong processes for ensuring data security. When Steve VanRoekel came on board as federal CIO, he continued on the path that Vivek Kundra envisioned, with a few extra tweaks, making “Cloud First” a priority.
And late last year, VanRoekel was behind the FedRAMP guidance to help agencies determine the appropriate outsourced service providers and government contractors to help them navigate the cloud.
The National Institute of Standards and Technology has also jumped into the clouds and is providing agencies with comprehensive guidelines to protect data and privacy in the cloud. In particular, the guidance highlights specific considerations for federal agencies, including:
Understanding the IT environment: Each agency environment is different, so there is not going to be a one-size-fits-all approach to cloud. Large and complex cloud environments equate to numerous points of failure. By simply opening the door to services over the Internet, the risk of new threats from outside the network increases.
Establish Security Contract Obligations: NIST recommends that agencies work with outsourced vendors to delineate roles and responsibilities around security and then continue to monitor progress and performance.
Monitor, Monitor, Monitor: It is not just a checkmark in the box for compliance. Ongoing vulnerability monitoring and management is a must.
Enforce: While security policies and monitoring are critical to the success of cloud security, enforcement has to be a part of the process. Blue Coat’s offering filters traffic in the cloud and enforces web policy for increased protection.
What best practices has your agency put in place for adopting cloud services? Share your thoughts with our readers by posting a comment below.