Even beyond its uses in federal agencies, the General Services Administration’s Federal Risk and Authorization Management Program (FedRAMP) has made an impression on private sector cloud computing.
“Actually you see that it’s more efficient for those cloud providers to provide that level of compliance for all their customers, whether they are a federal government customer or not,” said Jim Reavis, CEO and co-founder of the Cloud Security Alliance. “It’s easier to create one high baseline of security.”
His industry group works to raise awareness of cloud computing best practices. As the standard for security certification for federal cloud use, FedRAMP is widely — though not universally — compatible. It enjoys a high level of collaboration from federal agencies adding their own requirements to the program, and Reavis called it “fairly rigorous” compared to other cloud certification standards. But more compatibility is desired by cloud providers.
So now, the Cloud Security Alliance is teaming with FedRAMP to create a combined security certification known as FedSTAR, which married FedRAMP with the alliance’s own STAR cloud certification. The group said it expects FedSTAR to improve effectiveness and efficiency for private-sector companies by cutting down on duplicate requirements.
“The idea is actually to create some synergy here,” Reavis said. “To create compatibility between the auditor network and to create compatibility so we can get to a level of mutual recognition so that you are compliant with one, you are complaint with the other.”
Reavis said the indirect benefit to the federal government is that FedSTAR can create a greater market for security solutions providers.
So far, no true standard exists for creating security control standards in government. The controls which the alliance did study were primarily based on the National Institute of Standards and Technology’s 800-53 database. Reavis said the commercial sector also makes frequent reference to NIST 800-53 to have some alignment with cloud computing.
“What you’ll find is that some are very specific on the control implementations,” among which he included FedRAMP. By contrast, Reavis said STAR is a more abstract certification standard. Nevertheless, most security standards for cloud providers worldwide are about 80- to 90-percent compatible.
“So that’s the economy of scale we’re hoping users, we’re hoping cloud providers are able to see,” Reavis said. “Hey, we do the work once and maybe that’s useful in a lot of other places, but if not then the additional work should only be that 10 to 20 percent.”
According to Reavis, the GSA will take the lead on project and program management for FedSTAR. The alliance has a group called the Open Certification Framework Working Group which uses a transparent, “sunshine” approach to harmonizing standards. The working group is open to the public and holds several conference calls during the month.
Vendor checks more frequent, but gaps remain
Over the years, cloud technology has evolved significantly from a way to procure IT services to functions such as microtechnology and container services. While only a handful of large infrastructure providers exist, millions of applications and software reside in those clouds, much like an inverted pyramid, Reavis said.
“That’s where you have this very dynamic nature,” he said. “You used to think of technology and software being updated a few times a year and now it’s actually many times a day.”
The upside to this change is that security improvements can be made rapidly. However, much more vetting needs to be done as a result. Meanwhile, the number of security professionals is not growing as quickly as needed, Reavis said.
He praised FedRAMP’s practice of monitoring vendors every 30 days, although he thought it should be as close to zero days as possible. He also said it was important to understand that as many as three quarters of cloud security control responsibility is housed within the application.
The large infrastructure providers are only handling about a quarter of that. This will be important for the Defense Department, which is poised to release some requests for quotations for large cloud contracts in the near future. Reavis said the dynamic and expandable quality of cloud makes it ideal for military uses but beyond that, he expects the technology to overtake any kind of data center in future.
“But really we’ve seen a maturity over the last 10 years that, you could make the case pretty successfully, that cloud can be done right, the more secure option because of all of the structure and frameworks and you just don’t create a lot of opportunities for certain areas, customization in core areas,” he said. “We are expecting to see a lot more of that.”