Cybersecurity remains one of the biggest hurdles to the widespread use of cloud computing across the government. But a new type of data encryption may be the answer to those who still question whether their data can be safe in the cloud.
While the federal cloud security standards, known as the Federal Risk Authorization and Management Program (FedRAMP), gained acceptance, the standards don’t necessarily protect the data in and of itself. FedRAMP is more focused on protecting the network, and for some federal technology and security managers, the need to protect their data is a real sticking point that must be overcome before there is a huge expansion of cloud services.
Agency chief information officers and chief information security officers say while FedRAMP protects the networks, they are unclear about the best ways to protect the data from the cloud providers and the people that work for them. In many ways, the insider threat — both the vendor and agency employees — remains a huge concern for agencies and companies alike when they move applications and data to the cloud.
Joe Paiva, the CIO at the International Trade Administration in the Commerce Department, said there is an up-and-coming technology that could solve these data protection concerns.
“One of the hot new segments supporting cloud right now in IT is this idea of a cloud encryption gateway. Essentially what happens is whenever one of your people go out to your cloud — in each of your cloud service providers you have our own kind of URL — when your people hit that URL they are actually redirected through a cloud encryption gateway provider and what happens is all the data that you actually sit with that software-as-a-service or platform-as-a-service provider is encrypted using encryption keys from the encryption gateway,” said Paiva Thursday at the Microsoft Federal Executive Forum in Washington. “We have the option of maintaining the keys ourselves so we have the private key. So what it means is the encryption gateway provider, and/or Microsoft or whoever we use, none of them can get to our stuff. We are the only ones who can decrypt it.”
Another benefit of this approach is the ability to encrypt only the data that is most sensitive and then decide how much security to add to each piece of information.
Paiva said that feature lets the organization make risk-based decisions while not impacting performance of the cloud network.
“You can actually tailor the encryption to allow faster searches or to allow faster data input, or to put a little extra security on the things that are really important or a little less security on the things that are already public knowledge,” he said.
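The per-field tailoring described above, sketched as an added example (not code from the article or from any gateway product): a hypothetical `makeGateway` keeps both keys on the customer side, passes public fields through, encrypts every other field with AES-256-GCM, and adds a keyed HMAC index only to fields marked searchable. The function names, field names, policy labels and sample values are assumptions.

```javascript
const crypto = require('crypto');

// Hypothetical gateway: encKey and idxKey stay with the customer, never the provider.
// policy maps field -> 'public' | 'search'; any other field is treated as fully opaque.
function makeGateway(encKey, idxKey, policy) {
  // Keyed blind index: the provider can match equal values but cannot read them.
  const token = (field, value) =>
    crypto.createHmac('sha256', idxKey).update(`${field}\0${value}`).digest('hex');

  // Returns the record in the form the SaaS provider stores.
  function protect(record) {
    const stored = {};
    for (const [field, value] of Object.entries(record)) {
      if (policy[field] === 'public') { stored[field] = value; continue; }
      const nonce = crypto.randomBytes(12); // fresh nonce: equal plaintexts differ
      const c = crypto.createCipheriv('aes-256-gcm', encKey, nonce);
      c.setAAD(Buffer.from(field)); // bind the ciphertext to its field name
      const body = Buffer.concat([c.update(value, 'utf8'), c.final()]);
      stored[field] = Buffer.concat([nonce, c.getAuthTag(), body]).toString('base64');
      if (policy[field] === 'search') stored[`${field}_idx`] = token(field, value);
    }
    return stored;
  }

  // Decrypts one stored field; throws if it was altered or moved to another field.
  function reveal(field, blob) {
    const raw = Buffer.from(blob, 'base64');
    const d = crypto.createDecipheriv('aes-256-gcm', encKey, raw.subarray(0, 12));
    d.setAAD(Buffer.from(field));
    d.setAuthTag(raw.subarray(12, 28));
    return Buffer.concat([d.update(raw.subarray(28)), d.final()]).toString('utf8');
  }
  return { protect, reveal, token };
}

// Constructed sample record and throwaway keys, for illustration only.
const gw = makeGateway(crypto.randomBytes(32), crypto.randomBytes(32),
  { office: 'public', email: 'search' });
const row = { office: 'Washington', email: 'analyst@example.gov', notes: 'draft tariff memo' };
const a = gw.protect(row);
const b = gw.protect(row);
console.log(a); // what the provider sees
console.log(a.email_idx === gw.token('email', row.email)); // equality search still works
console.log(a.notes !== b.notes, gw.reveal('notes', a.notes)); // opaque field, customer decrypts
```

The searchable index is deterministic, so the provider can tell which rows share a value; that is the cost of equality search, which is why this policy applies it only to fields explicitly marked for it.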
Rick Holgate, the CIO at the Justice Department’s Alcohol, Tobacco, Firearms and Explosives Bureau, said there are positives and negatives with this idea of cloud encryption.
“It’s predicated on the encryption with the customer controlling the keys to encryption, which basically makes the data meaningless to the cloud service provider,” he said. “When it’s meaningless to the provider, they can’t read our data, they can’t understand what’s in our data and they have no visibility into our data, which means they also can’t use the elements of our data to make the service more meaningful or deliver more meaningful service.”
Holgate said with certain cloud service providers such as Microsoft, that issue has been a major reason why agencies haven’t encrypted data in the cloud.
But Box, the secure file sharing company, recently let customers control their own data encryption keys — one of the first among cloud service providers.
“In closing those gaps and being able to replicate a similar user experience with encrypted data… that is the next layer of solution we need to come to,” Holgate said.
Paiva said he’s excited about the possibilities of cloud encryption and looking into it for ITA.
“Right now, we are officially in the market research phase with a very aggressive acquisition schedule,” he said. “I think it’s the absolute key because then you don’t have to trust your cloud provider, and why would you? There are no guarantees in life. So I think a good cloud encryption gateway just kind of opens the door for cloud and really takes the limiter off.”
Limiting data exposure to CSPs
The data encryption piece is huge, but at the same time the people issue, the insider threat, also is a continued concern.
Holgate said ATF had to deal with the personnel security clearance challenge when his agency moved to the cloud for email and collaboration.
“The way we dealt with it was to address our concerns from a personnel security perspective of who had access to our data in an unencrypted form in a way we were comfortable with. For us that involves trust of the people who have access to data and coming up with a mutually agreeable procedure to adjudicate people for eligibility for access to our data. That was with the assumption that those individuals could potentially have access in an unregulated, unrestricted, completely open fashion to all our data,” he said. “That was probably an overly conservative assumption about the level of access they’d have to our data because Microsoft, like other cloud providers, has a much more selective fashion in which they allow their employees to have access to user, customer data. So in our case, there aren’t users who have access to all our data. There are users who are selectively granted access to a small part of our data for a limited amount of time. It’s a much more fine-grained security model than we are used to in our environment so it requires us to adjust our thinking about what represents a security risk and what level of trust do we have to exhibit or grant these people to have access to our data.”
Holgate said ATF still is struggling to come to terms with this new model. Does the person who is granted access to a small amount of data for a limited amount of time need the same personnel security oversight as someone who has open access?
Holgate said ATF decided to follow the standard DoJ adjudication process for Microsoft’s personnel. But he said there could be a time when the government could live with a more flexible security model.
Vendors also are addressing this personnel security issue.
Holgate said Google applied for the moderate security level under FedRAMP, and as part of that effort, the company is putting its employees through an Office of Personnel Management-like background investigation. He said that’s an independent personnel security model to get closer to.
He said any model would have to meet a standard set of expectations across government and better define risk based on the controls the cloud service providers apply to controlling access to the data.
A record of data manipulation, access
Along with the background checks, companies and customers depend on audit logs and other technologies to track who touched the data, when they touched it and whether they changed it at all.
Holgate said a recent incident highlighted the importance of audit logs when it comes to cloud security and data assurance not just for CIOs but also for the business and mission owners.
“We actually had an issue where Microsoft reported to us where they inadvertently had given an employee access to our data for an extended period of time,” he said. “They had the logs to prove they gave him the access, nothing was done during that period of time, nothing compromised our data so the controls also are the ability to verify what happens during those periods.”
The continued security concerns aren’t stopping agencies from using the cloud. But the reason for the migration is less and less about cost, and more and more about flexibility, agility and capabilities.
The Labor Department moved its email to the cloud a year or so ago and the benefits weren’t from cost savings.
“What we found was when you wrap all the cost up, not only of the service, not only of the integrator, but your own staff, the mailbox cost comes out to be pretty much equivalent, but you get a lot more. We basically increased our storage for our staff by 400 times,” said Dawn Leaf, the Labor CIO. “The challenging parts were standardizing because we are a federated organization.”
“The IT staff had to basically go through a process of modifying the firewalls, moving to a more consolidated infrastructure just to get to the service. There is a fair amount you have to do to your infrastructure even to be able to access the cloud services.”
She added that Labor found 150 inconsistencies per bureau in its network and access infrastructure that had to be resolved before getting to the cloud.
But at the same time, there are certain obstacles to moving to the cloud that every agency faces. Along with security, the acquisition approach continues to limit the widespread adoption of cloud services.
Paiva said he’s trying to get out of the IT business by outsourcing much of ITA’s technology infrastructure. But he’s struggling with the procurement model where the agency buys the service based on how much it uses, which is new to many contracting officers.
While none of the CIOs thought these challenges were insurmountable, they all agreed it would take time to change the culture of the government to buy, secure and use cloud computing.