Securing the US Government Federal Cloud

Over the last several years, great efforts have been made to implement the US Federal Government’s “Cloud First” strategic initiative to develop, promote, and streamline the “on-ramp process” for Federal agencies to adopt and migrate to cloud architecture through the Federal Risk and Authorization Management Program (FedRAMP). However, even with FedRAMP, each Federal Agency should remain vigilant to ensure that its respective cloud architecture remains compliant with Federal cyber security mandates as well as industry best practices. Inheriting the formal Security Controls provided by FedRAMP-accredited Cloud Service Providers (CSPs) is a great “first step” towards implementing a robust, secure Agency cloud infrastructure, but it is not a “one and done” project. Instead, it is an ongoing, never-ending programmatic effort. Maintaining security in the cloud requires continuous dedication, persistence, and an acute awareness of rapidly emerging threats to cloud architecture.

Malevolent APT actors never sleep. Therefore, neither can the CSPs, and neither can the Federal Agencies that are hosting their mission-critical applications in FedRAMP-accredited cloud infrastructure. As Thomas Jefferson said, “Eternal vigilance is the price of liberty.” There are pernicious state and non-state actors that recognize that their ability or inability to successfully compromise, disrupt, or destroy Federal cloud infrastructure is now a key component of US national security. Our future as a nation depends on getting this right the first time and keeping it right.

General Consensus on Cloud Security Responsibilities

A general consensus has emerged that certain responsibilities (enforceable through Service Level Agreements) fall directly on the CSPs, while other specific responsibilities must remain squarely on the shoulders of the Federal Agency cloud customers. Simply put, there are certain defensive cyber operations that can never be completely outsourced. The proper implementation and persistent management of these responsibilities are not just “nice to have,” but are instead “must have” requirements that must be met day in and day out.

As examples, the CSPs should ensure that their infrastructure is secure from end to end (security in layers/defense in depth). CSPs should also ensure that their clients’ data and applications are protected (via proper data isolation and logical storage segregation for each discrete customer). CSPs must also conduct rigorous employee background checks for those CSP employees with physical access to servers and other associated infrastructure physically located within the CSP Data Center facilities. Lastly, CSPs must constantly monitor their Data Centers for potentially nefarious activities that could negatively impact the “CIA Triad” of “Confidentiality, Integrity, and Availability” of their cloud customers’ data. Failure in any of these areas, even for a brief lapse of time, would likely be catastrophic to the cyber posture of Federal Agency customer data hosted within that CSP cloud architecture.

As examples of the responsibilities that should remain with the CSP customers (meaning the Federal Agencies that use their services): the Agencies, even as customers, must be diligent in updating, patching, and otherwise managing each of their cloud-based applications. The Agencies must also enforce the use of strong passwords for anyone accessing cloud infrastructure, and they must also provide robust, commensurate authentication measures. Otherwise, even the best cloud security policies will fail to keep data safe in the cloud. Ideally, Agencies should provide strong encryption for any sensitive data in the cloud. They should also prohibit shadow IT projects (no matter how well-meaning or how benign) that may commingle with otherwise known, secure, and accredited cloud-based systems and data sets.

Leveraging Policies, Deployed Technologies & Controls to Protect Data, Applications, & Cloud Infrastructure

Annex A of the DRAFT NIST SP 500-299 provides the Cloud Computing Security Reference Architecture, which maps exactly to the Cloud Security Alliance architectural recommendations. Annex B of DRAFT NIST SP 500-299 details how that architecture maps to the NIST SP 800-53R4 Security Control families. In other words, the more things change, the more they stay the same: NIST expects US Government Federal Agencies to maintain the same NIST SP 800-53R4 Security Controls in the cloud environment. Although the "attack surface" in the cloud is different from the "attack surface" of on-premise infrastructure, the requirements to safeguard the systems remain the same.

In short, whether Agencies are using FedRAMP cloud infrastructure to provide them with Software as a Service (SaaS), Platform as a Service (PaaS), or Infrastructure as a Service (IaaS), the service model that the Agencies choose should not give them a false sense of security. Each service model has its pros and cons. The Agencies themselves may delegate Security Controls to the CSPs, but in the final analysis, the Agencies cannot delegate the responsibility of maintaining rigorous, NIST SP 800-53R4 compliant and accredited IT services across their entire IT infrastructure, whether on-premise or in the cloud. As NIST has stated, cloud security requires a broad set of policies, deployed technologies, and controls to protect data, applications, and associated cloud infrastructure. I know that down at the operational and tactical levels, our Federal Government’s talented cyber security practitioners already know how to effectively secure, harden, and audit their on-premise IT systems and are already doing so with professionalism and dedication. Now is the time to apply that same professionalism and dedication to Federal cloud infrastructure.

For more information on securing your cloud, email edm-solutions@www.dlt.com.

By Kevin McPeak, Security & Mobility Architect, Symantec

About Kevin: Kevin McPeak is a Symantec Security & Mobility Architect who is focused on supporting US Government customers. In this capacity, he serves as a technical SME for reputation based malware filtering, endpoint management, endpoint security, data loss prevention, encryption, mobile device management, mobile app management, secure mobile content delivery, and new defensive technologies.