The Federal government has transitioned from a “Cloud First” to a “Cloud Smart” strategy intended to guide agencies in leveraging cloud technology without compromising security. However, accomplishing this is a team effort, Federal officials said during a SCGov panel discussion on November 16.
In this shared responsibility model, a cloud security framework dictates the security obligations of a cloud computing provider and its user to ensure accountability.
According to Brian Conrad, acting FedRAMP director and the program manager for cybersecurity, each party – the cloud service provider (CSP) and the user – is accountable for different aspects of security and must work together to ensure full security coverage.
“There are certain things that the CSP is going to do [to ensure cloud security], but it’s also incumbent on the users to make sure they are doing their part,” Conrad said. FedRAMP has worked, and will continue to work, as a moderator between CSPs and agencies, ensuring that both parties are well informed, he added.
Steven Hernandez, the chief information security officer of the Education Department, added that FedRAMP serves as a nexus of information. And “a CSP with FedRAMP authorization gives agencies a sense of comfort knowing the biggest security issues are off the table,” Hernandez said.
Yet FedRAMP authorization is not the end-all, be-all; it is a good starting point for organizations looking for a CSP, he added. Agencies must continue to evaluate CSPs and their residual risks.
“There are agencies that are operating under the assumption that when CSPs have a provisional authorization, they meet all the requirements an agency has for a CSP,” Hernandez said. But there are residual risks that come with some CSP services that some agencies might not want to take on, while others may be fine with taking on those residual risks.
“Agencies must continue to evaluate CSPs before pursuing it full on because there may be residual risks too big for any agency,” Hernandez said.