September 28, 2012

Cloud Providers Want Government Stamp of Approval

Robert Gelber

According to recent surveys conducted among enterprise professionals, security concerns have been a major roadblock in the path to cloud adoption. However, new developments show that users and certain government agencies have started warming to the idea of using cloud services to handle more sensitive data.

Take, for example, the General Services Administration’s (GSA) FedRAMP program, a collaborative effort aimed at increasing confidence in the security capabilities of cloud service providers. FedRAMP involves members from the National Institutes of Health, Department of Homeland Security, Department of Defense, National Security Agency and Office of Management and Budget, along with the Federal CIO Council and private industry professionals.

One of the benefits of the program is the government’s ability to assess and certify the security practices of cloud service providers. This accomplishes a number of tasks.

1) Creates a uniform system for testing cloud service providers.

2) Increases transparency between providers and government agencies.

3) Generates more confidence in cloud providers that achieve certification.

This week Federal Times reported that since the FedRAMP program was launched, more than 50 cloud service providers applied to get their government stamp of approval. Unfortunately, fewer than a handful will have the chance of receiving that recognition. GSA member Dave McClure expected to complete reviews for just three operators by January.

If any of those lucky providers do pass the security test, they will receive a provisional authority to operate (ATO). With an ATO in hand, these companies will be certified for use by the Department of Homeland Security, Department of Defense and General Services Administration. The ATO makes other agencies aware of a provider’s capabilities, which, in turn, speeds up the process of adoption.

The system seems both rigorous and hopeful, but the devil is in the details. For example, a number of cloud providers have difficulty with certain federal security requirements. If an operator is to receive FedRAMP certification, they have to show that systems housing government data are accessed with two-factor authentication. Also, employees with access to government data have to undergo extensive background investigations. Seems like a lot of legwork to receive a shiny certification.

While the government works to bring cloud vendors up to speed with security, commercial outfits are coming up with some creative solutions to secure data in a public cloud environment. On Wednesday, the NASDAQ OMX Group launched a service called FinQloud, powered by Amazon Web Services and aimed at the needs of the financial services sector. The platform is hosted by Amazon and protected by a robust key encryption management system.
