GAO: Additional security needed to address cloud computing concerns
A study by the Government Accountability Office (GAO) concluded that cloud computing has both positive and negative information security implications for federal agencies.
Published Oct. 6, the GAO study stated that potential benefits include the use of automation to expedite the implementation of secure configurations on devices, a reduced need to carry data on removable media, and low-cost disaster recovery and data storage.
GAO was asked to testify about the security implications of cloud computing. In a 2010 report, GAO noted that government-wide cloud computing security activities had been undertaken by organizations such as the Office of Management and Budget (OMB), General Services Administration (GSA) and the National Institute of Standards and Technology (NIST); however, significant work remained. “For example, OMB had not finished a cloud computing strategy, including how information security issues were to be addressed,” the report stated.
Additionally, GSA had begun a procurement process for expanding cloud computing services, but had not yet developed specific plans for establishing a shared information security assessment and authorization process. NIST was responsible for establishing information security guidance for federal agencies, but had not yet issued cloud-specific security guidance.
GAO added that the use of cloud computing could create security risks for federal agencies as 22 of the 24 federal agencies reported they were concerned or very concerned about the potential information security risks associated with cloud computing. These risks included dependence on the security practices and assurances of vendors, and sharing of computing resources. “These risks may vary based on the cloud deployment model,” GAO stated. “Private clouds, whereby the service is set up specifically for one organization, may have a lower threat exposure than public clouds, whereby the service is available to any paying customer.
“Evaluating this risk requires an examination of the specific security controls in place for the cloud’s implementation,” GAO continued.
In its 2010 report, GAO made several recommendations to address cloud computing security that agencies have taken steps to implement. For example, GAO recommended the OMB establish milestones to complete a strategy for federal cloud computing and ensure it addressed information security challenges.
“OMB subsequently published a strategy which addressed the importance of information security when using cloud computing, but did not fully address several key challenges confronting agencies,” GAO said.