Patrick Cronin

When it comes to cloud web hosting, not all security controls are created equal

Cloud computing is shifting the federal CIO’s responsibility from managing data centers to managing cloud services, especially for cloud security, even when those services are procured outside the CIO’s office. As a result, CIOs must pay close attention to the security controls their agency programs are getting with their cloud infrastructure for web hosting. The best way to mitigate risk is to seek the highest level of security controls available in the cloud stack, and ensure all controls are certified by FedRAMP or a GSA Authority to Operate (ATO) until cloud service providers (CSPs) are certified by FedRAMP.

Yet, in efforts to minimize costs, some programs are procuring just basic cloud services (known in the GSA BPA as Lot II Virtual Machines or VMs) that only provide security at the hypervisor boundary level and omit many critical controls designed to protect the operating system (OS). The Information Security and Identity Management Committee (ISIMC) identified 12 controls—mostly in the OS layer—that, when deficient, lead to 85 percent of intrusions. While some programs are buying additional controls to go up the cloud stack, many of those controls are neither integrated nor validated in the automated cloud provisioning process, and may not be deployed consistently.

The reality is that not all cloud web hosting security controls are created equal, so CIOs should be asking:

  • Are all controls fully integrated? While programs are delegating many FISMA controls to CSPs, procurements often fail to address how controls will integrate into an agency’s security posture. Typical architectures have a CSP doing network intrusion while the program or integrator does the host-based log and host intrusion detection system (HIDS) monitoring. In this scenario, no team has adequate situational awareness. When controls are integrated, however, a single security operations center and incident response team have a complete and audited view of both host and network security, and so are better able to proactively defend against attacks.
  • Are responsibility boundaries abundantly clear? Even when procurements require CSPs and integrators to deploy NIST 800-53 controls, boundaries between applications and infrastructure can be unclear or buried in fine print, as can responsibility for controls such as scanning, backup and contingency planning. Host-based protections may be deployed and e-mailed to program contacts who are not able to correlate events or understand the impacts. Major applications remain most secure when events can be correlated with real-time analysis by experienced security professionals.
  • Are all controls validated? The FedRAMP Service Mark (SM) certifies that a CSP has passed a rigorous security assessment process—validated by a third party—to verify that controls are tested, integrated and within the assessment boundary. Again, for VMs, this only includes the hypervisor boundary level. In general, the cloud gives controls to users who traditionally did not provision infrastructure and often do not understand the full security posture requirements of the system. Automated security controls greatly reduce these risks.

Agency programs can realize the best value when their cloud security posture can be addressed holistically by their CSP (with the exception of application-specific controls, of course). CGI’s cloud web hosting service provides fully integrated controls. As the only CSP with a permanent ATO for this service, CGI’s controls have been validated by auditors as working cohesively to provide a security posture that remains strong through continuous monitoring. Even for controls outside the boundary, we use vulnerability scanning to double-check that application controls have been deployed properly.

Our service also includes OS security and provides many critical controls identified by ISIMC, such as patching, vulnerability scanning, OS intrusion monitoring and OS hardening. Controls are automated to minimize risk. However, since comprehensive cloud security cannot be fully automated, we also employ highly trained security professionals to continuously evaluate our security posture and protect against constantly evolving threats.
