Patrick Cronin

Security: A critical issue, but not a barrier to achieving the cloud’s promises

Security is at the top of IT executives’ concerns in adopting cloud computing. Almost every major study confirms this. At the time of this post, even our own informal poll on the CGI.com homepage has 55% of 2,400 respondents citing “security risks” as their biggest concern in moving to the cloud.

Yet, amid these concerns, cloud adoption is ramping up, with the industry quickly weighing the risks and rewards, and learning how to best manage those risks.

Case in point…

In the U.S. federal space, agencies had to accept risks to leverage commercially available cloud services that failed to meet federal guidelines but could be delivered at aggressive price points. Typical cloud service providers lacked background checks, physical and remote access logs, the gathering and monitoring of audit logs, intrusion monitoring, remediation services and compliance scanning – all those areas that are crucial to maintaining the security posture of a system. However, with the General Services Administration’s (GSA) certification of IaaS providers, agencies no longer need to accept these risks.

As an awardee of GSA’s BPA for Infrastructure as a Service, CGI is required to pass a stringent assessment and accreditation, perform continuous monitoring, log events and regularly report to clients and the accreditation agency. By using the IaaS BPA, federal agencies can readily comply with the Federal Information Security Management Act’s (FISMA’s) comprehensive framework for securing their IT for the elements of the systems purchased. And with the Federal Risk and Authorization Management Program (FedRAMP)—the government-wide initiative to help agencies leverage the accreditation of systems to move to the cloud—many agency applications can, in fact, be more secure in the cloud than they are in many existing infrastructures, especially those based on legacy platforms using legacy controls.

In short: Our cloud security services must track, defend and report the security status of each client’s computer resources. Whether you’re reading this as a government or private-sector IT manager, the frameworks required of us as a pre-qualified and certified cloud provider for federal agencies can help realize the inherent security advantages of cloud technology:

  • Automated security management
  • Greater monitoring and defense
  • Better reporting and threat analysis
  • Simplified security auditing

In addition, shifting public data to the cloud can reduce the risk of exposing sensitive internal data on physical machines, such as laptops that could be at risk. Centralizing data also often allows skilled experts to ensure that all security measures are taken, which may not be feasible in a smaller environment.

More information on these topics is outlined in our issue brief, Cloud Security for Federal Agencies. I also welcome you to post a comment or contact me to discuss how to implement best practice security processes in your cloud computing environments.
