Federal Cloud Security
January 2016
Topics: Cybersecurity, Cloud Computing, Computer-Communication-Networks, Government Agency Operations
When Federal government departments and agencies choose to adopt cloud computing, security is a major consideration in the planning, migration, and operations and maintenance of critical IT systems. Agencies must consider the goals, planned cloud ecosystem, mission and business functions, processes, sensitivity of data, and processing capabilities. Agencies must fully understand their own roles and responsibilities as well as those of FedRAMP and Cloud Service Providers (CSPs). As consumers of cloud services, agencies must also fully understand the security impacts of the three Service Models: Infrastructure as a Service (IaaS), Platform as a Service (PaaS), and Software as a Service (SaaS), as each Service Model brings different security requirements and responsibilities. As agencies transition their applications and data to cloud computing solutions, it is critically important that the level of security provided in the cloud environment be equal to or better than the security provided by their traditional IT environments.
The goal of this paper is to provide a government cloud consumer with a practical reference regarding current security considerations when adopting cloud computing technologies into the mission, business, and Information Technology (IT) enterprise. This paper provides a list of considerations for decision makers to evaluate security in multiple key areas based on the cloud Service Model and Deployment Model, as defined by the National Institute of Standards and Technology (NIST).