For years, information security professionals, analysts, and pundits have all been pointing out the security risks inherent in cloud computing. Far from being a "Chicken Little" message, these concerns have been backed up by nonstop real-world incursions into cloud services, including major successful attacks on customer-facing cloud environments hosted by Adobe, LinkedIn, CloudFlare, and others. One solution to the problem that these concerns raise is FedRAMP.
The Federal Risk and Authorization Management Program—FedRAMP—was developed in 2010 as a roadmap for security controls implementation for cloud service providers who serve government agencies. The government developed this standard through the National Institute of Standards and Technologies (NIST) as a way of ensuring that cloud services could be "pre-approved" for use by agencies. Indeed, certification is now a mandated requirement for any agency that desires to use a cloud service provider.
Cloud providers certainly haven't made it easy for their customers to gain visibility into security controls; Dave Shackleford's presentation at RSA 2014, for example, covers a broad range of security problems that exist with cloud technologies. Far too often, the only assurances to customers that some degree of security is being implemented has been buried deep in service agreement contracts, with customers having zero visibility into security events, system configurations, and other critical information that's required to ensure a secure environment. Even in cases where details of security controls within cloud infrastructure have been provided, those controls have varied wildly between cloud vendors, with no consistency and only the most basic controls (such as firewalls) standardized between companies. This has left customers without any visibility into the risks to their applications and data: data leakage, shared technology risks, malicious insiders, insecure APIs and other code, and many more. For security-conscious customers, finding reliable security in the cloud has been a fruitless effort. Moreover, since cloud providers share infrastructure, applications, and code across multiple customers and centralize larger amounts of data together on behalf of those customers, they are likely rich targets for government surveillance, such as the broad monitoring activities conducted by the NSA and recently identified by Edward Snowden.
Of course, one of the great things about government standards is that they're not solely for use by the feds. FedRAMP presents the first and most comprehensive set of security control standards for cloud service providers and is based on the comprehensive controls mandated under the FISMA law, which also applies to federal agencies. However, the full standard is freely available; cloud service providers who are interested in implementing these controls, and optionally getting certified, can leverage this valuable resource to give their customers peace of mind.
The benefits of adopting FedRAMP security controls for cloud providers are many. First, if the vendor doesn't just implement the controls but also pursues certification and accreditation through NIST, it means they can start providing cloud services to federal customers. This is a burgeoning growth market for the industry, as many agencies are being compelled to adopt cloud services. Second, it allows cloud providers to answer common security questions often asked by customers. Having a cohesive, complete answer to these questions will improve confidence and provide a valuable differentiator in the increasingly competitive cloud services market. Finally, if a cloud provider is located in the United States and paying taxes, they're already funding FedRAMP—they might as well use this tool that they are helping to pay for.
Of course, FedRAMP is not a panacea to all security problems that cloud service providers and their customers face. It is very comprehensive, and there will be costs incurred by vendors who implement the standard correctly, both in terms of time and additional security technologies. However, it provides a no-cost blueprint for securing cloud environments, and the benefits will likely outweigh the costs of implementation. There are many approaches to securing cloud environments, but FedRAMP is a solution backed by certification that will allow CISOs and other security professionals—both inside and outside the federal government—to sleep better at night.