cloud based software

Cloud Computing Systems Used By Federal Agencies May Not Be Up to Federal Standards

While cloud-based information systems are becoming increasingly popular, many companies rely on outside services to help them manage their data and reduce security risks. Federal agencies are no exception, with most organizations using cloud computing arrangements to process and store government data. Unfortunately, a recent cloud security assessment suggests that a number of these agencies and their services are falling short of federal requirements.

In late February, the 2014 Federal Information Security Management Act (FISMA) report to Congress was released to the public. According to the study, of the 17 inspectors general who reported that their agencies used programs to manage contractor systems, only eight believed their programs had all the required elements in place. While the departments were not identified, the stated problems were numerous: some never obtained sufficient assurance that the security controls were effective or compliant with guidelines, while others did not have a complete inventory of the systems being used. However, six of the departments admitted that their cloud systems were not compliant with FISMA requirements, federal policies and applicable National Institute of Standards and Technology (NIST) guidelines.

NIST regulations are the basis of the government’s Federal Risk and Authorization Management Program (FedRAMP). Designed to standardize security assessment, authorization and continuous monitoring of cloud solutions, the program is essentially meant to safely bring the government into a new age of information technology. However, the FISMA report shows that federal agencies fared little better when it came to FedRAMP requirements, noting that some departments are “not capable of tracking and managing risks in a virtual/cloud environment.”

Cloud security is one of CIOs’ top 10 priorities in 2015, and it is one of the key concerns keeping CIOs from adopting cloud technologies as fast as they should or are expected to.

Fortunately, an element of the FedRAMP process may address this issue. Once a cloud service is authorized under FedRAMP, it is required to begin “continuous monitoring.” This means that all vendors must perform monthly vulnerability scans and remediate any findings deemed high-risk within 30 days. This change not only better aligns with the Department of Homeland Security’s own continuous monitoring program, but also fixes a prevalent problem: previously, some security reporting was only performed quarterly.

Currently, the FISMA report shows that a total of 81 systems being used are FedRAMP compliant. Of this number, 26 agencies have reported using FedRAMP provisional authority to operate packages, which verifies that a cloud system meets the program’s standards. Agencies are required to review this documentation before granting vendors final authority to operate.

While it isn’t clear how many systems must meet FedRAMP standards, one of the program office’s top priorities for the coming year is to increase stakeholder engagement, particularly among the agencies implementing the program. Other goals include improving program efficiencies, automating FedRAMP documentation and adapting the program to support evolving cloud technologies and policies.

Three Predictions on Enterprise File Sharing in 2015

Over the past decade, public cloud and private file transfer services have revolutionized the way electronic data is shared from one user to the next. Apps such as Dropbox, Google Drive, and Apple’s iCloud are wildly popular with the general public. The cloud has come a long way from the clunky floppy disks, primitive file transfer protocols (FTP), and scratch-prone CD-ROMs of the past. In the business world, cloud services are also a significant improvement over FTP and email services (email is still widely used, but some providers still limit attachment sizes, which is a serious inconvenience for business).

However, the enthusiasm many people have about cloud and similar services has a pitfall: the frequent and devastating security breaches that have befallen public (for example, the hacking of celebrity cloud accounts) and private (such as the hacking of Target’s customer database last January) file services.

The fact is, many cloud services, even the private, “sophisticated” ones, are woefully underprepared for security breaches, and that should cause concern for any consumer, casual or not. Companies, which handle millions (if not billions) of digital files, are certainly taking notice of the phenomenon.

“While cloud based file transfer services are attractive for their ease of use and deployment, many lack the necessary security, auditing and regulatory controls required by enterprises today. Companies that handle sensitive data such as financial and/or health records need to carefully assess whether a cloud based solution can provide the level of protection needed while also meeting compliance requirements imposed by standards such as HIPAA (Health Insurance Portability and Accountability Act) and PCI (Payment Card Industry),” said Van Glass, CEO of JSCAPE, a leading provider of managed file transfer software.

Entrepreneur has drawn up three predictions regarding cloud-based platforms to watch out for in 2015:

    1. Businesses that use public cloud platforms will continue to be hacked: Businesses that use public cloud platforms such as Dropbox and Google Drive will continue to see their data vulnerable to hacks. Using these platforms is essentially outsourcing private data to a third party that is distressingly insecure and unregulated. Files such as employee information, business proposals, and mega-merger term sheets are liable to be hacked, which can spell disaster for any business. Private cloud platforms aren’t invincible, to be fair, but at least they offer more information and troubleshooting resources if an incident does occur.
    2. Consolidation will cause massive data transfers: Though there are more than 120 cloud-based vendors available today, giant companies like Google, Microsoft, and Amazon have the advantage in terms of money, funds, and resources. Most likely, some of these 120 companies will be integrated into larger ones (as Dropbox was integrated into Microsoft in 2011) or merged with each other. As a result, billions of digital files will have to be moved to different clouds. Large-scale data migrations are incredibly intricate and time-consuming. Moreover, they are just as prone to human error as any other kind of migration.
    3. Consolidation will also cause specialization: As cloud vendors acquire or merge with other vendors, the remaining companies will struggle to keep afloat. One probable solution for some of these companies is to specialize their services. For example, a cloud vendor may focus on legal files; that is, managing, sharing, and storing digital documents for lawyers, court officials, and clients. As vendors specialize, they will garner more attention from companies that are wary of public vendors and want tighter security features of the kind typically found in private cloud platforms.

As companies expand and look toward the future, they will see the need to rely on private vendors more and more as security concerns increase. 2015 will be the year of productivity concerns coupled with privacy issues.