Richard A. Spires —

Note: In this fascinating article a former CIO addresses the critical problem of securing federal agency data in the Cloud.

I have implemented and seen the benefits of cloud computing for government, both the leverage of compute on demand and the use of software-as-a-service (SaaS) applications. According to Gartner, the worldwide public cloud services market is projected to grow to $206 billion in 2019. In particular, SaaS-based applications are driving tremendous growth and innovation – AngelList lists more than 15,000 SaaS start-ups, and IDC predicts the SaaS-based market to surpass $112 billion this year. Government adoption is certainly slower than the private sector, yet nearly every federal agency is now leveraging commercial cloud offerings.

The Cloud Security Challenge for Federal Users

While cloud computing and SaaS business models can enable IT organizations to lower infrastructure costs and enable more agility to support customers, this also increases the complexity in dealing with IT security. I think there is as a two-fold security challenge:

First, in regards to the use of cloud service providers, government agencies need to have confidence these providers are implementing security controls that match (or are at least be similar to) what they would implement within their own data centers and networks. In the private sector, the Cloud Security Alliance has developed the Cloud Controls Matrix (CCM) security controls framework. For the federal government, FedRAMP has been established as a means for cloud service providers to meet minimum security control requirements at three different levels as defined by the NIST 800-53 security control suite standards.

The Problem of Securing SaaS Applications

Yet even if you have faith in the control suite of the underlying cloud service provider, what about the case of an agency leveraging a SaaS application? In this case, sensitive data can be stored and controlled by the third party and used by agency employees, citizens, or partners in ways in which the data never even comes in contact with the agency’s network, firewalls, or any other security device or process. Thus the critical challenge is how to extend an agency’s security policies and controls to SaaS applications.

The Cloud Access Security Broker (CASB) Solution

This challenge has given rise to what are known as cloud access security brokers, products that serve as security enforcement points sitting logically between the agency and the cloud service provider to provide a range of services to include identity authentication and authorization, application whitelisting, encryption, alerting, malware detection, etc. Some of the leading vendors in the CASB market include Bitglass, Symantec, and NetSkope.

The SAAS Security Solution

On the positive side, the CASB vendors are filling a void in the market. As a former CIO, however, I have a jaded view of solving enterprise IT security challenges by continuing to add tools and then working internally to integrate them. I have rarely seen this strategy work well in government. Therefore, I have become a proponent that the best approach to address enterprise IT security challenges is the use of a SAAS IT security platform that provides the range of capabilities to help prevent and when necessary detect breaches throughout the enterprise, to include the use of cloud computing resources. In this market, Palo Alto Networks (in disclosure, I am member of the Palo Alto Networks Public Advisory Council), Cisco and Check Point Software provide integrated platform solutions.

Conclusion

The use of SaaS-based applications is becoming a preferred approach for rapidly delivering new capabilities for government agencies. The demand is coming from mission and business users, and as such, IT organizations must accept and plan for continued expansion in the number and use of SaaS applications. Accordingly, agencies need to develop a comprehensive enterprise approach for addressing the security challenges that come with relying on third-party cloud computing and applications.

Richard A. Spires is the CEO of Learning Tree International. He previously served as CIO of the U.S. Department of Homeland Security (DHS) and the Internal Revenue Service (IRS).