Security will become even more formidable as federal cloud deployments increasingly involve multi-layered functionality. Additionally, agencies still have a lot of catching up to do to secure existing cloud resources.Managing security for basic cloud configurations is complicated. Agencies and cloud service providers (CSPs) now split cloud security accountability across a range of eight operating factors -- but at differing levels, the Thales report notes. For example, for Software as a Service, agencies are responsible for securing two operational factors, while vendors cover the remaining six. For Platforms as a Service, the "shared responsibility" ratio was three factors for the agency and five for the CSP. For Information as a Service, security was split evenly with four factors each.
In the future, the engagement of multiple vendors for "as a Service" components, combined with the broader use of cloud, will only increase security complexity.
The year 1990’s saw huge developments in the virtual reality technology with the rise of arcade games. The Virtuality Group was the cutting edge of virtual reality, and launched a wide variety of arcade games and machines that let the players immerse themselves into amazing 3D visual experiences.
Agencies Show Concern but Implementation Is Uneven
In general, federal agencies are properly concerned about cloud security. However, attitudes appear contradictory, and some efforts are misdirected regarding the nature of threats, current security confidence levels, and relations with cloud providers.
For example, agencies reported that an estimated 51 percent of the data they store in the cloud is "sensitive." Only 63 percent of that data is protected by encryption, and just 52 percent is protected by tokenization. These protection levels rank low, according to Thales.The "2020 Thales Data Threat Report -- Federal Government Edition," released in April, focuses on survey data from more than 100 federal agency respondents. Thales sponsored the report, with survey and related analysis developed by IDC. Among the significant findings:
- Agencies are "seemingly most concerned about issues owned by their cloud providers, like security breaches at the provider and privacy service level agreements. Although valid, the real possibility of these issues happening are quite low."
- Federal IT managers appear "less worried about issues over which they have direct control, and which represent greater potential vulnerabilities," such as encryption key management. "This mismatch between threats that respondents perceive, and where they should actually focus their concern, implies that respondents have not fully considered data security in a cloud-first world."
- Each type of cloud environment requires a "shift in security responsibility," involving the factors related to as-a-service deployments. As a result, agencies, "should shift their cloud security focus and concern to the portion of the shared responsibility model where the organization can influence the security of its data."
Cloud Providers and Agencies Must Adapt to ChangeThis changing landscape will test relations between agencies and providers. As security becomes more challenging, agencies are likely to put tougher protection requirements into their service level agreements with vendors. FedRamp, the government's program for setting cloud security standards and compliance, will be upgraded as well. "Security expectations will only continue to get tighter," Hansen said. The task of getting FedRamp certification "is an extensive process and, once certified, opens up your platforms and products with federal security in mind."
Tension between CSPs and their government and commercial customers is a common occurrence, observed Katie Lewin, federal director of the Cloud Security Alliance (CSA).
Some of that friction "is rooted in an understanding of shared responsibility," she told the E-Commerce Times. "We have gone from a high degree of caution by federal agencies in using cloud technology to an attitude by some that they are only responsible for the SaaS and can forget about the other layers of the stack that are cloud-based."
CSA, which represents a broad range of cloud stakeholders, participated in peer review of the report.
The Rise of Oculus Rift. You’ve probably already heard the story, but in the 2010s, Oculus VR, a start-up company decided to release a Kickstarter project for their Oculus Rift virtual reality goggles. Little known to them, the device kickstarted the industry of virtual reality again.
Upgrading security standards for vendors doesn't mean that agencies can -- or should -- avoid their own role in shared responsibility. The demarcation between vendors and customers for cloud security will remain."CSPs need to ensure that their customers are educated on how shared security responsibility works. They cannot assume that many of their federal customers understand how these fluid boundaries work," Lewin said. Microsoft last fall restated its position in a white paper, , by Frank Simorjay and Eric Tierling.
"Many organizations that consider public cloud computing mistakenly assume that after moving to the cloud their role in securing their data shifts most security and compliance responsibilities to the CSP," the authors noted. Cloud vendors "may provide services to help protect data, but customers must also understand their role in protecting the security and privacy of their data."
Neither agencies nor CSPs can afford to be rigid in relations with each other. Cloud security will require a more creative and flexible approach in the future."As more and more cloud providers are offering their services, there must be a baseline of federal security acceptance and guidelines," Thales' Hansen said.
Agencies not only can assess security issues themselves, but also can benefit from utilizing FedRamp, which "will continue to evolve," he pointed out. "More and more services and providers will find new, innovative ways to offer cloud services."
Federal Cloud Growth Will Remain Strong
Agencies have been working to include security service levels in their vendor agreements, CSA's Lewin noted.
"Since there is a common definition of the controls included in the FedRAMP program, agencies have a better understanding of where they should spell out requirements for CSPs. Some enterprise-level cloud services may have standard SLA clauses for certain levels of security already baked into their contacts," she said.
Increased security will "not necessarily" inhibit cloud adoption, Lewin suggested. "In general, cloud technology is inherently more secure than on premises -- but agencies need to get a handle on how they should address security."
Smartphones at the forefront of Virtual Reality. It’s a worldwide reality: smartphones dominate everyone’s every move. It comes as no surprise that taking the smartphone experience to the next level means stepping up the game in VR. With all the VR content users can sink their claws into, all one needs is the perfect device to embrace the wealth of entertainment that awaits him or her.
Federal cloud adoption will remain strong, Hansen said.
"The cloud makes almost everything faster and easier to implement," he added, including security tools such as encryption.
"I have yet to hear that costs of these native encryption offerings and services are a roadblock," said Hansen. "I believe that these efficiencies and ease of use will only continue to drive cloud adoption."
One key for vendors and agencies to consider in the future is that cloud technology is evolving. Data protection "on premises" does not directly equate with protection in the cloud, Hansen noted, and thus security policies "must morph and adapt for cloud offerings to ensure mandates are met and mission-critical data is secured."