As cloud computing in the federal computing increasingly takes flight, some observers remain worried about security of information stored on a cloud platform.
Just a few weeks ago, the General Services Administration and the Chief Information Officers Council unveiled the new security guidelines for cloud computing, the Federal Risk and Authorization Management Program. FedRAMP, as it is known, will continuously monitor cloud platforms, provide security authorizations and reduce redundancies, is currently seeking comments, before the first phase becomes operational, likely early next year.
But even that is not enough to assuage some experts, such as Alan Paller, director of research at the SANS Institute, an information security training organization. He recently penned an analysis for Nextgov, about FedRAMP’s flaws, which he wrote will “lead to a broad failure to measurably improve security in cloud computing.”
FedRAMP does not focus enough on application security, Paller said. The method FedRAMP uses (a contractor to manage the infrastructure and another to run the application) “almost completely ignores the responsibility of the application contractor to ensure that the application is secure and all its components updated and patched,” he added.
This is becoming increasingly important as application attacks have become more frequent than system-level attacks, Paller said.
Another FedRAMP flaw deals with “continuous monitoring.” Paller said this should mean testing every few days, but the plan calls for testing on a quarterly and annual basis, requiring outdated paper reports, he said.