October 6, 2011 - Cloud computing has both positive and negative information security implications for federal agencies. Potential information security benefits include the use of automation to expedite the implementation of secure configurations on devices; reduced need to carry data on removable media because of broad network access; and low-cost disaster recovery and data storage.
The use of cloud computing can also create numerous information security risks for federal agencies. Specifically, 22 of 24 major federal agencies reported that they were either concerned or very concerned about the potential information security risks associated with cloud computing. Risks include dependence on the security practices and assurances of vendors and the sharing of computing resources. These risks may vary based on the cloud deployment model. Private clouds, whereby the service is set up specifically for one organization, may have a lower threat exposure than public clouds, whereby the service is available to any paying customer. Evaluating this risk requires an examination of the specific security controls in place for the cloud's implementation. In its 2010 report, GAO noted that governmentwide cloud computing security activities had been undertaken by organizations such as the Office of Management and Budget (OMB), General Services Administration (GSA), and the National Institute of Standards and Technology (NIST); however, significant work remained to be completed. For example, OMB had not yet finished a cloud computing strategy, including how information security issues were to be addressed. GSA had begun a procurement for expanding cloud computing services, but had not yet developed specific plans for establishing a shared information security assessment and authorization process. In addition, although NIST was responsible for establishing information security guidance for federal agencies, it had not yet issued cloud-specific security guidance. In its report, GAO made several recommendations to address cloud computing security that agencies have taken steps to implement. Specifically, GAO recommended that OMB establish milestones to complete a strategy for federal cloud computing and ensure it addressed information security challenges. OMB subsequently published a strategy which addressed the importance of information security when using cloud computing, but did not fully address several key challenges confronting agencies. GAO also recommended that GSA consider security in its procurement for cloud services, including consideration of a shared assessment and authorization process. GSA has since developed a draft of an assessment and authorization process for systems shared among federal agencies, but the process has not yet been finalized. Finally, GAO recommended that the NIST issue guidance specific to cloud computing security. NIST has issued multiple publications which address such guidance; however, one publication remains in draft, and is not to be finalized until the first quarter of fiscal year 2012. GAO is not making additional recommendations at this time beyond the ones made in its 2010 report.