GAO: Federal agencies lack advisement on cloud security

A growing number of federal agencies are running some form of cloud computing, but nearly all lack policies around securing data hosted offsite, according to a new report from the U.S. Government Accountability Office (GAO).

A lack of government-wide guidance appears to be the major holdup.

"Although individual agencies have identified security measures needed when using cloud computing, they have not always developed corresponding guidance," the report, released Thursday, said. "Until federal guidance and processes that specifically address information security for cloud computing are developed, agencies may be hesitant to implement cloud computing, and those programs that have been implemented may not have effective information security controls in place."

The report, written by Gregory Wilshusen, director of information security issues at GAO, found that 22 of the 24 major federal agencies are either "concerned" or "very concerned" about the security risks associated with cloud computing. Despite that, half of the agencies have moved forward on cloud computing projects, mostly for the technology's low-cost disaster recovery, data storage and self-service benefits.

Yet most agencies have expressed concerns over the risks, including the possibilities of a vulnerable service provider exposing data, an agency losing control and governance over the data to the provider and an agency failing to conduct a sufficient background check of the provider's employees, resulting in insider malfeasance, the report said. In addition, 23 of 24 agencies expressed worries over the concept of multitenancy, in which computing resources are shared among different organizations.

There also appears to be confusion over which entity — the agency or the cloud provider — is tasked with which responsibilities, according to the report.

"Agencies have also identified challenges in...clarifying the division of information security responsibilities between the customer and the vendor," the report said.

Agencies are interested in receiving official guidance on securing cloud environments, the report said. The federal Office of Management and Budget is planning to release a strategy for implementing the technology, which is expected to detail "information security challenges associated with cloud computing, such as needed agency-specific guidance, controls assessment of cloud computing service providers, division of information security responsibilities between customer and provider, a shared assessment and authorization process and the possibility for precertification of cloud computing service providers."

In addition, the Cloud Computing Program Management Office, under the General Services Administration; the Cloud Computing Executive Steering Committee, part of the Federal CIO Council; and NIST all are expected to provide guidance in the coming months, the report said.
