A growing number of federal agencies are running some form of cloud computing, but nearly all lack policies around securing data hosted offsite, according to a new report from the U.S. Government Accountability Office (GAO).
A lack of government-wide guidance appears to be the major holdup.
"Although individual agencies have identified security measures needed when using cloud computing, they have not always developed corresponding guidance," the report, released Thursday, said. "Until federal guidance and processes that specifically address information security for cloud computing are developed, agencies may be hesitant to implement cloud computing, and those programs that have been implemented may not have effective information security controls in place."
The report, written by Gregory Wilshusen, director of information security issues at GAO, found that 22 of the 24 major federal agencies are either "concerned" or "very concerned" about the security risks associated with cloud computing. Despite that, half of the agencies have moved forward on cloud computing projects, mostly for the technology's low-cost disaster recovery, data storage and self-service benefits.
Yet most agencies have expressed concerns over the risks, including the possibilities of a vulnerable service provider exposing data, an agency losing control and governance over the data to the provider and an agency failing to conduct a sufficient background check of the provider's employees, resulting in insider malfeasance, the report said. In addition, 23 of 24 agencies expressed worries over the concept of multitenancy, in which computing resources are shared among different organizations.
There also appears to be confusion over which entity — the agency or the cloud provider — is tasked with which responsibilities, according to the report.
"Agencies have also identified challenges in...clarifying the division of information security responsibilities between the customer and the vendor," the report said.
Agencies are interested in receiving official guidance on securing cloud environments, the report said. The federal Office of Management and Budget is planning to release a strategy for implementing the technology, which is expected to detail "information security challenges associated with cloud computing, such as needed agency-specific guidance, controls assessment of cloud computing service providers, division of information security responsibilities between customer and provider, a shared assessment and authorization process and the possibility for precertification of cloud computing service providers."
In addition, the Cloud Computing Program Management Office, under the General Services Administration; the Cloud Computing Executive Steering Committee, part of the Federal CIO Council; and NIST all are expected to provide guidance in the coming months, the report said.