Cybersecurity in the Cloud: The Federal Landscape for Secure Cloud Services, Systems, and Solutions
Abstract
Deploying data and applications to a cloud computing environment, whether private, community, or public, changes an organization's information technology (IT) security risk profile. This is not to say that risk goes up in the cloud. However, the outsourcing of operational activities, the relinquishment of control over infrastructure components, and the sharing of environments and systems with untrusted entities modifies the threat vector domain and therefore the risks. All cloud environments utilize new software layers, such as virtualization technologies, within the IT infrastructure. While community and public offerings may employ similar technologies to private environments, the security implications of community and public clouds are more complex. Use of these offerings changes the risk profile because some security responsibility is transferred to the cloud service provider (CSP), and the organization's security perimeter is extended to include the provider's computing resources and personnel. Given these changes, organizations need to understand the risks and appropriate mitigations. This paper seeks to highlight the Federal perspective and considerations for moving from on-premise private to off-premise public/community clouds. Key to ongoing risk management of cloud-based applications and data is the client's ability to have continuous situational awareness of network status and cyber events. Incident detection and response will be a coordinated effort, requiring data exchange between the partners. In order to appropriately assess the risks, an understanding of the threat actors and their techniques is needed. The ability to share indicators of compromise and coordinate mitigations will be necessary to prevent and interrupt attacks.
Document Details
- Document Type: Technical Report
- Publication Date: Jan 17, 2017
- Accession Number: AD1107989
Entities
People
- Don Faatz
- Mari Spina
Organizations
- MITRE Corporation