Across the government, agencies are looking to the cloud to achieve significant cost reduction and data center consolidation, but poll after poll reminds us that security remains a key concern and is usually the biggest stumbling block to federal agencies adopting the cloud. Launched in 2011, the FedRAMP program is intended to provide a streamlined way for agencies to adopt cloud services that meet or exceed the NIST 800-53 standard.
To maintain FedRAMP compliance and embrace the Cloud First policy, agencies may need to take a more proactive approach to auditing their employees’ actual cloud usage while safeguarding data across a myriad of cloud services used by government employees, whether those services are considered sanctioned or not.
The state of federal cloud adoption
An increasing number of government agencies are considering cloud access security brokers (CASB) to analyze their cloud usage while enforcing security and compliance policies. We aggregated and anonymized usage data from Skyhigh’s customer base to show the state of cloud adoption in the US federal government and found that the average agency today uses 859 cloud services, a 15.8% increase year over year. Not surprisingly, shadow IT is pervasive across the board with many consumer and business services in use. At the average agency, 26.9% of services in use last quarter were consumer services (e.g. Facebook, Twitter, LinkedIn, Evernote, etc.); the remainder were enterprise services (e.g. Office 365, Salesforce, Box, ServiceNow, etc.).
Interestingly, personal cloud services dominate the top 20 cloud services in use in government. Ranked by user count, Twitter, Facebook, YouTube, LinkedIn, and Pinterest occupy the top five positions. Illustrating the disconnect between actual cloud usage and government policy, Oracle RightNow and Google Drive are the only FedRAMP-compliant services that make the top 20 list. Because the cloud is so porous and fluid, most agency execs we’ve spoken with acknowledge major concern about unidentified services in use by employees that fall outside their cloud acceptable use policies. This “cloud enforcement gap” has multiple causes, including access policies that are not standardized across all firewalls and proxies, cloud providers introducing new URLs not yet blocked, and exceptions that are applied more broadly than intended.
Across the 859 cloud services in use at the average agency, just 3.3% of them are FedRAMP compliant. The picture is only slightly better when you look at agency data uploaded to the cloud. Just 4.5% of agency data in the cloud is uploaded to FedRAMP-compliant services. That leaves the vast majority (95.5 percent) of agency data stored outside of approved services. With fewer than 100 cloud services that have met its compliance requirements, FedRAMP is one of the most stringent security accreditations. It may be tempting to think that agencies circumventing FedRAMP are using otherwise secure services that have not been approved yet. However, we found that this is not the case. Most cloud services storing agency data lack even basic security controls.
Across the services that store government data, the availability of security controls varies widely. Factoring in all agency data uploaded to the cloud, just 8.7% of data is uploaded to services that store data encrypted. Only 6.8% of data is uploaded to services that commit to not share customer data with third parties such as advertising networks. Only 14.5% of government data lives in services that delete data immediately on account termination. The picture looks a bit more promising when you look at data ownership. A slight majority of data (54.0 percent) is uploaded to services that specify uploaded data is owned by the customer and not the cloud provider.
What FedRAMP accreditation means for cloud security
Over the past 22 months, Skyhigh Networks has been diligently architecting and documenting what is now the world’s first FedRAMP-compliant cloud access security broker. Reflecting on the process, FedRAMP is without a doubt one of the most rigorous security assessments available today. As part of the accreditation process, a Third Party Accreditation Organization (3PAO) assesses cloud providers across a range of controls. In our case, Skyhigh is categorized as a moderate impact-level service. To document our controls, we submitted over 1,000 pages of documentation to achieve certification.
FedRAMP is so stringent that there is a trickle-down effect whereby state and local governments are beginning to rely on FedRAMP when making procurement decisions. FedRAMP is also having a direct effect on foreign government security requirements such as the Canadian ITSB-105. Some aspects also apply to state and local government, such as FedRAMP’s requirements that data be hosted in the United States and that only authorized cloud provider employees who are United States citizens living on US soil can maintain the application. In the private sector, where the cost to evaluate a cloud service can run $15,000 – $20,000 per service and represents a mere snapshot-in-time analysis, accreditations like FedRAMP can significantly streamline the onboarding of new services. Many of the required FedRAMP security controls apply widely across the public and private sectors, including:
- Multi-factor authentication (MFA) or support for SAML
- Audit trails of all user and administrator activity
- FIPS-certified or NSA-approved cryptography
- Contingency and business continuity planning
- Continuous Monitoring (ConMon) for ongoing incident detection and remediation
- Penetration testing and regular security assessments
- Account locking after a number of failed login attempts
- Application of the principle of least privilege
Some of the largest cloud application vendors including Microsoft, Box, Salesforce, and Oracle have made significant investments in security, exemplified in part by their successful completion of the FedRAMP accreditation. Achieving FedRAMP compliance can involve further investments in security controls and processes outside of the purview of one’s own SaaS environment. For example, cloud providers can also inherit certain controls from their infrastructure provider. Amazon, Microsoft, SoftLayer, CSC, Terremark, and VMware provide government-ready infrastructure-as-a-service (IaaS) for cloud providers to accelerate the delivery of FedRAMP-compliant cloud offerings.
How a CASB helps agencies standardize on FedRAMP-compliant services
The cloud access security broker (CASB) fills an important void in cloud security beyond traditional proxies, firewalls, SIEMs, DLP and the like. According to Gartner, the four pillars of functionality for a CASB are visibility, threat protection, compliance and data security. When agencies first deploy a CASB to gain visibility into their cloud usage, they consistently find that the scope of shadow IT usage within their agency is more than 10 times greater than agency-sanctioned cloud usage.
A CASB should provide continuous monitoring and deep analytics of cloud data, showing which services are in use by which employees and their associated anomalous usage patterns. It should also provide a comprehensive risk rating for each cloud service based on objective criteria such as geographic location, legal terms and conditions, data security in flight and at rest, and business risk, to name a few. Armed with this information, agencies can begin to coach and migrate users from shadow IT onto agency-approved alternatives that meet strict standards for security and compliance.
For example, an agency may discover that employees still use 100+ different file sharing services even though an investment has been made in a FedRAMP-compliant cloud service such as Office 365 or Box. Within a CASB, the agency may create a policy to block certain services entirely or perhaps display a notification to users in real time when they attempt to access a service out of policy, thus enforcing the policy, maximizing the investment in their cloud file sharing service and protecting agency data from accidental or willful leakage.
The policy can be implemented using the CASB’s proxy, or through integration between the CASB and the agency’s existing firewall, proxy or SIEM. The right CASB will handle this task in a manner so that the end user is unaware of its existence while the responsible Risk, Compliance and Security teams’ processes are streamlined, thus saving the agency time and guesswork while greatly reducing fiscal waste.
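The visibility step described above (which services are in use, what share of uploaded data lands in FedRAMP-compliant services) and the "cloud enforcement gap" from the earlier section (allowed traffic to a service the policy says to block, often via a newly introduced host the proxy blocklist does not yet cover) can both be checked from proxy logs. The following is an added example, not Skyhigh's code or any real CASB's logic: the log format, the service registry, the host names and the policy lists are all constructed for illustration.

```python
"""Shadow-IT visibility and enforcement-gap check over proxy logs (added example).

Assumptions (all constructed for this example): proxy logs are CSV lines of
timestamp,user,host,bytes_out,action; a small service registry maps host
suffixes to a service name, category and FedRAMP status; the agency policy
sanctions two services and the proxy blocklist lists explicit hosts.
"""
from dataclasses import dataclass

# Constructed registry: host suffix -> (service name, category, fedramp_compliant).
# Two hosts can belong to one service (the CDN upload host is the "new URL" case).
SERVICE_REGISTRY = {
    "office365.example": ("Office 365", "enterprise", True),
    "box.example": ("Box", "enterprise", True),
    "socialnet.example": ("SocialNet", "consumer", False),
    "fileshare-x.example": ("FileShareX", "consumer", False),
    "cdn.fileshare-x.example": ("FileShareX", "consumer", False),
}

# Acceptable-use policy: anything not listed here should be blocked.
SANCTIONED_SERVICES = {"Office 365", "Box"}

# What the proxy actually blocks today: exact hosts only, and the CDN host is missing.
PROXY_BLOCKLIST = {"fileshare-x.example"}

# Constructed sample log lines (not real agency traffic).
SAMPLE_LOG = """\
2016-03-01T09:00:01Z,alice,office365.example,120000,ALLOW
2016-03-01T09:01:10Z,bob,box.example,80000,ALLOW
2016-03-01T09:02:05Z,carol,socialnet.example,5000,ALLOW
2016-03-01T09:03:30Z,dave,fileshare-x.example,0,BLOCK
2016-03-01T09:04:12Z,dave,cdn.fileshare-x.example,300000,ALLOW
2016-03-01T09:05:00Z,erin,unknown-saas.example,25000,ALLOW
"""


@dataclass
class Event:
    ts: str
    user: str
    host: str
    bytes_out: int
    action: str


def parse_log(text):
    """Parse CSV log lines into Event records; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        parts = line.strip().split(",")
        if len(parts) != 5:
            continue
        ts, user, host, bytes_out, action = parts
        try:
            events.append(Event(ts, user, host.lower(), int(bytes_out), action.upper()))
        except ValueError:
            continue
    return events


def lookup_service(host):
    """Resolve a host to its registry entry by longest matching suffix; None if unknown."""
    best = None
    for suffix, entry in SERVICE_REGISTRY.items():
        if host == suffix or host.endswith("." + suffix):
            if best is None or len(suffix) > len(best[0]):
                best = (suffix, entry)
    return best[1] if best else None


def services_in_use(events):
    """Service names seen in allowed traffic; unclassified hosts are reported by host."""
    names = set()
    for e in events:
        if e.action == "ALLOW":
            entry = lookup_service(e.host)
            names.add(entry[0] if entry else e.host)
    return names


def upload_share_to_fedramp(events):
    """Fraction of allowed upload bytes that went to FedRAMP-compliant services."""
    total = compliant = 0
    for e in events:
        if e.action != "ALLOW":
            continue
        entry = lookup_service(e.host)
        total += e.bytes_out
        if entry and entry[2]:
            compliant += e.bytes_out
    return compliant / total if total else 0.0


def enforcement_gap(events):
    """Allowed events that policy says should have been blocked.

    Returns (user, host, service_or_None, reason) tuples for review.
    """
    findings = []
    for e in events:
        if e.action != "ALLOW":
            continue
        entry = lookup_service(e.host)
        if entry is None:
            findings.append((e.user, e.host, None, "unclassified host; needs risk review"))
        elif entry[0] not in SANCTIONED_SERVICES:
            if e.host in PROXY_BLOCKLIST:
                reason = "listed host still allowed: check proxy/firewall exceptions"
            else:
                reason = "host not on proxy blocklist (new or unlisted URL)"
            findings.append((e.user, e.host, entry[0], reason))
    return findings


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("services in use:", sorted(services_in_use(evs)))
    print("upload share to FedRAMP services: %.1f%%" % (100 * upload_share_to_fedramp(evs)))
    for finding in enforcement_gap(evs):
        print("gap:", finding)
```

On the constructed sample the blocked request to `fileshare-x.example` is excluded from the usage figures, while the allowed upload to the CDN host of the same service is flagged as a blocklist gap; this is the "new URL not yet blocked" cause the article names, and the finding is what an agency would feed back into its proxy or firewall policy. Real deployments would replace the inline registry with the CASB's risk database and read logs from the SIEM or proxy export.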
And this is just the start. Taking advantage of a FedRAMP-compliant CASB’s threat protection, compliance and data security capabilities should allow agencies to continue leveraging existing IT security investments while extending those capabilities into the cloud. This is why Skyhigh Networks strictly adheres to a platform approach to data security and governance in the cloud. Our belief is that a CASB should be frictionless and invisible to the end user while providing a centralized control point for all cloud services that would otherwise require individual management.