FedRAMP Does Not Guarantee Data Security

The cloud and data security go hand-in-hand. While cloud computing provides valuable IT architectures and solutions for government agencies, it also requires them to relinquish data security to public cloud service providers. 

A cohesive risk management program, the Federal Risk and Authorization Management Program (FedRAMP), is described on the program’s website as a “standardized approach to security assessment, authorization and continuous monitoring for cloud products and services” created to be used throughout the federal government. It saves individual agencies time not only by supporting initial security evaluation but also by continuously monitoring the security of each cloud. Due to the varying needs of each agency, however, the FedRAMP process was designed to find solutions that align only with broad government needs.

Unfortunately, FedRAMP doesn’t mean your data is secure, nor does using the services of a cloud service provider (CSP) that is FedRAMP-certified, such as Amazon’s Simple Storage Service. That only means that the CSP has been vetted and has the capability to protect the data as mandated by the FedRAMP requirements. Also, the CSPs do not guarantee separation of duties with respect to data storage, encryption and key management, even though that separation is one of the bedrocks of true data security. The agency that owns the data has no way to know who has seen it in an unencrypted state or how many people have access to the encryption keys. In short, a government agency that relies on a CSP to encrypt its data and store and manage the keys has only the insight and control over its data security that the CSP lets it have.

In May 2017 the president issued an executive order meant to strengthen the cybersecurity of federal networks and critical infrastructures by holding an agency’s management responsible if the data is breached or otherwise compromised—even if the data security task is assigned to a third party. This reinforces the Federal Information Security Modernization Act of 2014.

In response to that executive order, the Cloud Security Alliance developed a set of guidelines specifically for data owners, such as federal agencies, to highlight the need to define roles and responsibilities for both CSPs and data owners. Per these guidelines, the CSPs remain responsible for securing, managing and monitoring their environment and facilities. However, data owners also retain the responsibility to protect their data in the cloud.

The alliance suggests that the best way to protect data in the cloud is for data owners to encrypt data before handing it over to a CSP and to retain control of the encryption keys. Following these guidelines ensures that data security remains under the control of the agency that owns the data, rather than the external CSP, its employees, vendors, consultants, subcontractors or anyone else who can gain access via the CSP. This substantially reduces the agency’s risk exposure.

Manage The Keys, Protect the Data

Perhaps even more important, key management is critical to controlling and maintaining data security whether or not a data owner encrypts before data goes to the cloud. There are eight essential elements of an effective agency key-management policy:

1. Following current standards. Effective key management must be built on a solid foundation. Knowing and following the National Institute of Standards and Technology's Recommendation for Key Management (SP 800-57 Part 1) standards is not just a guideline. It’s a requirement.
2. Preventing individual total access. Strong governance policies are critical to successful encryption strategies. For example, no single person should be responsible for key management duties, control and knowledge. These elements must be separated, doubled up and split between several parties. This ensures that no one person has full control over the platform.
3. Planning for the future. Agencies must be flexible enough to change or augment their encryption standards to meet new regulatory requirements or organizational changes.
4. Centralizing control. A key and policy manager should define user profiles and detail appropriate access to encryption resources, managing them centrally through a security administrator.
5. Retaining control. For transitions to a cloud environment, it is best to keep control by implementing on-premise key-management capabilities, rather than relinquishing encryption keys to CSPs.
6. Logging comprehensively. The core key management program component of keeping comprehensive event logs and audit trails is even more critical in a government environment than other circumstances. PCs, tablets, smartphones, IoT devices and drones create unique challenges as data is accessed in unsecure environments and potentially on unsecured devices.
7. Integrating and unifying. Security software doesn’t know or care about what data it’s encrypting. Whenever possible, use one centralized solution to support fields, files and databases. Demand that your key management product support application program interfaces that allow your company the flexibility to use that server for multiple encryption products and different encryption processes.
8. Consolidating systems. Lastly, keep third-party integration in mind. Encryption solutions are often not integrated with the applications they will be used with, but there are many benefits to using one solution for multiple types of applications. Look for an integrated solution that meets standards for key management interoperability protocol and that undergoes regular interoperability testing.

Sensitive data is always at risk whether stored in the cloud or on premises. FedRAMP decreases cloud security risks by ensuring that the CSP provides a basic set of functionalities, but it does not eliminate the risk. Implementing strong encryption and key management standards remains the responsibility of the federal agency that owns the data.

Bob Gourley is a co-founder and partner of Cognitio and the publisher of CTOvision.com and ThreatBrief.com. His first career was as a naval intelligence officer, which included operational tours in Europe and Asia. Gourley was the first director of intelligence (J-2) at Defense Department’s cyber defense organization JTF-CND. Following retirement from the Navy, he was an executive with TRW and Northrop Grumman, and then returned to government service as the CTO of the Defense Intelligence Agency (DIA).

Jane Melia, Ph.D., is vice president of strategic business development at QuintessenceLabs, a provider of quantum cybersecurity solutions and maker of quantum random number generators.