Back in the 1830s, most Americans lived on farms. Many probably secured their life savings in their trusty mattress. Then a new local bank opens in town promising more security, but has no track record to prove it. People didn’t trust the bank at first; it was new to the area and skeptical farmers felt it was not intrinsically secure.

“Now fast forward to the cloud,” cloud expert and blogger Kevin Jackson said last week as a panelist at the National Institutes of Standards and Technology (NIST) Cloud Computing Forum IV.

The same dynamic that happened with banks is happening with the cloud asserted Jackson during the Cloud Security Assumption Buster Panel.

“Because the cloud is new, people think it is not intrinsically secure,” he said. “We have to build trust in cloud providers, just like we have built trust in the banking system. Over time banks have proven their worth. The same thing will happen with cloud.”

For more than an hour, Jackson and his fellow Assumption Busters eagerly tackled the task at hand – debunking and busting common myths and assumptions about cloud computing.

We have to build trust in cloud providers, just like we have built trust in the banking system. Over time banks have proven their worth. The same thing will happen with cloud.” – Kevin Jackson

They busted common beliefs such as: cloud computing shifts all certification and accreditation (C&A) responsibility from the government to the private sector (not true); that FedRamp currently offers a mature set of security assurance processes (it’s coming); that a final, complete set of cloud standards, governance and compliance procedures exist and are already in place (it’s being worked on); and that cloud is a reliable means for achieving real cost savings (yes, but not for every application).

Joining Jackson, General Manager, Cloud Services at NJCC, LLC on the panel were:

• Curt Barker, Associate Director, ITL and Chief Cybersecurity Advisor, NIST (Chair)
• Bill Newhouse, Cybersecurity Advisor, Computer Security Division, NIST
• Ron Knode, LEF Research Associate, Computer Sciences Corporation (CSC)
• Min Hyun, Senior Security Strategist, Microsoft

After Barker started the session by listing some common cloud assumptions mentioned above, the Assumption Busters eagerly went about busting the No. 1 cloud computing myth: Cloud computing is intrinsically insecure and poses privacy and security threats to customer information.

Assumption Busted: Cloud Computing Is Intrinsically Insecure

Jackson conceded the cloud can’t be secure for everything. But “it is certainly secure for many agency requirements and needs,” he asserted.

“It is important to understand how cloud business and economic models match your own mission and requirements needs. To make the cloud secure, you must know how you are using it,” he noted. “The process of enforcing security in the cloud is different. It’s not the same. The old way of doing certification and accreditation (C&A) one time and then waiting three years won’t work in the in the dynamic cloud environment.”

Jackson said the continuous monitoring regimen required by FedRamp is “out of the view of many federal professionals. Security is not something you do periodically, but something you do continuously. In the end, cloud is different and it requires a change in mindset.”

Cloud is a 180-degree change in way agencies consume technology according to Jackson. Before agencies developed policies and built IT to match it. In cloud computing you have providers building solutions to focus on a specific customer set and then you must build policies around that.

“Understanding cloud operational model and economic models and leveraging them require a re-education of your technologists, your managers and your financial team, because this is different.”

NIST’s Bill Newhouse agreed noting that the assumptions around hardware and software trust anchors are often a religious argument with some. He said for progress to be made there needs to be a more transparent hardware and software security.

“If we could answer question what does risk look like, then we could answer a lot of questions about what type of cloud to use, we could do all the statistical analysis.”

Assumption Busted: No One Understands My Unique and Special Needs

In order to bust assumptions, you first have to know what assumptions need to be busted said CSC’s Ron Knode.

Topping Knode’s list is the common lament, “no one really understands my cloud security needs, and ergo I must start from scratch.” He explained that customers want a cloud implementation and operations template that fits their present and future needs into neat little boxes they can check off.

But since there are so many alternatives and cloud services available, Knode said the fallback is “there is no template I can use to put all the necessary pieces together to create (or buy) a cloud service that is trusted enough for me. I will never have the time or horsepower to go through all the steps or check all the circumstances of security for my cloud needs!”

“The revolutionary part of cloud is as a consumption mode,” he explained. “Technology is the evolutionary part of cloud. The big obstacle is the belief that because all is not ready, there is no payoff now. I don’t know anyone who wants to put everything in the cloud, but everyone wants to put something in the cloud.”

Those are conflicting messages and there is a difference in expectation and assumptions about what customers think they are getting when buying cloud services. “Figuring out how to pay for only what you use is tricky,” noted Knode. “Let the workload be the guide. Different workloads have different cost frameworks and what is included.”

Assumption Busted: One Size Fits All, All Providers Are the Same

Microsoft’s Min Hyun took aim at the myth that all vendors are the same. “All vendors are not the same,” she asserted. “Each has different stacks of security and different levels of service; some cover to the hypervisor level, some do not. Not one size fits all.”

She also stressed that the agency is still ultimately responsible.

“While the cloud service provider does undertake some risks and controls, policy decisions still reside within the agency,” Hyun said. “The agency is still responsible for what level of access person has; the same for data categorization – what is classified and what is not? – those are not cloud provider decisions.”

She explained it is important to know about the different cloud deployment models and types, but whatever model chosen has to meet the individual needs of the customer and align with the business needs.

“There must be responsible communication between the organization and cloud provider, so you know what exactly you need to do or are responsible for,” she said.

She also called for more education both inside and outside the CIO shop, especially so procurement personnel can learn more about what the cloud offers and how to leverage it.

Assumption Busted: My Information Can’t Be In the Public Cloud

When you change from a security risk adverse mindset to a risk management mindset, all security assumptions are “busted from the get-go,” added Jackson.

For example, in Washington, DC, the traditional mindset is you don’t want to be on the front page of the Washington Post. “If you don’t, then don’t put any of your sensitive information in the public cloud. It is not safe enough. However studies show that 95 percent of information agencies hold is public information anyway, so ‘what is the holdup?’ Now you want to have it be on the front page of Post.”

Use that as a measuring stick.

“What is the risk of the information winds up on the front page of the Post? If there is no risk, go to the public cloud, if there is significant risk go to a private cloud,” he said.

For information in the middle, in gray areas, Jackson said this is where you have government community clouds such as the one run by GSA. “That is where you have a cloud environment with other tenants just like you. Those other tenants have to meet the same laws and security levels you do. Leverage the community clouds government provides.”

“Risk is in the eye of the beholder,” added Knode. “If you have a risk management function, protocol and governance structures aligned for the cloud, then let the workload be your guide.”