While the U.S. government is planning on using cloud computing services to significantly reduce IT costs, several lawmakers and government IT experts expressed concern over data security risks, as agencies rely ever more increasingly on the security efforts of vendors.
Lawmakers pointed out that agencies have already begun moving their data to the cloud before the White House Office of Management and Budget (OMB) and supporting agencies have developed a government-wide security strategy, according to Gregory Wilshusen, director of information security issues at the U.S. Government Accountability Office (GAO).
The use of cloud computing can also create numerous information security risks, Wilshusen told the U.S. House of Representatives Oversight and Government Reform Committee. These risks generally relate to dependence on the security assurances and practices of a service provider and the sharing of computing resources.
The GAO released a report, stating that the Office of Management and Budget (OMB) has detailed a strategy that it says addresses many of the security challenges, including agency-specific guidance, the appropriate use of standards, and the division of cybersecurity responsibility between agency and provider.
In addition, the National Institute of Standards and Technology is working on formal guidance, which will be available for comment in September, to address cloud computing security issues lacking in existing NIST documentation on federal cybersecurity requirements. NIST recently released a similar document dealing with virtualization.
"Both federal and private sector officials have made clear that existing guidance is not sufficient," the GAO report said. The report recommended that NIST "issue cloud computing information security guidance to federal agencies to more fully address key cloud computing domain areas that are lacking in SP 800-53, such as virtualization, data center operations, and portability and interoperability, and include a process for defining roles and responsibilities of cloud computing service providers and customers."