The rise of hybrid clouds in general has ballooned the amount of encrypted traffic that cloud service providers’ solutions need to address. One question that comes up a lot is, if encryption truly plays a “key” role in keeping data in the cloud secure, how does that relate to FedRAMP authorization?
When government organizations place their data into public or private clouds managed by a FedRAMP authorized CSP, they can be sure their data is protected to the broad level demanded by FedRAMP, but the approach taken by the client and the CSP toward encryption and key management is crucial to realizing full protection. When a CSP is assigned the encryption task, it stands to reason that the client company has given up a major degree of control. The client must rely on the CSP’s best practices to deliver the security benefits encryption can provide.
It’s worth noting that, by executive order, managers of government agencies are held responsible for data breached, even if a CSP is handling encryption implementation. So, while CSPs manage the hardware environment and infrastructure, their clients should be aware of their own responsibility for data protection in the cloud.
Data Owners Be Aware…
To minimize danger of a breach, many government data owners encrypt before sending information to the cloud. In this case it makes sense for the owner to retain control and management of the keys, as well. If no one at the CSP has access to encryption keys, it shuts the door on an extensive list of potential bad actors—employees, consultants, partners, and more.
One suggestion worth heeding is that data owners should “go by the book” and follow the NIST’s standard guidelines for key management. This includes many good directives, such as a prohibition on any single person having full control—divide the duties, divide the exposure risk. It’s important to keep complete audit trails. Someone needs to act as the security administrator, and it is recommended to keep that coordinating role on the client side.
A knowledgeable CSP with extensive security experience can be a big help in planning the optimal encryption solution that fits the unique needs of government entities. For instance, in some cases going with hardware-based encryption technology may be an option worth exploring.
Takeaway: Personal and mission critical government data is only safe if it is encrypted both at rest and in transit across networks and to and from the cloud. While FedRAMP authorization indicates a CSP can deliver on important basic data security measures, it takes encryption and key management to finish the job of bringing agency cybersecurity up to enterprise standards, and this part of the security puzzle should ideally fall under the responsibility of the client. Working with a knowledgeable CSP can take much of the burden off the agency that owns the data.
This useful article in CyberEdge outlines eight points agencies should keep in mind when planning to work with a FedRAMP certified CSP to handle encrypted data.
For our clients, VAZATA does the research, then prescribes a cybersecurity approach and recovery regime that best meets each customer’s specific needs. Many factors, from hardware configuration to choice of encryption technology must be considered in order to best mitigate your unique risk from cyber threats efficiently and affordably.
Can VAZATA conduct a Needs Assessment for your business? Why not contact us today?