Benefits & Risks of moving Federal Information Tech into the Cloud: A GAO Report

The US Government Accountability Office (GAO) did a study on the benefits and risks of moving federal information technology into the cloud and released a report titled ‘Governmentwide Guidance Needed to Assist Agencies in Implementing Cloud Computing’ summarizing it’s findings.

An excerpt from the findings is as below:

Cloud computing has several service and deployment models. The service models include the provision of infrastructure, computing platforms, and software as a service. The deployment models relate to how the cloud service is provided. They include a private cloud, operated solely for an organization; a community cloud, shared by several organizations; a public cloud, available to any paying customer; and a hybrid cloud, a composite of deployment models.

Cloud computing can both increase and decrease the security of information systems in federal agencies. Potential information security benefits include those related to the use of virtualization and automation, broad network access, potential economies of scale, and use of self-service technologies. In addition to benefits, the use of cloud computing can create numerous information security risks for federal agencies. Specifically, 22 of 24 major federal agencies reported that they are either concerned or very concerned about the potential information security risks associated with cloud computing. Risks include dependence on the security practices and assurances of a vendor, and the sharing of computing resources. However, these risks may vary based on the cloud deployment model. Private clouds may have a lower threat exposure than public clouds, but evaluating this risk requires an examination of the specific security controls in place for the cloud’s implementation.

Specifically, several agencies stated concerns about:

• the possibility that ineffective or non-compliant service provider security controls could lead to vulnerabilities affecting the confidentiality, integrity, and availability of agency information;

• the potential loss of governance and physical control over agency data and information when an agency cedes control to the provider for the performance of certain security controls and practices;

• the insecure or ineffective deletion of agency data by cloud providers once services have been provided and are complete;

• potentially inadequate background security investigations for service provider employees that could lead to an increased risk of wrongful activities by malicious insiders.

Multi-tenancy, or the sharing of computing resources by different organizations, can also increase risk.

The complete report can be found here.