As both government and commercial organizations move to the cloud, there are a growing number of initiatives to assist with cloud security. What follows is a discussion of some of the U.S. Government initiatives to move to the cloud and to provide standards and architecture guidance for government entities and for commercial offerings.
The Federal Risk and Authorization Management Program (FedRAMP) is a cloud risk management and authorization program run under the auspices of the General Services Administration (GSA). Its focus is assessing whether cloud products and services are secure enough for use by federal agencies and granting them a government-wide authorization. This complex and rigorous authorization is coveted by commercial cloud providers as a valued selling point to both the public and private sector. NIST Special Publication 800-53 Revision 4, SP 500-292, SP 800-198 and the industry Cloud Security Alliance (CSA) certification program (the CSA Security, Trust & Assurance Registry, STAR) contribute standards that inform the FedRAMP program.
NSA has published information and security guidance for cloud security, covering the shared responsibility model, cloud components, common vulnerabilities, and mitigations.
DoD's Joint Enterprise Defense Infrastructure (JEDI) program is a controversial $10B single-award competitive contract, awarded to Microsoft. JEDI is intended to provide cloud services to the DoD mission (including classified data and applications), allowing secure information sharing and standard cloud IT operations from the generals to the troops on the ground. Amazon has protested this award.
milCloud 1.0/2.0: In 2013 the Defense Information Systems Agency (DISA) began offering in-house cloud computing services to interested DoD agencies and military commands via milCloud 1.0. The intent was to encourage a shift from conventional data center hosting into a cloud environment and to raise the comfort level of using this new environment while the data remained on premises. The offering was a success, and milCloud 2.0 goes a step further by using a commercial cloud provider/service as the host, initially for unclassified information while working toward the certifications needed for higher classifications. As this unfolds, a major question will be how milCloud fits in with the JEDI program.
DISA's Secure Cloud Computing Architecture (SCCA) is a suite of enterprise-level cloud security and management services. It provides a standard approach to boundary-level and application-level security for DoD workloads in commercial clouds (its building blocks include the Cloud Access Point, the Virtual Data Center Security Stack, Virtual Data Center Managed Services and the Trusted Cloud Credential Manager). While the document is intended for government use, the architecture, standards and explanations are relevant to commercial products as well.
ICITE C2S: The Intelligence Community Information Technology Enterprise (ICITE) Commercial Cloud Services (C2S) initiative was a fundamental shift away from historical agency IT models (i.e., conventional IT stovepipes) toward a common architecture and shared service platform at the Top Secret level. There are many components to this initiative, but a major one is moving information and applications to the cloud. The IC chose the commercial Amazon Web Services (AWS) cloud and encouraged its customers to move workloads to it, beginning with sensitive but unclassified ones, while keeping those customers responsible for their own specific regulatory and compliance requirements.