A relatively new certification for cloud providers is “changing the game” for cloud data security, VMware’s cloud management security and compliance evangelist, George Gerchow, told a packed audience at Advisen’s San Francisco conference this week.
The Federal Risk and Authorization Management Program (FedRAMP) is a government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services.
The standard began operating in June 2012 and allows joint authorizations and continuous security monitoring services for government and commercial cloud computing systems intended for multi-agency use.
FedRAMP is also rapidly becoming the de facto standard for cloud security among corporations, according to Gerchow.
The additional security that the government endorsement provides is leading a wave of private-sector corporations to rush their data onto the cloud.
“Boards of directors are saying to their business heads: ‘if it’s good enough for the government, it’s good enough for us’,” Gerchow told the 150-strong audience at the Cyber Risk Insights Conference in San Francisco on March 11.
Gerchow noted that the capital expenditure savings of migrating data to cloud providers were also a large draw for businesses. He added that IT departments are “disappearing” as businesses move to the virtualization of their data.
However, the freedom that virtualization and the cloud bring to corporations comes coupled with risk. Gerchow noted that, ultimately, the corporation remains undeniably responsible for its own data, even if it is outsourced to the cloud.
In a separate panel at the Advisen conference, Cisco’s cloud compliance and data privacy strategy leader Evelyn de Souza warned that any large decision made around a company’s data needed to be a “mixture of policy, process and technology”.
“Mission critical access to information has to be a boardroom decision,” de Souza said. “If your board is rushing out to adopt cloud, you need to be on top of the risks and understand who has responsibility for protecting that data.”
Fellow panelist, Russell Cohen – a partner at Orrick, Herrington & Sutcliffe – added that it was important to choose your data cloud provider carefully and ask if they have insurance in place.
“Even if you outsource the data, it has your name on it,” Cohen said. “You will get the calls from regulators, customers, etc., if that data is compromised, so it is also important to make sure you have the insurance in place as well to cover cloud.”