Reducing Information Security Risk with Cloud
Information Assurance Analysis

Igor Pedan, MBA, PMP, PSM

“Cloud computing is often far more secure than traditional computing, because companies like Google and Amazon can attract and retain cyber-security personnel of a higher quality than many governmental agencies.”
Vivek Kundra, 2010 former Federal CIO of the United States

Introduction Rise of cloud computing technology in recent years has fueled discussions and concrete actions by the federal government to take advantage of significant cost savings promised by the concept. Shrinking IT budgets, emergence of powerhouse providers of cloud services such as Amazon and Terremark, and recent Executive Orders are driving federal agencies to adopt and implement cloud as part of their overall information technology strategy. While certain benefits of cloud technologies are undisputed, security and reliability of cloud services remain major concerns preventing their adoption. This situation is compounded by a number of security incidents that are a problem for both the users/adopters and service providers. Users are concerned that they may not be able to access service or that the confidentiality of their data may be compromised. Service providers are concerned their reputation may be (and likely will be) jeopardized (Ackermann, 2012).
In my personal opinion, security concerns of cloud environment based simply on cyber security incidents experienced by cloud service providers can only be compared to fear of flying. According to the National Highway Traffic Safety Board Administration data, CY 2012 saw over 33 thousand fatalities related to motor vehicle accidents (FARS Data Tables: NCSA Data Resource Website). In the same year, according to the National Transportation Safety Board, there were 449 fatalities across all segments of US Civil Aviation (Summary of US Civil Aviation Accidents: NTSB). Based on these statistics, flying is far safer mode of transportation compared to driving. However, “it may feel more dangerous because risk perception is based on more than facts”, according to David Ropeik, risk communication instructor at Harvard School of Public Health. Driving affords more personal control, making it feel safer. In addition, car crashes happen every day and spread the loss of life over time, making their combined effects less noticeable (Locsin). Similar to this, cyber incidents such as Distributed Denial of Service (DDoS) attacks on a single entity may be more frequent and the effects far more damaging to that organization, but is potentially less noticeable than infrequent successful DDoS attack on properly prepared cloud service provider that impacts multiple organizations at the same time.
In this paper I intend to discuss top perceived security concerns of cloud environments based on CIAAN framework of confidentiality, integrity, availability, authenticity, and non-repudiation, and highlight some specific characteristics of cloud computing technologies that can provide more secure IT operating environment to government agencies.

Risk Assessment
Technology and architecture that enable cloud computing have their roots in the days of mainframe computers, client-server applications, and early Internet. So, while both concepts have some similarities from risk and vulnerability perspectives, it would be a mistake to assume that they are the same. Cloud environments possess different attributes, including different capabilities, risks, and security concerns. However, despite many arguments that cloud environments are less secure, according to a study conducted by the Defense Science Board, “with the proper implementation and operations, cloud computing data centers have demonstrated as good or better cyber security, capabilities, and cost than is currently available in Department of Defense (DoD) data centers. These improvements, however, are by no means guaranteed for every case and