Cloud Storage and Computing

This page will provide some background information on what the cloud is, why you might want to use if for storing data or running applications, and how to secure DSHS data if it is stored there.

What (and Why) is the Cloud?

The term "cloud" is being heard more and more often in relation to computing. This is because cloud storage and cloud computing can bring several advantages to the business. But what is the cloud? In computing terms, cloud is really just a term for using servers and storage outside your business and in an environment that is hosted, managed, and maintained by a cloud provider; these cloud servers are accessible from the Internet, which is fantastic for efficiency but risky from a security perspective.

Cloud storage generally comes with a cost savings for any moderate to large business.

  • It outsources the storage of your data, and the maintenance of all the storage components in a way that can reduce your cost.
  • It allows your data to be available at any time, to anyone you grant access to, from anywhere with an Internet connection.
  • It facilitates disaster recovery and business continuity by, on the low end, allowing you to have a second, "back up" copy of your data that you can retrieve if your on-site data is lost due to a catastrophic event. On the high-end, your data can be replicated in the cloud in multiple locations, so no regional disaster can wipe out your data.
  • It allows you to access applications, databases, and other resources from a computer over the web using a client like a browser or small, local application. This makes it easier to provision those resources, since they do not have to be installed and maintained in multiple local locations.

These benefits make the use of cloud storage attractive for many businesses, and many applications that you can purchase today come with cloud storage baked in. Many mobile applications in particular use the cloud to save space on the mobile device and to make your data available to any device or computer you use.

Securing the Cloud (Consumer Grade)

The section above explains why the cloud may be beneficial, but there are always security considerations with any technology. In the case of cloud services, the data, in this case DSHS confidential data, will be out of the control of either the agency or the contractor. There are two approaches to protecting this data; either do it yourself, or let the 3rd party cloud provider provide the security.

Do it yourself - This solution only works if the cloud is being used for storage, and does not work if the cloud is providing applications, infrastructure, or frankly anything other than pure data storage. In this case, the DSHS data must:

  • Be encrypted while on an authorized computing device, either a state computer or, more likely, a contractor-owned and administered computer;
  • Remain encrypted when being transmitted to the cloud storage;
  • Remain encrypted while on the cloud provider’s site; and,
  • The key required to decrypt the data must never be accessible to anyone other than authorized contractor or DSHS staff.

The above is spelled out in detail within the Data Security Requirements Exhibit of the contract.

Cloud Storage Encryption Resources

There are many programs and utilities that will allow you to encrypt your files on your computer, prior to sending them to the cloud for storage. Some of these are completely free, many allow free use for a limited version or for a trial period, and the majority have an associated cost but are still relatively inexpensive.

Some popular utilities, such as WinZip and 7-Zip, allow you to compress and encrypt your files, saving storage space and protecting the data. Other encryption tools such as Sophos Free Encryption, Cloudfogger (which focuses on encrypting files for cloud storage), and AxCrypt will work well for protecting the data while it's not under your direct control. HOWEVER, please note that it is your responsibility to use these tools correctly, in order to ensure that adequate protection is applied to DSHS data. It's not enough to have the tool, contractor staff who use these tools must be aware of how to use the tool to ensure that they have strong encryption applied correctly.

For more information, GFI Software has some information on these and other tools that can be used for encryption of data that will be stored in the cloud.  https://techtalk.gfi.com/the-top-24-free-tools-for-data-encryption/

Key Management

Outside of ensuring that encryption prevents unauthorized access to the data, the most important consideration is key management, which is the process by which the key is stored to ensure that it is not lost, and protected to ensure the data isn't compromised. One characteristic of strong and effective encryption is that, if the key that is used to decrypt the data is lost, the data is effectively lost as well. Therefore, store the key in a secure place, secure from both access by unauthorized individuals, as well as secure from loss. Remember, losing the key is synonymous with losing your access to the data.

Securing the Cloud (Enterprise Grade)

In addition to storage of files, the cloud can be used to:

  • Host application software and databases, Software as a Service (SaaS)
  • Offer computing infrastructure such as virtual machines, Infrastructure as a Service (IaaS)
  • Provide a development environment to application developers, Platform as a Service (PaaS)
  • Provide other services/functionality to business customers.

In these cases, and for large scale file storage with redundancy and backup, the consumer grade solution of encrypting and decrypting files locally while storing them in the cloud just doesn’t work due to the scale. For this type of business or enterprise class cloud functionality, FedRAMP certification is required.

FedRAMP

FedRAMP is a process which federal agencies are required to use when determining whether the security provided by a cloud provider is sufficient for the data being stored or processed. FedRAMP requirements are compliant with the Federal Information Security Management Act of 2002 (FISMA) and based on National Institute of Standards and Technology Standard (NIST) 800-53 rev3.

Cloud providers submit specific services for assessment to an authorizing entity. This entity assesses the service to ensure that it meets all the requirements necessary to allow federal agencies to use those services. FedRAMP applications from cloud providers can be in one of three states, Authorized, Ready, and In Process. DSHS confidential data can only be stored or handled by providers whose service is either FedRAMP Authorized or FedRAMP Ready. Here is what the two designations mean:

  • FedRAMP Authorized - The cloud provider has submitted documentation and completed all the requirements necessary to allow their use by federal agencies.
  • FedRAMP Ready - The cloud provider has been initially assessed and the FedRAMP Ready status is an indicator that the service can achieve FedRAMP authorization.

While DSHS contractors are allowed to use FedRAMP Authorized and FedRAMP Ready cloud services, it is the responsibility of the DSHS contractor to ensure that the cloud service is configured in such a way as to protect DSHS data as described in the contract. A badly configured cloud service will not protect agency data, regardless the amount of scrutiny and assessment that it has undergone. The contractor must work with the cloud provider to ensure the required level of security.

For more information on FedRAMP, see: