Is FedRAMP the cloud security standard we've been waiting for?
This article is part of the July / August 2014 Vol. 16 / No. 6 issue of Information Security magazine
The Federal Risk and Authorization Program was launched in June 2012 to support the adoption of standardized cloud services among federal agencies in response to President Barack H. Obama's "cloud first" policy -- a move intended to reduce the government's IT spending by cutting the number of data centers in use and sharing computing resources. To continue working with the federal government, cloud service providers (CSPs) had to apply for an authorization to operate (ATO) via either the FedRAMP Joint Authorization Board (JAB) or directly through a government agency by June 5, 2014. It's a feat that 12 CSPs have completed to date -- Akamai Technologies, Amazon Web Services, HP, IBM, Lockheed Martin, Microsoft and Oracle among them -- with dozens more stuck in a lengthy queue. While FedRAMP was created to save federal agencies both time and money ($40 million so far based on FISMA reporting), the accreditation program has been touted in some corners as a standards-based cloud security approach that could serve as a model for ...
Features in this issue
Big data offers horizontal scalability, but how do you get your database security to scale along with it?
Immature products and a lack of standardization raise critical questions about first-party risk and third-party liability.
FedRAMP raises the bar for security among applicable cloud providers, but can it influence broader cloud computing contracts and standards?
This Beyond the Page examines how some enterprises are protecting their big-data ecosystems with encryption, security data analysis and visualization.
Columns in this issue
Security deserves a seat at the risk management table.
Marcus Ranum chats with Columbia University's Joel Rosenblatt to learn how "apples to apples" comparisons helped automate critical security processes.
Threat intelligence feeds help you prioritize signals from internal systems against unknown threats. Security intelligence takes it a step further.