That’s the word from a new survey from nCircle, which quizzed more than 100 respondents in the federal IT security community (including senior management, IT operations, security professionals, and risk and audit managers from government agencies and contractor organizations) regarding key federal security initiatives such as cloud computing and mobile device security.
"In the current economic and political environment, IT initiatives perceived to cut agency costs, like cloud migration and [bring-your-own-device], are moving forward rapidly and require increased focus from agency IT security personnel," said Keren Cummins, nCircle's director of federal markets. "These same professionals report a disconnect between the pace at which these initiatives are evolving and agencies' ability to effectively secure them. Given the rapid changes in agency IT environments driven by the push to cut costs, it's easy to understand why compliance is an increasing concern."
In fact, amid confusion about the right security approach, fully 95% of agency respondents indicate that one-third or less of their infrastructure has migrated to the cloud, well behind general business trends.
And even though the Federal Risk and Authorization Management Program (FedRAMP) provides a risk-based approach for the adoption and use of third-party cloud services, only 13% of respondents acknowledge a role for FedRAMP in advancing their cloud strategy. A further 53% have not determined a role for FedRAMP at all, even though it gives federal departments and agencies standardized security requirements for the authorization and cybersecurity of cloud services at selected information system impact levels.
"Only a very small percentage of respondents acknowledge a role for FedRAMP's baseline security controls in advancing their migration to the cloud," said Cummins. "Perhaps security is not an issue for the remainder, but it appears that FedRAMP still has some work to do to communicate the benefits of its security guidance. Thus far, it is not resonating and/or building confidence among agency heads, enough to significantly advance their move to the cloud."
However, nCircle found that while the federal cloud initiative is moving slowly, confidence is growing in the technology and policies that can support higher-risk use of the cloud: more than 30% of respondents report that they are migrating moderate-impact data.
On the separate but related front of mobility, a healthy 82% of respondents said they have a mobility/bring-your-own-device (BYOD) security policy in place, and 91% of those with a policy enforce it. Yet 62% of federal respondents said they have no strategy for monitoring the variety of mobile devices being introduced into the government space, so mobile device management implementation lags behind policy and opens up additional risk vectors. Concerns span the full range of mobile devices, with Android and iPhone cited as the greatest concerns in the federal government.
"Interestingly, when asked about their plans for monitoring such devices, almost twice as many folks do not have a strategy for monitoring the variety of mobile devices being introduced into the government space as those who do," Cummins noted. "As industry steps up with more mobile monitoring solutions, I suspect we will see a shift in this data."
Overall, nCircle has determined that the weight of compliance may be getting in the way of effective security policy implementation. "When you ask a question about 'security' concern and a large percentage of people direct their response toward 'compliance', it is an indication that we have our priorities in the wrong place," said Cummins. "As an industry, we are trying to get people to think about 'threat-directed' security. Let's hope that compliance is not considered a threat to federal IT security personnel. The government needs to make certain that compliance initiatives are contributing to security rather than getting in the way."