George Moraetes, vice president, chief security officer and architect at Securityminders, has said federal agencies should take several measures to evaluate cloud service providers for compliance with the Federal Risk and Authorization Management Program, one of which is a cloud risk assessment.
Moraetes wrote in a guest piece published Thursday on IBM’s Security Intelligence that agencies that aim to move workloads to the cloud should classify data based on sensitivity and type.
“You may also want to perform a security assessment to determine whether a public, private or hybrid cloud solution carries more or less risk than simply hosting the data on-premises,” he noted.
He also called on organizations to develop a security policy in an effort to outline the risks and controls related to a cloud platform and identify applications and data that are suitable and secure enough for cloud migration.
Moraetes noted that CSPs offer cloud platforms through software-as-a-service, infrastructure-as-a-service and platform-as-a-service business models.
“These common cloud services should be evaluated according to the organization’s cloud security policy and risk assessment,” he added.
Agencies should also evaluate CSPs based on authentication protocols, data backup, encryption, data deletion, security procedures and data ownership, Moraetes wrote.