An audit of the US Postal Service cloud found that its contracts did not comply with the agency’s security standards, mainly because there is no designated group in the agency responsible for managing cloud services.
According to a report released Sept. 4 by the US Postal Service Office of Inspector General, US Postal Service management did not appropriately monitor applications or complete the required security analysis process for three cloud services reviewed. The agency also failed to have suppliers and their employees sign non-disclosure agreements.
By failing to have “proper knowledge of and control over applications in the cloud environment, the Postal Service cannot properly secure cloud computing technologies and is at increased risk of unauthorized access and disclosure of sensitive data.”
The information gathered from the audit will be consolidated to determine how successful the federal government is at protecting data in the cloud as it continues to implement its Cloud First policy across agencies. In April, the Department of Defense outlined its strategy for moving to the cloud, including creating security requirements prior to the migration.
The Postal Service cloud security policy requires its cloud service providers to be FedRAMP-certified, but according to the audit findings, this wasn’t always enforced. In four contracts, the Postal Service did not require CSPs to become FedRAMP certified because the personnel assigned to monitor the cloud services were not aware of all the contractual obligations or the agency’s cloud computing requirements.
While there is a growing number of cloud providers certified with FedRAMP, a lack of training and decentralized cloud management seem to have been behind the Postal Service’s bungled cloud service implementation.
In the UK, 83 percent of civil servants have had a poor experience with the public sector cloud, according to a report on the state of the UK federal government’s cloud first policy. More than half said that their agency lacked the technical skills to implement and manage a cloud environment. It wouldn’t be too surprising if the US Postal Service reported similar frustrations.
According to the audit, the agency has not defined “cloud computing” and “hosted services” and also does not have an enterprise-wide inventory of cloud services and contracts.
“The policy provides an overview of cloud computing initiatives and lists general roles and responsibilities; therefore, management and personnel in various functional areas have different interpretations of cloud computing and its associated capabilities,” the report says. “Without effective management of cloud computing technologies, the Postal Service cannot properly govern and assess the risk associated with these technologies.”
A lack of organization and management could defeat the purpose of moving to the cloud to save money and improve ROI, especially as the agency fails to cash in on SLA credits or doubles up on cloud efforts.
Government cloud adoption is expected to see slower growth, which should give agencies the time to catch their employees up and give them the proper training.
This article originally appeared at: http://www.thewhir.com/web-hosting-news/us-postal-service-cloud-hodge-podge-creates-unnecessary-security-risks-audit