Securing Government Clouds Preparing for the Rainy Days

Transcription

1 Securing Government Clouds Preparing for the Rainy Days Majed Saadi Director, Cloud Computing Practice

2 Agenda 1. The Cloud: Opportunities and Challenges 2. Cloud s Potential for Providing Government Services 3. Strategizing for a Cloud-Based Government 4. Stratify: a Cloud Security Framework 5. Questions

3 Updated: 6/15/2012 SRA at a Glance Founded in 1978, SRA is dedicated to delivering innovative solutions to the US Federal Government. Approved FedRAMP 3PAO Assessor Current Cloud Vehicles Army Private Cloud (APC2) GSA as a Service (EaaS) GWAC FedRAMP 3PAO 90% of FY11 $1.7 billion in revenue generated as a prime contractor More than 6,300 employees across the country and around the world SRA Proprietary 3

4 4 SRA s Cyber Security Heritage SRA has always been focused on the protection of the Federal Government, beginning with Continuity of Operations work in the late 80s Developed the First Automated System Security Evaluation and Remediation Tracking Tool with the EPA (ASSERT) Received NSA IA-CMM Rating (Highest Rating Across Federal Contractors) Security Program Maturity Model Privacy Practice Established (DHS First Client) CyberRisk Compliance Process Developed Computer Network Exploitation Software and Services for the IC Cyber Security SOC Maturity Model Developed SecureElite SRA SDLC Finalized One of the First Federal ISO Certs for TSA SOC Congressional Scorecards (5 of the 7 A Scores are SRA Customers) Architect (Committers) of NSA Accumulo Secure Cloud Received Highest DoD CCRI Rating to Date (JSIN and EUCOM/ AFRICOM Projects) SRA Wins a Seat on the DHS CMaaS BPA Accredited FedRAMP Independent Third Party Assessment Organization (Type C) Cyber Security Practice Established moving to Critical Infrastructure Protection and cybersecurity in the 2000s, focusing on continuous diagnostics and mitigation, SOC operations, and cybersecurity preparedness Cybersecurity Big Data Capability using HADOOP

5 The Cloud: Opportunities and Challenges What do you need to know about government and the cloud? And why should you care?

6 Cloud & Cloud Security Trends

7 Government Cloud Computing Drivers Reduce infrastructure overhead (equipment & personnel) using cost controlled, easy to manage processing power Complying with federal mandates (Cloud First) Transfer infrastructure risks to contractors or service providers Satisfy short-term & short notice needs (Surges) Enhance service availability & remote accessibility options Increase agility in responding to infrastructure change requirements Facilitate proprietary application modernization, development and integration Improve business continuity & disaster recovery Improve the enterprise Green IT posture Why move to the Cloud? IT Efficiency Flexibility & Elasticity Compliance

8 Questions on Our Customer Minds How do I enable my agency to benefit from commodity cloud services while ensuring compliance and security??? How do I ensure that I have complete FISMA compliance with a FedRAMP cloud??? How do I transform my IT shop to allow my customers to consume cloud services from a centralized service catalog???

9 The US Government & The Cloud An Update Cloud First Initiative Potential Savings ~$20 Billion 25% of IT Budget Federal Data Center Consolidation Initiative (FDCCI) Close or consolidate ~1,200 of ~2,900 federal data centers Expected savings ~$2.4-$5 billion IaaS & EaaS BPAs Other Initiatives PortfolioStat Mobility Digital Government Strategy Source: FCW.com

10 Privacy and Security Legal Requirements Federal GLBA FTCA SOX FCRA/FACTA HIPAA FISMA, DIACAP FERPA 21 C.F.R. Part 11 (FDA Regulations) Executive Orders and Agency Memoranda COPPA Federal Risk and Authorization Management Program (FedRAMP) State Notice of Security Breach Other State Laws International EU Data Protection Directive Member Countries Canada PIPEDA Others (e.g., UK, Japan, Australia) Private Contractual Requirements and Standards PCI DSS Business Associate Agreements Service Provider Agreements NIST MPAA ISO 27001, 27002, etc. Cloud Security Association 10

11 FedRAMP s Purpose The Problem The Solution: FedRAMP A duplicative, inconsistent, time consuming, costly and inefficient cloud security risk management approach with little incentive to leverage existing Authorizations to Operate (ATOs) among agencies. Unified risk management approach Uniform set of approved, minimum security controls (FISMA Low and Moderate Impact) Consistent assessment process Provisional ATO 4/21/2014 Slide 11

12 FedRAMP Executive Sponsors Office of Management and Budget US-CERT Incident Coordination CyberScope Continuous Monitoring Data Analysis 4/21/2014 Slide 12

13 Cloud s Potential for Providing Government Services Is the cloud really the solution?

14 The Demand for Change is Great Sequestration Budget Cuts Mandates Shadow IT Mobile Workforce

15 Dad, What is This?

16 The Digital Natives are Here! Buy hardware for that I need an iron clad application License to own a product Build to last Expect it to be $$$ There is an app for that I need an app store License to use a service Build to replace $1.00 maybe?

17 A New Paradigm for a New IT Worker Designed for endurance Operated with a tech sense Service optional Designed to accept failure Operated with a business sense Service first

18 Is Cloud a Tipping Point? Cloud Computing is mature IT, but its also flexible IT, mission aligned IT and for some it s also cool IT Cloud Computing changes users expectations; and promises a simplified business oriented approach What IT organizations fear about the cloud is the potential of losing control. Cloud Computing does force IT organizations out of their comfort zone Cloud Computing will soon become IT as usual But it will surely impact all IT organizations

19 Strategizing for a Cloud-Based Government Yes. We do need a strategy!

20 Government Specific Considerations Procurement Vehicles Budget Cycles Security & Compliance Service Level Management Portability & Interoperability Organizational Change Management Politics

21 A Gap Example: The Power Grid Analogy One Metric = One SLA = Life is Simple

22 A Gap Example: The Power Grid Analogy Many Metrics = Many SLAs = Life is Complicated

23 The Power Grid Analogy Who reads the meters? Who trusts the readings? Who controls Spending? Who makes the decisions??

24 Developing a Realistic Cloud Plan Understand the Cloud Concepts Approach cloud as part of your strategy, but not as an ultimate solution! Identify the cloud solutions or technology components that make sense to your organization First envision, then architect Do not keep your strategy a secret Visualize Communicate Publicize Use proven framework to reduce risks TOGAF, DODAF, FEAF, ITIL

25 SRA s Cloud Computing Support Services Strategy Readiness Engineering Modernization Management Cloud Migration Planning and Execution Cloud Service Management & Governance Cloud Strategy Development Cloud Readiness Assessment Cloud Architecture Cloud Software Modernization Cloud Software & Services Integration Cloud Security Management SRA Cloud Computing Support Services cover the complete cloud lifecycle to ensure comprehensive alignment of Cloud Services with our customers business and mission objectives

26 SRA s Cloud Brokerage CONOPS Architectural Options Unified Service, Performance & Financial Reporting Trend & Predictive Analysis Program & Portfolio Management Federal Cloud Consumers Project Management Cloud Service Enabler (Full Broker) Application Management and Oversight Mission and Architectural Requirements and Objectives Requirements Changes Pre-negotiated SLAs & Pricing Cloud APIs Service Management Cloud Lifecycle Management Portability & Interoperability Management Security & Compliance Service Levels Warranty Support Response Support Discovery Support Cloud Service Orchestration Cloud On- Boarding & Off- Boarding Cloud Assessment Initial & Periodic Security Control Assessment Cloud Backbone Management (IaaS, PaaS, SaaS) Cloud Service Providers (AWS) FedRAMP 3PAOs Security Control Documentation Auditing Security Controls Documentation

27 Cloud Security is a Shared Responsibility SRA s Stratify allows federal CIOs and CSOs to address cloud security and compliance gaps by bridging FedRAMP and FISMA moderate controls with a realistic, practical and cloud-centric architecture Stratify Customer and Cloud Systems Integrator Responsibility Joint Responsibility Engineering & Administration Personnel Applications Data Operating Systems Service Management Transport Systems Hypervisors Cloud Service Provider Responsibility Physical Servers Physical Infrastructure Datacenter Personnel 27

28 The Stratify Reference Architecture Model 28

29 Anatomy of a Cloud A successful cloud implementation requires providing solution(s) for all required components as well as all the optional components required by the environment.

30 Security Reporting Anatomy of a Secure Cloud Compliance Validation Governance & Continual Improvement Security Technology To be able to call a cloud solution a Secure one, four elements should be introduced: Security Technology, Security Reporting, Governance & Continual Improvement, and Compliance Validation

31 Alerts Management Security Reporting Compliance Dashboards Stratify a Reference Architecture External Penetration Testing & Compliance Validation Incident Response, Notification and Remediation Application Software Security Security Audit Management Logs Collection & Analysis Configuration Management Asset Discovery & Control Configuration Control Image Management Baseline Compliance Identity & Access Management Multi-factor Authentication Authorization Management Single-Sign-On Continuous Vulnerability Monitoring & Remediation Malware Defense Managed Security Devices Network Access Controls Intrusion Detection & Prevention Network Behavioral Anomaly Detection Data Security Management Data-at-Rest Encryption Data-in-Transit Encryption Data Loss Prevention Data Resilience Perimeter Defense Personnel Security Training & Talent Management Governance & Continual Improvement Physical Security

32 Alerts Management Security Reporting Compliance Dashboards Reference Architecture Applicability Example External Penetration Testing & Compliance Validation Incident Response, Notification and Remediation Application Software Security Security Audit Management Logs Collection & Analysis Configuration Management Asset Discovery & Control Configuration Control Image Management Baseline Compliance Identity & Access Management Multi-factor Authentication Authorization Management Single-Sign-On Continuous Vulnerability Monitoring & Remediation Malware Defense Managed Security Devices Network Access Controls Intrusion Detection & Prevention Network Behavioral Anomaly Detection Data Security Management Data-at-Rest Encryption Data-in-Transit Encryption Data Loss Prevention Data Resilience Perimeter Defense Personnel Security Training & Talent Management Governance & Continual Improvement The applicability of certain architectural components to a specific environment is highly influenced by SRA s customer intimacy, understanding of strategic goals, and the applied use case Physical Security Key Must Have Good to Have

33 Alerts Management Security Reporting Compliance Dashboards Reference Architecture Responsibilities & Ownership Example External Penetration Testing & Compliance Validation Incident Response, Notification and Remediation Application Software Security Security Audit Management Logs Collection & Analysis Configuration Management Asset Discovery & Control Configuration Control Image Management Baseline Compliance Identity & Access Management Multi-factor Authentication Authorization Management Single-Sign-On Continuous Vulnerability Monitoring & Remediation Malware Defense Managed Security Devices Network Access Controls Intrusion Detection & Prevention Network Behavioral Anomaly Detection Data Security Management Data-at-Rest Encryption Data-in-Transit Encryption Data Loss Prevention Data Resilience Perimeter Defense Physical Security Personnel Security Training & Talent Management Governance & Continual Improvement Understanding the scope of ownership and responsibility for each of the architectural components is essential, as Cloud Security cannot be successful unless its underlining responsibilities are well defined and communicated to each of the players Key CSP Enabler Joint Customer/SI

34 Security Reporting Security Reporting Modular Implementations Approach Stratify can be applied as a blueprint architecture where an agency would map each of the architectural components to existing and road-mapped investments in security products External Penetration Testing & Compliance Validation Incident Response, Notification and Remediation Application Software Security Security Audit Management Logs Collection & Analysis Configuration Management Identity & Access Management Continuous Vulnerability Monitoring & Remediation Malware Defense Managed Security Devices Network Access Controls Intrusion Detection & Prevention Network Behavioral Anomaly Detection Data Security Management Governance & Continual Improvement It could also be applied holistically as a turnkey packaged solution (with all its recommended products). Especially when new programs or green field initiatives are commenced in the cloud External Penetration Testing & Compliance Validation Incident Response, Notification and Remediation Perimeter Defense Physical Security The modular Stratify architecture enables government agencies to utilize their existing security product investments to secure their cloud implementations. Using it as a target integration architecture also highlights any gaps that could be remediated using proven technology Application Software Security Security Audit Management Logs Collection & Analysis Configuration Management Identity & Access Management Continuous Vulnerability Monitoring & Remediation Malware Defense Managed Security Devices Network Access Controls Intrusion Detection & Prevention Network Behavioral Anomaly Detection Data Security Management Perimeter Defense Physical Security Governance & Continual Improvement 34

35 Mapping to Key Security Frameworks 35

36 Partner & Product Selection Criteria Integration Capabilities (APIs) Cloud Offerings and Licensing Model Stable Business Model Gartner/Forrester Assessment Tool Areas Mapping Proven in Government Thought Leader Comprehensive Cost Effective Feasible Practical Stratify Partner 36

37 Partner Mapping to Reference Architecture 37

38 My Final Message The Cloud is here, and the government is starting to consider it in its strategy With new opportunities come new challenges The Cloud will have an impact on the way the government supports its mission It will also have an impact on how commercial venders and FSI conduct business with the government The impact should not be overlooked!!!

39 Questions & Contact Information Majed Saadi Director, Cloud Computing Practice SRA International LinkedIn: ohcloud Blog:

40 Key Stratify Outputs Security Reference Architecture Model Mapping to Key Security Frameworks and Controls Technology Recommendations Compliancy Dashboards details the different technology components that constitute secure cloud environments and their interrelationships. Focus on common IaaS use scenarios and provide the blueprints for employing them. to assist CIOs and CSOs in making the cloud migration decision in the context of the proven models (FISMA, SAN s 20, FedRAMP, etc.) lists proven best-ofbreed technical solutions along with their associated vendors and aligns them with the architectural components detailed in the Security Reference Architecture Models provides CSOs with the ability to monitor their cloud environments with government-oriented security metrics 40

41 Stratify Demo 41

42 Availability Zone B Security VPC Subnet Vulnerability Scanning & Monitoring Tool Configuration Control Tool Logs Correlation Tool Aggregation Dashboards Secure AMI Library Simulated Attack Internet Gateway Penetration Testing Tool Auto scaling Group DB VPC Subnet Auto scaling Group App VPC Subnet Advanced Firewall Tool VPN Gateway Availability Zone A Anti-Virus Tool Elastic Load Balancing GovCloud Region Agency Data center 42

43 Availability Zone B Security VPC Subnet Vulnerability Scanning & Monitoring Tool Configuration Control Tool Logs Correlation Tool Aggregation Dashboards Secure AMI Library Simulated Attack Internet Gateway Penetration Testing Tool Auto scaling Group DB VPC Subnet Auto scaling Group App VPC Subnet Advanced Firewall Tool VPN Gateway Availability Zone A Anti-Virus Tool Elastic Load Balancing GovCloud Region Agency Data center 43

44 Availability Zone B Security VPC Subnet Vulnerability Scanning & Monitoring Tool Configuration Control Tool Logs Correlation Tool Aggregation Dashboards Secure AMI Library Simulated Attack Internet Gateway Penetration Testing Tool Auto scaling Group DB VPC Subnet Auto scaling Group App VPC Subnet Advanced Firewall Tool VPN Gateway Availability Zone A Anti-Virus Tool Elastic Load Balancing GovCloud Region Agency Data center 44

45 Availability Zone B Security VPC Subnet Vulnerability Scanning & Monitoring Tool Configuration Control Tool Logs Correlation Tool Aggregation Dashboards Secure AMI Library Simulated Attack Internet Gateway Penetration Testing Tool Auto scaling Group DB VPC Subnet Auto scaling Group App VPC Subnet Advanced Firewall Tool VPN Gateway Availability Zone A Anti-Virus Tool Elastic Load Balancing GovCloud Region Agency Data center 45

46 Availability Zone B Security VPC Subnet Vulnerability Scanning & Monitoring Tool Configuration Control Tool Logs Correlation Tool Aggregation Dashboards Secure AMI Library Simulated Attack Internet Gateway Penetration Testing Tool Auto scaling Group DB VPC Subnet Auto scaling Group App VPC Subnet Advanced Firewall Tool VPN Gateway Availability Zone A Anti-Virus Tool Elastic Load Balancing GovCloud Region Agency Data center 46

47

48

49

50

51

52

53

54 Clean Results Attack Initiated How Vulnerable Systems will show