Public Sector Cloud Service Providers
Critical First Steps for FedRAMP Success (Boundary Scoping)

James Leach
Veris Group, LLC

Summary

A Federal Risk and Authorization Management Program (FedRAMP) authorization is required for all cloud service providers (CSPs) selling cloud services to public sector entities such as federal civilian, defense, and intelligence agencies or state or local governments. Several cloud initiatives, government mandates, and the potential for significant cost savings for government are driving the fast pace of cloud adoption. The Office of Management and Budget (OMB) has mandated that all existing or new cloud systems must be approved through the FedRAMP Program by June.

Time to market remains a key concern for organizations offering these cloud solutions, but many CSPs applying through the FedRAMP program miss fundamental steps that can affect the success of this critical authorization. In their urgency to apply, CSPs may lack the adequate planning, documentation preparation, and technical implementations required. CSPs that do not clearly and consistently define cloud components and adequately outline corporate services (service inputs) against the FedRAMP cloud offering will encounter significant problems navigating the FedRAMP assessment.

By streamlining the boundary scoping process, including the preparation and proper identification of the periphery interfaces and components, system interconnections, and data flows, CSPs stand to gain a significant advantage with regard to timeline, assessment costs, and overall approval of the respective system in the FedRAMP Program. As a trusted stakeholder in the FedRAMP preparation process, an experienced FedRAMP Third Party Assessment Organization (3PAO) can provide a clear roadmap to defining and detailing the right elements of the boundary scoping FedRAMP requirements. The 3PAO can potentially lower assessment costs and help shorten the timeline to achieve FedRAMP authorization.
Boundary Definition & FedRAMP: An Overview

The National Institute of Standards and Technology (NIST) defines a system boundary (synonymous with authorization boundary) as "[all] components of an information system to be authorized for operation by an authorizing official and excludes separately authorized systems, to which the information system is connected." [i] Clearly defining these boundaries, particularly in preparation for the intense scrutiny under FedRAMP review, can be a daunting task for any CSP. The cloud provider must carefully describe the abstract and physical cloud system, including its sub-systems, system interfaces, stakeholders, third-party vendors/suppliers, and processes, in order to prepare for a successful FedRAMP assessment.

As a requirement for all FedRAMP approval methods (see box, "FedRAMP Authorization"), a well-documented system boundary is one of the best indicators to the FedRAMP Joint Authorization Board (JAB) or sponsoring Agency that a CSP is prepared with a defendable assessment package. A CSP that cannot define and defend the boundary will likely face schedule delays and cost overruns.

Box: FEDRAMP AUTHORIZATION
The three most common ways a cloud system can be approved (authorized) for end federal government use via FedRAMP:
1. FedRAMP JAB Provisional Authorization (PATO)
2. FedRAMP Agency Authorization (ATO)
3. CSP supplied

The Federal Information Processing Standard (FIPS) 199 security categorization is conducted to detail data types. This process should be completed in parallel with the CSP system boundary definitions, prior to any System Security Plan (SSP) being generated. [ii] Security-conscious organizations know what cloud systems and assets they have, what deployment models are in use, where the system physically resides, what data types exist (for service provider system data only), and how that data is protected. In determining the system boundary, a CSP will confirm the identity of the hosts/assets that are under direct management (common control and mission) and/or within the responsibility domain of the solution. Given the complexities in defining cloud boundaries, treating the cloud solutions as systems/sub-systems provides a targeted and cost-effective approach to an effective risk management process.

Why Is Boundary Definition Important?

A successful FedRAMP solution requires significant assessment preparation from the CSP to fully vet the solution both technically and operationally, including documenting clear system technology component definitions and how they interface within the cloud offering. Proper planning, architecture, and sound engineering practices are heavily weighted in the successful execution and completeness of a cloud solution. If the CSP fails to adequately plan or does not pick the right partners/subcontractors, the FedRAMP process may result in schedule delays, additional testing, and cost overruns.

Schedule

Time-to-market is a very important and valid concern for any CSP wanting to sell any technology solution. The danger (commonly overlooked) in an aggressive time-to-market push in the FedRAMP accreditation timeline/schedule is not spending the appropriate time scoping the boundary.
Assets are often overlooked or underestimated, system boundaries are not fully defined and delineated (corporate versus third-party versus FedRAMP cloud offering boundaries), and system components are not consistently identified in the SSP and tested. Any of these issues may result in schedule delays because the FedRAMP JAB and/or Agency will not accept these types of inconsistencies.

Cost Overruns

CSPs seeking to minimize cost overruns will want to avoid key missteps such as not clearly defining the boundary (be very specific), not employing a robust asset inventory, changing the boundary mid-assessment, selecting poor architecture (non-FIPS), having a weak vulnerability management process resulting in high scan findings (network/OS, web, and database), not dedicating internal staff, not clearly delineating all system components, and not writing to the control implementation level for the required documentation.

Additional Technology Testing/Partner Interconnections (Partner Services)

Additional technology testing typically does not surface until the onsite testing portion of the FedRAMP assessment. A CSP may struggle to describe the differences between corporate infrastructure and its respective cloud offering. It is very common to see CSPs partner with other firms as a packaged cloud IaaS/PaaS/SaaS solution. As the complexity of the assessment increases, asset counts, system interfaces, and documented system components tend to be missed/underdocumented by the CSP until testing execution is fully underway. This may result in systemic boundary scoping issues that can delay schedule and result in cost overruns.

What Is the Solution for CSPs?

Successful FedRAMP preparation requires CSPs to work through a series of preparation activities ranging from confirming the characteristics of the cloud system to defining the boundary protections. By streamlining this process, CSPs will have the information and documentation ready to achieve FedRAMP authorization.

The Five Critical Components/Steps for Boundary Development

Offering a comprehensive boundary definition with detailed physical/logical interfaces of cloud systems is a challenge for all CSPs to work through. There are instances where current hosting offerings do not meet the metrics/criteria of a cloud system, and further review should be done to ensure the FedRAMP model is the right fit for the service provider's system offering. An experienced 3PAO such as Veris Group offers the following methodology of critical components/steps to work through the boundary scoping process.

[Figure: the five steps]
o Confirm: Confirm characteristics of the cloud system
o Create: Create clear system/component descriptions
o Detail: Consistently detail cloud components
o Characterize: Characterize system inter-connections (internal/external)
o Illustrate: Illustrate and describe data flow

1. Confirm: Confirm the characteristics of the cloud system

Within certain cloud hosting environments, it is possible that some FedRAMP requirements may not apply to the hosting provider. In order to assist the CSP or Federal Agencies in determining applicability, the CSP should align its cloud offering to the essential characteristics, service, or deployment models. A CSP should determine whether it has a true cloud system versus a dedicated single-tenant application running in the cloud. According to NIST [iii]:

"Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction."

For example, this cloud model is composed of five essential characteristics, four deployment models and three service models, as detailed in the NIST SP, The NIST Definition of Cloud Computing: [iv]

Essential Characteristics
o On-demand self-service
o Broad network access
o Resource pooling
o Rapid elasticity
o Measured service

Deployment Models
o Private Cloud
o Community Cloud
o Public Cloud
o Hybrid Cloud

Service Models
o IaaS
o PaaS
o SaaS
CSPs will need to evaluate the service offering against the cloud metrics/characteristics identified above to ensure applicability of the FedRAMP accreditation program. Veris Group recommends that CSPs incorporate NIST guidance and validate how their cloud solution maps to the NIST definition of cloud computing. Once the CSP confirms how its cloud solution meets the cloud definition model/characteristics, the next step is to start documenting a clear system description to reflect the FedRAMP offering.

2. Create: Create clear system/component descriptions

Every good System Security Plan (SSP) starts with a detailed system description, inclusive of a very detailed system boundary. Outside of the full system description, unique identifier, system owner, governing organization, system location, and cloud offering versions, there are several other key considerations (not fully inclusive) in determining a detailed system boundary: [v]

General/Enterprise
o What is the system business function, charter (ownership), and cloud capabilities of the system?
o Can the CSP provide network architecture/design overview, topology, and data flow diagrams?
o Can the CSP provide a comprehensive asset inventory (hardware, software, network)?
o What are the types of users (internal/external) as they apply to boundaries?
o What are the data process flows (inputs/outputs) of the federal cloud offering?
o Is any corporate infrastructure included within the FedRAMP cloud offering? If so, how is the corporate infrastructure isolated from the FedRAMP offering?
o What data types are transmitted and/or processed (part of the FIPS 199 Security Categorization)?
o Are network zones instituted? If so, how?
o Provide a granular description of system-specific, shared, and end customer specific controls/requirements (Control Tailoring Workbook/Control Implementation Summary).
o Will federal agencies' cloud data be co-mingled with non-government customers? If so, how will this be isolated?
o Define the geographic location where data resides.
o Describe multi-tenancy: how the cloud solution virtually isolates its data and configuration for each respective customer.
o Does the cloud solution support multifactor authentication for network privileged/non-privileged and local privileged? If so, explain in specific detail how.
o Where do all administrative staff reside, are they US citizens, and do they have adequate security clearances?
o Are there live migration strategies, rules, and use case implementations (manual/automated) within the cloud system?

System Interconnections/Perimeters
o List all interconnected systems (partners, third party services), physical location and connection flow.
o Identify all systems and subsystems (static/dynamic), Contiguous United States (CONUS).
o How do the cloud border devices (router access control list, firewalls, IPS/IDPS, IPsec tunnels, VPN) provide isolation on the external interfacing devices?
o Trusted Internet Connection: how does the CSP plan on integrating its solution with the federal agency's Trusted Internet Connection?
o Define approved ports, protocols, and services platform functions allowed within the system (inbound/outbound).

Network
o How do the cloud border devices (router access control list, firewalls, IDS/IPS, IPsec tunnels, VPN) provide isolation internally through multitenancy protections?
o Does the CSP isolate virtual machine zones on unique network segments?
o What type of traffic isolation is performed?
o Is NAT integrated into the solution (static, dynamic, overloading, overlapping, etc.)? If so, what specific configurations and parameter changes are instituted?
o Are IP geographic boundaries leveraged? If so, how?
o Are FIPS-validated encryption methods integrated for system processing, transmission, and data at rest?
o Remote access methods: what are the end users, data flow, and usage restrictions?

Storage
o Does the storage solution consist of Direct Attached Storage (DAS), Network Attached Storage (NAS), iSCSI, or Storage Area Network (SAN) solutions, or others (API customization with the hypervisor tier)?
o Where does the data reside (physical locations) within the cloud offering?
o Cloud redundancy storage options: given the redundancy of most cloud offerings, does it use a multipath environment (availability zones) for storage options/solutions (persistent/non-persistent storage options)?
  *While not completely uncommon, there are CSPs that have varying storage device offerings that will need to be detailed within the FedRAMP boundary.
o Is there a clear delineation between system, hybrid, and end customer storage responsibilities?

These elements provide a good foundation/roadmap but are not meant to be fully comprehensive.
Additional review and considerations would need to take place in compliance with FedRAMP requirements.

3. Detail: Consistently detail cloud components

Describing the CSP's cloud system components is essential. The SSP must have a well-defined technology component list, which must also directly and consistently align to the component list included as part of the Security Assessment Plan (SAP). CSPs have the option of describing system components by an internal unique name or by functionality. The figure below is an example of the types of services available to the end cloud consumer. [vi]
Most cloud service providers have a good handle on what they are and what they offer from a cloud service model. The next step is to align the offering to the graphic above and look to further define the system as it relates to unique technology components. The CSP then needs to further define the cloud offering down to the actual technology components of the cloud solution:

o General/Enterprise (e.g., Multifactor authentication, Ticketing, IDS/IPS, Monitoring, Auditing, Self-serve portal)
o Network (e.g., Routers, Switches, Firewalls, VPNs, Load Balancers)
o Hosts/OS (e.g., RHEL, CentOS, Windows)
o Web (e.g., Apache, IIS, IBM HTTP Server, Oracle HTTP Server, Resin)
o Applications (e.g., Jetty, iPlanet, GlassFish, JBoss, WebLogic)
o Virtualization (e.g., Hyper-V, Xen, KVM, VMware ESX/ESXi)
o Database (e.g., Oracle, SQL Server, MySQL)
o Storage (e.g., NetApp, EMC)

Whichever naming method (component or functionality-based) a CSP selects, a consistent naming convention remains critical as a functional or technical component description. The CSP's FedRAMP security authorization documentation should be consistent across the FedRAMP package. Each document should utilize the same names, acronyms, and terminology, and provide the same system description, components, and logical/physical inventory/assets. During the review by the FedRAMP PMO or a sponsoring agency, these types of inconsistencies could cause considerable schedule delays and lead to cost overruns.
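The cross-document consistency described in this step can be checked mechanically before the package is submitted. The following Python sketch is an added example, not part of the original paper or of any FedRAMP tooling; the component lists, host names, and function names are constructed for illustration.

```python
"""Cross-check component names across FedRAMP package documents (added example)."""
import re
from collections import defaultdict

# Constructed sample data: component names as each document might list them.
SSP_COMPONENTS = ["Cisco ASA 5515", "RHEL", "Apache", "VMware ESXi", "NetApp", "MySQL"]
SAP_COMPONENTS = ["Cisco ASA-5515", "RHEL", "Apache HTTP Server", "VMWare ESXi", "NetApp"]
ASSET_INVENTORY = [
    {"host": "fw-01", "component": "Cisco ASA 5515"},
    {"host": "db-01", "component": "mysql"},
    {"host": "lb-01", "component": "Load Balancer"},
]


def normalize(name):
    """Reduce a name to a comparison key, ignoring case, spacing and punctuation."""
    return re.sub(r"[^a-z0-9]", "", name.lower())


def cross_check(documents):
    """Compare the component lists of several package documents.

    documents maps a label such as "SSP" to the component names that document lists.
    Returns (missing, variants):
      missing  - {name: [documents that do not list the component]}
      variants - {name: {document: spelling}} where the spelling differs
    The name used as the key is the spelling from the first document listing it.
    """
    seen = defaultdict(dict)  # comparison key -> {document: spelling as written}
    for doc, names in documents.items():
        for name in names:
            key = normalize(name)
            if key:
                seen[key].setdefault(doc, name.strip())

    missing, variants = {}, {}
    for by_doc in seen.values():
        canonical = next(iter(by_doc.values()))
        absent = [doc for doc in documents if doc not in by_doc]
        if absent:
            missing[canonical] = absent
        if len(set(by_doc.values())) > 1:
            variants[canonical] = dict(by_doc)
    return missing, variants


def unmapped_assets(inventory, ssp_components):
    """Return the hosts whose component is not described in the SSP."""
    known = {normalize(c) for c in ssp_components}
    return [row["host"] for row in inventory if normalize(row["component"]) not in known]


if __name__ == "__main__":
    missing, variants = cross_check({"SSP": SSP_COMPONENTS, "SAP": SAP_COMPONENTS})
    # "Apache" and "Apache HTTP Server" are reported as two separate components:
    # mixing functional and product names is a mismatch a person has to resolve.
    for name, docs in missing.items():
        print(f"MISSING  {name!r} is not listed in: {', '.join(docs)}")
    for name, spellings in variants.items():
        print(f"VARIANT  {name!r} is spelled differently: {spellings}")
    for host in unmapped_assets(ASSET_INVENTORY, SSP_COMPONENTS):
        print(f"UNMAPPED inventory host {host!r} has no matching SSP component")
```

Running the same check against every document in the package (SSP, SAP, inventory workbook) surfaces naming drift before the FedRAMP PMO or sponsoring agency does.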
4. Characterize: Characterize system inter-connections (internal/external)

One of the common mistakes CSPs make is the failure to adequately detail and describe how their cloud offering is physically and logically separated from their corporate infrastructure. The FedRAMP PMO has provided guidance in the SSP template and utilizes a table to define the system interconnections. The columns of that table are:

o CSP IP Address and Interface
o External Organization Name and IP Address of System
o External Point of Contact and Phone Number
o Connection Security (IPSec VPN, SSL, Certificates, Secure File Transfer etc.)
o Data Direction (incoming, outgoing, or both)
o Information Being Transmitted
o Ports or Circuit #

Within many organizations, there may be legitimate business or risk-based justifications as to why the CSP cannot fully or always isolate all technical functions (Multifactor Authentication, Monitoring, Ticketing, Admin access, etc.). In these instances, a CSP must provide additional information to explain how the corporate infrastructure is properly secured, segmented, and logically communicates with the FedRAMP cloud solution. The table below provides context for the Service Provider Corporate resources and how these controls/interfaces should be documented.

Corporate Resource Provided?: Cisco Identity Services Engine (ISE)
Function: Credential validation / authentication functions
Provided by which Business Unit/Group within the Organization?: Acme X Chief Security Office
Key Point of Contact, Service Owner?: John Doe
Ports, Protocols, and Services: LDAP (389), SMB (445), KDC (88), Global Catalog (3268, 3289), KPASS (464), NTP (123) and LDAPS (636)
Data Direction (incoming, outgoing, or bidirectional): Bi-directional
Information Being Transmitted: Credential validation / authentication functions
CSP Cloud Endpoint (identified device for demarcation): Cisco ASA 5515 (IP Address X.X.X.X)

5. Illustrate: Illustrate and describe Network/System Diagram, Architecture, and Data Flow

In another important step in the FedRAMP process, a CSP is required to brief the FedRAMP PMO/JAB or sponsor agency on the respective cloud system, including its mission, functionality, features, architecture, and the data flow for the services provided. Creating clear, concise diagrams that illustrate the end user experience and network traffic flows throughout the cloud system will significantly contribute to achieving initial FedRAMP stakeholder understanding, and ultimately to setting the right foundation for the assessment lifecycle. The more the FedRAMP PMO/JAB understand the cloud system upfront, the better position the CSP will be in to meet the end goal: risk acceptance/authorization.

One of the main differentiators of the data flow diagram versus the network topology diagram is that the data flow illustrations are more centric to the direction of network traffic flow and less about each and every component of the cloud topology. CSPs should look to create these data flow diagrams from the following perspectives:

o CSP Administrative Access: graphically detail how support staff access the FedRAMP cloud environment internal to the corporate network, externally via VPN or other means.
o CSP Corporate Services (System Inputs): illustrate what services are provided to the FedRAMP cloud, viewed as inputs to the system but not part of the system. Examples of this could be multi-factor authentication or monitoring capabilities.
o End Customer Data Flow: data flow experience on how IaaS/PaaS/SaaS services are rendered/provided to the end customer. If integrated cloud service models are deployed, multiple data flow diagrams may be required to demonstrate flow.
o System Interconnections/Partners: data flow illustrations on system interconnects and integrated partners.
o Storage: data flow diagram depicting the cloud storage data flow.

Accurate and complete data flow illustrations in the initial draft FedRAMP security authorization package will provide the FedRAMP PMO, JAB, or sponsor agencies with a critical understanding of the cloud solution and provide a clear and concise view of the cloud solution to the stakeholders.

Conclusion

As with any successful task or project, effective and efficient planning is critical and the essential first step in ensuring success. With FedRAMP, a tactical approach in delineating the cloud system boundary, system interfaces, and corporate resource isolations is fundamental to the success of an independent FedRAMP assessment (and of other regulatory requirements/assessments).
FedRAMP success is predicated on the following elements/roadmap to success:

o Characteristics of the Cloud
o Well-Documented System Description
o Define CSP Technology Components (Functional)
o Data Flow, Network, and Architecture Diagrams/Illustrations
o System Interconnections

CSPs can choose to take these steps internally, utilizing their existing compliance team, or look to outsource all or several of these preparation functions to a qualified 3PAO entity. The CSP's success in the FedRAMP program is founded in the planning phase, the preparation. To ensure a CSP's time-to-market goals are met, it must account for the boundary scoping points above to make the ultimate goal of achieving a FedRAMP approval (FedRAMP JAB, Agency, or CSP Supplied) a reality.
[i] Ross, Ronald & Johnson, L.A. (2010) NIST SP Rev 1, Guide for Applying the Risk Management Framework to Federal Information Systems [NIST Publication]
[ii] Cichonski, Paul, Millar, Tom, Grance, Tim, and Scarfone, Karen (2012) NIST SP, Rev. 1 Volume 2, Computer Security Incident Handling Guide [NIST Publication]
[iii], [iv] Peter Mell, Timothy Grance, The NIST Definition of Cloud Computing, September 2011
[v] GSA (2012) Guide to Understanding FedRAMP. Guide_to_Understanding_FedRAMP_ pdf
[vi] Fang Liu, Jin Tong, others, NIST Cloud Computing Reference Architecture,

James Leach is the Vice-President, Strategic Operations, of Veris Group, LLC, a Vienna, VA-based cybersecurity firm.
Veris Group, LLC, Attn: FedRAMP, 8229 Boone Blvd., Suite 750, Vienna, VA (703)
fedramp@verisgroup.com
More informationCommercial Software Licensing
Commercial Software Licensing CHAPTER 12: Prepared by DoD ESI January 2013 Chapter Overview Most software licenses today are either perpetual or subscription. Perpetual licenses involve software possession
More informationCloud Computing Security. Belmont Chia Data Center Solutions Architect
Cloud Computing Security Belmont Chia Data Center Solutions Architect 1 Cloud Computing Security What is this Cloud stuff? Security in Public Clouds Security in Private Clouds 2 Defining Cloud Computing
More informationThe Magical Cloud. Lennart Franked. Department for Information and Communicationsystems (ICS), Mid Sweden University, Sundsvall.
The Magical Cloud Lennart Franked Department for Information and Communicationsystems (ICS), Mid Sweden University, Sundsvall. 2014-10-20 Lennart Franked (MIUN IKS) The Magical Cloud 2014-10-20 1 / 35
More informationPerspectives on Moving to the Cloud Paradigm and the Need for Standards. Peter Mell, Tim Grance NIST, Information Technology Laboratory 7-11-2009
Perspectives on Moving to the Cloud Paradigm and the Need for Standards Peter Mell, Tim Grance NIST, Information Technology Laboratory 7-11-2009 2 NIST Cloud Computing Resources NIST Draft Definition of
More informationPCI Compliance and the Cloud: What You Can and What You Can t Outsource Presented By:
PCI Compliance and the Cloud: What You Can and What You Can t Outsource Presented By: Peter Spier Managing Director PCI and Risk Assurance Fortrex Technologies Agenda Instructor Biography Background On
More informationVMware vcloud Networking and Security Overview
VMware vcloud Networking and Security Overview Networks and Security for Virtualized Compute Environments WHITE PAPER Overview Organizations worldwide have gained significant efficiency and flexibility
More informationHow To Extend Security Policies To Public Clouds
What You Will Learn Public sector organizations without the budget to build a private cloud can consider public cloud services. The drawback until now has been tenants limited ability to implement their
More informationPCI COMPLIANCE ON AWS: HOW TREND MICRO CAN HELP
solution brief PCI COMPLIANCE ON AWS: HOW TREND MICRO CAN HELP AWS AND PCI DSS COMPLIANCE To ensure an end-to-end secure computing environment, Amazon Web Services (AWS) employs a shared security responsibility
More informationFlying into the Cloud: Do You Need a Navigator? Services. Colin R. Chasler Vice President Solutions Architecture Dell Services Federal Government
Services Flying into the Cloud: Do You Need a Navigator? Colin R. Chasler Vice President Solutions Architecture Dell Services Federal Government Table of Contents Executive Summary... 3 Current IT Challenges...
More informationManaged Cloud Services
Managed Services From Data Centre to Managed Public Traditional data centre Virtual Data Centre In-house Dedicated External Multi-tenant External Managed Public Consulting approach: Breakdown of Business
More informationThe Cloud in Regulatory Affairs - Validation, Risk Management and Chances -
45 min Webinar: November 14th, 2014 The Cloud in Regulatory Affairs - Validation, Risk Management and Chances - www.cunesoft.com Rainer Schwarz Cunesoft Holger Spalt ivigilance 2014 Cunesoft GmbH PART
More informationU.S. HOUSE OF REPRESENTATIVES SUBCOMMITTEE ON TECHNOLOGY AND INNOVATION COMMITTEE ON SCIENCE, SPACE, AND TECHNOLOGY HEARING CHARTER
U.S. HOUSE OF REPRESENTATIVES SUBCOMMITTEE ON TECHNOLOGY AND INNOVATION COMMITTEE ON SCIENCE, SPACE, AND TECHNOLOGY HEARING CHARTER The Next IT Revolution?: Cloud Computing Opportunities and Challenges
More informationITL BULLETIN FOR JANUARY 2011
ITL BULLETIN FOR JANUARY 2011 INTERNET PROTOCOL VERSION 6 (IPv6): NIST GUIDELINES HELP ORGANIZATIONS MANAGE THE SECURE DEPLOYMENT OF THE NEW NETWORK PROTOCOL Shirley Radack, Editor Computer Security Division
More informationOverview of Cloud Computing and Cloud Computing s Use in Government Justin Heyman CGCIO, Information Technology Specialist, Township of Franklin
Overview of Cloud Computing and Cloud Computing s Use in Government Justin Heyman CGCIO, Information Technology Specialist, Township of Franklin Best Practices for Security in the Cloud John Essner, Director
More informationCloudLink - The On-Ramp to the Cloud Security, Management and Performance Optimization for Multi-Tenant Private and Public Clouds
- The On-Ramp to the Cloud Security, Management and Performance Optimization for Multi-Tenant Private and Public Clouds February 2011 1 Introduction Today's business environment requires organizations
More informationCloud Courses Description
Cloud Courses Description Cloud 101: Fundamental Cloud Computing and Architecture Cloud Computing Concepts and Models. Fundamental Cloud Architecture. Virtualization Basics. Cloud platforms: IaaS, PaaS,
More informationA Survey on Cloud Security Issues and Techniques
A Survey on Cloud Security Issues and Techniques Garima Gupta 1, P.R.Laxmi 2 and Shubhanjali Sharma 3 1 Department of Computer Engineering, Government Engineering College, Ajmer Guptagarima09@gmail.com
More informationCloud Computing Best Practices. Creating Effective Cloud Computing Contracts for the Federal Government: Best Practices for Acquiring IT as a Service
Cloud Computing Best Practices Cloud Computing Best Practices Creating Effective Cloud Computing Contracts for the Federal Government: Best Practices for Acquiring IT as a Service Overview Cloud Computing
More informationPurpose. Service Model SaaS (Applications) PaaS (APIs) IaaS (Virtualization) Use Case 1: Public Use Case 2: Use Case 3: Public.
Federal CIO Council Information Security and Identity Management Committee (ISIMC) Guidelines for the Secure Use of Cloud Computing by Federal Departments and Agencies DRAFT V0.41 Earl Crane, CISSP, CISM
More informationCisco Intelligent Automation for Cloud
Product Data Sheet Cisco Intelligent Automation for Cloud Early adopters of cloud-based service delivery were seeking additional cost savings beyond those achieved with server virtualization and abstraction.
More informationCloud Security. Peter Jopling joplingp@uk.ibm.com IBM UK Ltd Software Group Hursley Labs. peterjopling. 2011 IBM Corporation
Cloud Security Peter Jopling joplingp@uk.ibm.com IBM UK Ltd Software Group Hursley Labs peterjopling 2011 IBM Corporation Cloud computing impacts the implementation of security in fundamentally new ways
More informationConcurrent Technologies Corporation (CTC) is an independent, nonprofit, applied scientific research and development professional services
Concurrent Technologies Corporation (CTC) is an independent, nonprofit, applied scientific research and development professional services organization providing innovative management and technology-based
More informationThe NIST Definition of Cloud Computing (Draft)
Special Publication 800-145 (Draft) The NIST Definition of Cloud Computing (Draft) Recommendations of the National Institute of Standards and Technology Peter Mell Timothy Grance NIST Special Publication
More informationWhy Migrate to the Cloud. ABSS Solutions, Inc. 2014
Why Migrate to the Cloud ABSS Solutions, Inc. 2014 ASI Cloud Services Information Systems Basics Cloud Fundamentals Cloud Options Why Move to the Cloud Our Service Providers Our Process Information System
More informationINTRODUCTION TO CLOUD COMPUTING CEN483 PARALLEL AND DISTRIBUTED SYSTEMS
INTRODUCTION TO CLOUD COMPUTING CEN483 PARALLEL AND DISTRIBUTED SYSTEMS CLOUD COMPUTING Cloud computing is a model for enabling convenient, ondemand network access to a shared pool of configurable computing
More informationFISMA Cloud GovDataHosting Service Portfolio
FISMA Cloud Advanced Government Oriented Cloud Hosting Solutions Cyber FISMA Security Cloud Information Security Management Compliance Security Compliant Disaster Recovery Hosting Application Cyber Security
More informationWhat Cloud computing means in real life
ITU TRCSL Symposium on Cloud Computing Session 2: Cloud Computing Foundation and Requirements What Cloud computing means in real life Saman Perera Senior General Manager Information Systems Mobitel (Pvt)
More informationSECURITY CONTROLS AND RISK MANAGEMENT FRAMEWORK
SECURITY CONTROLS AND RISK MANAGEMENT FRAMEWORK BACKGROUND The National Institute of Standards and Technology (NIST) Special Publication 800-53 defines a comprehensive set of controls that is the basis
More informationPerspectives on Cloud Computing and Standards. Peter Mell, Tim Grance NIST, Information Technology Laboratory
Perspectives on Cloud Computing and Standards Peter Mell, Tim Grance NIST, Information Technology Laboratory Caveats and Disclaimers This presentation provides education on cloud technology and its benefits
More informationMicrosoft SharePoint Architectural Models
Microsoft SharePoint This topic is 1 of 5 in a series Introduction to Fundamental SharePoint This series is intended to raise awareness of the different fundamental architectural models through which SharePoint
More informationDeploying Public, Private, and Hybrid Storage Clouds. Marty Stogsdill, Oracle
Deploying Public, Private, and Hybrid Storage Clouds Marty Stogsdill, Oracle SNIA Legal Notice The material contained in this tutorial is copyrighted by the SNIA unless otherwise noted. Member companies
More informationIBM 000-281 EXAM QUESTIONS & ANSWERS
IBM 000-281 EXAM QUESTIONS & ANSWERS Number: 000-281 Passing Score: 800 Time Limit: 120 min File Version: 58.8 http://www.gratisexam.com/ IBM 000-281 EXAM QUESTIONS & ANSWERS Exam Name: Foundations of
More informationFedRAMP Online Training Security Assessment Plan (SAP) Overview 12/9/2015 Presented by: FedRAMP PMO
FedRAMP Online Training Security Assessment Plan (SAP) Overview 12/9/2015 Presented by: FedRAMP PMO www.fedramp.gov www.fedramp.gov 1 Today s Training Welcome to Part Four of the FedRAMP Training Series:
More informationITL BULLETIN FOR MARCH 2012 GUIDELINES FOR IMPROVING SECURITY AND PRIVACY IN PUBLIC CLOUD COMPUTING
ITL BULLETIN FOR MARCH 2012 GUIDELINES FOR IMPROVING SECURITY AND PRIVACY IN PUBLIC CLOUD COMPUTING Shirley Radack, Editor Computer Security Division Information Technology Laboratory National Institute
More informationWhat Every User Needs To Know Before Moving To The Cloud. LawyerDoneDeal Corp.
What Every User Needs To Know Before Moving To The Cloud LawyerDoneDeal Corp. What Every User Needs To Know Before Moving To The Cloud 1 What is meant by Cloud Computing, or Going To The Cloud? A model
More informationEvaluating the Cisco ASA Adaptive Security Appliance VPN Subsystem Architecture
Deploying Cisco ASA VPN Solutions Volume 1 Course Introduction Learner Skills and Knowledge Course Goal and Course Flow Additional Cisco Glossary of Terms Your Training Curriculum Evaluation of the Cisco
More informationGUIDE TO INFORMATION SECURITY TESTING AND ASSESSMENT
GUIDE TO INFORMATION SECURITY TESTING AND ASSESSMENT Shirley Radack, Editor Computer Security Division Information Technology Laboratory National Institute of Standards and Technology A comprehensive approach
More informationSimone Brunozzi, AWS Technology Evangelist, APAC. Fortress in the Cloud
Simone Brunozzi, AWS Technology Evangelist, APAC Fortress in the Cloud AWS Cloud Security Model Overview Certifications & Accreditations Sarbanes-Oxley (SOX) compliance ISO 27001 Certification PCI DSS
More informationChapter 11 Cloud Application Development
Chapter 11 Cloud Application Development Contents Motivation. Connecting clients to instances through firewalls. Chapter 10 2 Motivation Some of the questions of interest to application developers: How
More informationLearn the Essentials of Virtualization Security
Learn the Essentials of Virtualization Security by Dave Shackleford by Dave Shackleford This paper is the first in a series about the essential security issues arising from virtualization and the adoption
More informationWhere in the Cloud are You? Session 17032 Thursday, March 5, 2015: 1:45 PM-2:45 PM Virginia (Sheraton Seattle)
Where in the Cloud are You? Session 17032 Thursday, March 5, 2015: 1:45 PM-2:45 PM Virginia (Sheraton Seattle) Abstract The goal of this session is to understanding what is meant when we say Where in the
More informationSANS Top 20 Critical Controls for Effective Cyber Defense
WHITEPAPER SANS Top 20 Critical Controls for Cyber Defense SANS Top 20 Critical Controls for Effective Cyber Defense JANUARY 2014 SANS Top 20 Critical Controls for Effective Cyber Defense Summary In a
More informationIS PRIVATE CLOUD A UNICORN?
IS PRIVATE CLOUD A UNICORN? With all of the discussion, adoption, and expansion of cloud offerings there is a constant debate that continues to rear its head: Public vs. Private or more bluntly Is there
More informationRequirements Checklist for Choosing a Cloud Backup and Recovery Service Provider
Whitepaper: Requirements Checklist for Choosing a Cloud Backup and Recovery Service Provider WHITEPAPER Requirements Checklist for Choosing a Cloud Backup and Recovery Service Provider Requirements Checklist
More informationHow To Protect Your Cloud From Attack
A Trend Micro White Paper August 2015 Trend Micro Cloud Protection Security for Your Unique Cloud Infrastructure Contents Introduction...3 Private Cloud...4 VM-Level Security...4 Agentless Security to
More information10 Considerations for a Cloud Procurement. Anthony Kelly Erick Trombley David DeBrandt Carina Veksler January 2015
10 Considerations for a Cloud Procurement Anthony Kelly Erick Trombley David DeBrandt Carina Veksler January 2015 www.lbmctech.com info@lbmctech.com Purpose: Cloud computing provides public sector organizations
More informationAppendix C Pricing Index DIR Contract Number DIR-TSO-2724
Appendix C Pricing Index DIR Contract Number DIR-TSO-2724 Infrastructure as a Service (IaaS) and Platform as a Service (PaaS) Amazon Web Services (AWS) is a comprehensive cloud services platform that offers
More informationRunning Oracle Applications on AWS
Running Oracle Applications on AWS Bharath Terala Sr. Principal Consultant Apps Associates LLC June 09, 2014 Copyright 2014. Apps Associates LLC. 1 Agenda About the Presenter About Apps Associates LLC
More informationNET ACCESS VOICE PRIVATE CLOUD
Page 0 2015 SOLUTION BRIEF NET ACCESS VOICE PRIVATE CLOUD A Cloud and Connectivity Solution for Hosted Voice Applications NET ACCESS LLC 9 Wing Drive Cedar Knolls, NJ 07927 www.nac.net Page 1 Table of
More informationDEPARTMENT OF VETERANS AFFAIRS VA DIRECTIVE 6517 CLOUD COMPUTING SERVICES
DEPARTMENT OF VETERANS AFFAIRS VA DIRECTIVE 6517 Washington, DC 20420 Transmittal Sheet February 28, 2012 CLOUD COMPUTING SERVICES 1. REASON FOR ISSUE: This Directive establishes the Department of Veterans
More informationCloud Computing Cluster Introduction to Cloud Computing. Rick Martin, Co-chair, Cloud Computing Cluster August 26, 2013
From Science to Solutions Cloud Computing Cluster Introduction to Cloud Computing Rick Martin, Co-chair, Cloud Computing Cluster August 26, 2013 Senior IT Strategist SAIC What is Cloud Computing? Cloud
More informationPlanning the Migration of Enterprise Applications to the Cloud
Planning the Migration of Enterprise Applications to the Cloud A Guide to Your Migration Options: Private and Public Clouds, Application Evaluation Criteria, and Application Migration Best Practices Introduction
More informationVMware vcloud Air Security TECHNICAL WHITE PAPER
TECHNICAL WHITE PAPER The Shared Security Model for vcloud Air The end-to-end security of VMware vcloud Air (the Service ) is shared between VMware and the customer. VMware provides security for the aspects
More informationEMC ENCRYPTION AS A SERVICE
White Paper EMC ENCRYPTION AS A SERVICE With CloudLink SecureVSA Data security for multitenant clouds Transparent to applications Tenant control of encryption keys EMC Solutions Abstract This White Paper
More informationBuilding YOURcloud: The Federal Government s first Secure Hybrid Community Cloud
Building YOURcloud: The Federal Government s first Secure Hybrid Community Cloud Anil Karmel, Deputy Chief Technology Officer National Nuclear Security Administration A Partnership between the Office of
More informationThe Cloud is Not Enough Why Hybrid Infrastructure is Shaping the Future of Cloud Computing
Your Platform of Choice The Cloud is Not Enough Why Hybrid Infrastructure is Shaping the Future of Cloud Computing Mark Cravotta EVP Sales and Service SingleHop LLC Talk About Confusing? Where do I start?
More informationVirtualized Network Services SDN solution for service providers
Virtualized Network Services SDN solution for service providers Nuage Networks Virtualized Network Services (VNS) is a fresh approach to business networking that seamlessly links your enterprise customers
More informationThe Hybrid Cloud: Bringing Cloud-Based IT Services to State Government
The Hybrid Cloud: Bringing Cloud-Based IT Services to State Government October 4, 2009 Prepared By: Robert Woolley and David Fletcher Introduction Provisioning Information Technology (IT) services to enterprises
More informationCloud Computing and Data Center Consolidation
Cloud Computing and Data Center Consolidation Charles Onstott, PMP Chief Technology Officer, Enterprise IT Services SAIC Steven Halliwell General Manager for State and Local and Education Sales Amazon
More information