Making Sure Cloud Security is Not Up in Smoke: Integrating Protection in the Acquisition Process Digital Government Institute Cloud-Enabled

Transcription

1 Making Sure Cloud Security is Not Up in Smoke: Integrating Protection in the Acquisition Process Digital Government Institute Cloud-Enabled Government Conference & Expo September 22, 2011

2 Disclaimer This presentation is not an endorsement of any product, technology or vendor it is solely a discussion of applying security requirements to acquisition of cloud services.

3 Points of Discussion What is Federal cloud computing? What are the threats to cloud computing? How do we secure use of cloud services with FedRAMP? How do we show compliance with FISMA? How do we balance benefits from the cloud with protection of those benefits? How do we meet Federal Cloud objectives and really save on costs?

4 By design, computer use with or without cloud computing come with risks.

5 Government agencies face three challenges to dealing with the dark-side of new technologies: Cloud computing; Social media; and, The proliferation of mobile devices.

6 What are the threats to cloud computing? Are there any flaws to cloud computing for us to examine?

7 Top threats to cloud computing* Abuse and nefarious use of cloud computing Insecure interfaces and APIs Malicious Insiders Shared technology issues Data loss or leakage Account or service hijacking Unknown risk profile * Source: Cloud Security Alliance -

8 In the cloud, step one is trusting, and that s not security that s hope. Andrew Walls, Gartner Group You cannot outsource responsibility or blame, especially when you omit due diligence

9 Uncle Sam: I want you to use cloud computing. To harness the benefits of cloud computing, we have instituted a Cloud First policy. This policy is intended to accelerate the pace at which the government will realize the value of cloud computing by requiring agencies to evaluate safe, secure cloud computing options before making any new investments. - Federal Cloud Computing Strategy

10 What is Federal Cloud Computing? What access controls are implemented? What physical controls are implemented? How is data center security maintained? NIST defines cloud computing as SP pdf

11

12 What is FedRAMP? Federal Risk and Authorization Management Program (FedRAMP) designed to meet security authorization challenges associated with Federal cloud computing. FedRAMP proposes a methodology of assessment and authorization to replace the certification and accreditation (C&A) progress for Authority to Operate (ATO) government systems for cloud computing. Cloud Computing Security Requirements Baseline Continuous Monitoring Assessment and Authorization Approach

13

14 Federal Cloud Computing Strategy: FISMA Security Requirements The Federal Information Security Management Act (FISMA) has a wide range of security requirements that include, but are not limited to: compliance with Federal Information Processing Standards agency specific policies; Authorization to Operate requirements; and vulnerability and security event monitoring, logging, and reporting It is essential that the decision to apply a specific cloud computing model to support mission capability considers these requirements. Agencies have the responsibility to ensure that a safe, secure cloud solution is available to provide a prospective IT service, and should carefully consider agency security needs across a number of dimensions, including but not limited to: Statutory compliance to laws, regulations, and agency requirements; Data characteristics to assess which fundamental protections an application s data set requires; Privacy and confidentiality to protect against accidental and nefarious access to information; Integrity to ensure data is authorized, complete, and accurate; Data controls and access policies to determine where data can be stored and who can access physical locations; Governance to ensure that cloud computing service providers are sufficiently transparent, have adequate security and management controls, and provide the information necessary for the agency to appropriately and independently assess and monitor the efficacy of those controls. For additional discussion and considerations regarding trust and security in the context of cloud computing, please refer to the online NIST cloud computing resources* and

15 It is not FISMA-compliant. Take it back!

16 How do we balance benefits from the cloud with protection of those benefits?

17 Security controls do not have one size fits all for safeguarding cloud computing.

18 Cloud security is so easy, that even a

19 Would you prefer a false sense of security instead of real measures?

20 There are always threats to using cloud services.

21 Someone is always wanting to steal your data.

22 We evaluate the potential levels of threats and vulnerabilities to determine the impact of risk.

23 We must understand how cloud technology protects the privacy of personally identifiable information (PII) and other sensitive information?

24 How do I measure assurance in the cloud for compliance with FISMA???

25 NIH works to ensure the confidentiality, integrity, and availability of our medical data and patient privacy as required by legislation such as HIPAA and the E-Government Act of 2002.

26 Our first step: put FISMA compliant language into acquisition contracts for cloud services.

27 The devil is in the details of security requirements in service level agreements.

28 Enabling cloud computing requires collaboration with acquisition staffs to help them understand about the need for protective measures to incorporate into contracts, MOA/MOU and other acquisition mechanisms.

29 Monitor security requirements for cloud services as a continuous process.

30 Traditional remedies to security requirements The dip in security requirements seems to coincide with the decision to eliminate the security staff.

31 Finding a practical solution Efficient applications for using cloud services; Virtual machine provisioning; Continuity and availability of critical components; Reduced costs in virtualization for more cost-effective operations; Measures to actually protect data stored, processed and transmitted through the cloud ; Meet the goals of the Federal Cloud First policy and requirements of FISMA; Use of FedRAMP and SLA requirements.

32 John Johnson, CISSP Information Systems Security Officer (ISSO) NIDDK/NIH/HHS