Cloud Security. A Sales Guy Talks About DoD s Cautious Journey to the Public Cloud. Sean Curry Sales Executive, Aquilent

Transcription

1 Cloud Security A Sales Guy Talks About DoD s Cautious Journey to the Public Cloud Sean Curry Sales Executive, Aquilent

2 The first in a series of audits DoD did not fully execute elements of the July 2012 DoD Cloud Computing Strategy For the three cloud computing contracts reviewed, no waivers from the designated review authority to use a non-dod approved CSP DoD CIO had not developed an implementation plan (as of June 2014) nor a detailed written process for obtaining a GIG waiver Greater risk of not preserving the security of DoD information against cyber threats 2

3 Cloud First Requires Federal Government shift to a Cloud First policy Cites benefits of cloud Economical Flexible Fast When evaluating options for new IT, agencies should default to cloud-based solutions whenever a secure, reliable, costeffective cloud option exists NIST to lead the development of standards for security, interoperability, and portability SP Guide to Security for Full Virtualization Technologies, January 2011 SP NIST Definition of Cloud Computing, September 2011 SP Guidelines on Security and Privacy in Public Cloud, November 2011 SP NIST Cloud Computing Synopsis and Recommendations, May 2012 Scaling to larger sets of consumers and resources is one of the important strategies for public clouds to achieve low costs and elasticity; if this scaling is achieved, however, it also implies a large collection of potential attackers. 3

4 Federal Risk and Authorization Management Program (FedRAMP) Developed in collaboration with NIST, GSA, DoD and DHS Ensures cloud based services have adequate information security Eliminates duplication of effort and reduce risk management costs Enables rapid and cost-effective procurement of information systems/services for Federal agencies Tools Developed a list of NIST controls CSPs must meet for Low and Moderate Impact levels Developed Security Assessment Framework (SAF) which details the security assessment process Cloud Service Providers (CSPs) must use to achieve compliance with FedRAMP. Developed a security contract clause template to assist federal agencies in procuring cloud-based services Maintains a Security Repository of CSP compliant providers who have obtained Provisional ATOs 4

5 DoD Cloud Strategy June 26, 2012 DoD CIO designated DISA to perform cloud brokerage functions to achieve IT efficiencies, reliability, interoperability and improve security and end-to-end performance by using cloud service offerings. IOC as Enterprise Cloud Service Broker (ECSB) on April 16, 2013 DoD Cloud Security Model (CSM) established security guidelines for hosting DoD data/mission/ applications in a cloud environment. Continuous updates, current version is ECSB CSM v2.1 dated March 13, 2014 Establishes the DoD security requirements for CSPs to host DoD mission up to and including Secret In July 2012, the DoD CIO issued the DoD Cloud Computing Strategy to accelerate the DoD adoption of cloud computing and take advantage of its benefits. The strategy provides elements intended to foster adoption of cloud computing and establish a DoD cloud infrastructure. Elements in the strategy include, but are not limited to, the establishment of broker services, training, contract clauses, and broker management capabilities such as: providing an integrated billing and contracting interface; managing integrated service delivery from DoD and commercial cloud service providers (CSPs); controlling usage and optimizing cloud computing workload distribution; and providing a common, integrated helpdesk. 5

6 Transitioning to the Cloud The DoD Enterprise Cloud Environment will facilitate consolidating and optimizing the Department s IT infrastructure, including data centers and network operations, and standardizing IT platforms that ensure a secure cyber environment and leverage Agile development. The Department will also adopt commercial cloud computing solutions to the greatest extent possible in support of the Department s mission. 6

7 Commercial Cloud Process FedRAMP Authority to Operate CSM ATO Levels 1-2 (Public) CSM ATO Levels 3-5 (NIPR) CSM ATO Level 6 (SIPR) System-Specific ATO John Doe DoD DAA 100 s of Cloud Service Providers (CSP) 1 Provisional Authorization granted 2 2 Increasing Security and Operating Requirements The DoD provisionally authorized commercial CSP offering is eligible to be included in the Enterprise Cloud Service Catalog Providers are a mix of IaaS, PaaS, SaaS (Initial Focus is on IaaS) 18 FedRAMP Compliant CSP Offerings 1 Provisional Authorization granted 3 1 Source: 2 Provisional ATO granted to 3 CSPs by February AWS GovCloud Provisional ATO granted 8/8/2014 to deploy pilot applications DoD Cloud Security Process and Requirements (Administered via DISA) 7

8 Moves and Countermoves Broker concept is still being developed by DoD and not fully in place DON will ensure systems are properly certified and formally approved by the appropriate DAA and ensure commercial CSPs are used to support low-impact systems and missions functions, unless a more cost effective DoD solution is identified Enterprise Cloud Service Broker (ECSB) IOC on April 16, 2013 DON CIO 04 June 2013 Update to DON Approach to Cloud Computing Cancels 01 April 2013 memo DON CIO will use the Broker to: arrange for offerings via the Enterprise Cloud Service Catalog or other contract vehicles approved by the Broker Identify and vet commercial CSP s to host low impact systems DOD CIO 16 December 2013 Update to DON Approach to Cloud Computing All commercial cloud requests proceed through the DoD Cloud Broker DoD PA or DISN GIG Flag Panel approval prior to acquisition and use Suspension of deployments not having DOD PA or not hosted with DoD s infrastructure 8

9 Catching Fire February CSPs have DOD PAs for Impact Levels 1 and 2 21 May 2014 Terry Halvorsen becomes acting DoD CIO 8 August AWS GovCloud PA granted for Levels 3-5 Conditional upon establishing NIPRNet connectivity to GovCloud, with CND Leveraging the PA, system owner DAAs (not DISA) responsible for system accreditation 11 November 2014 DoD Cloud Way Forward Comprehensive cloud guidance to CSPs and DoD customer organizations Requires physical separation from non-dod tenants for impact levels 3-5 Outlines process for requirements that cannot be met by a DoD provisionally authorized cloud service 9

10 The first in a series of audits DoD did not fully execute elements of the July 2012 DoD Cloud Computing Strategy For the three cloud computing contracts reviewed, no waivers from the designated review authority to use a non-dod approved CSP DoD CIO had not developed an implementation plan (as of June 2014) nor a detailed written process for obtaining a GIG waiver Greater risk of not preserving the security of DoD information against cyber threats 10

11 Breaking News 7 December Draft Cloud Computing Security Requirements Guide (SRG) V1 Incorporates, supersedes, and rescinds the previous Cloud Security Model A Technical Interchange Meeting (TIM) held 12/18 to discuss the SRG Impact Levels 1 (public information) and 3 (low impact Controlled Unclassified Information (CUI) were merged with the next higher impact levels DISA is considering accepting FedRAMP Provisional Authorization as the basis for granting a DOD P-ATO for Impact Level 2 15 December DoD CIO Updated Guidance on the Acquisition and Use of Commercial Cloud Services Cancels 2 key DoD Cloud Memos: Designation of the Defense Information Systems Agency as the Department of Defense Enterprise Cloud Service Broker, 26 June 2012 Supplemental Guidance on the Use of Commercial Cloud Computing Services, 16 December 2013 DoD components may acquire cloud services directly Requires Business Case Analysis (BCA) and cloud services offered by DISA must be considered Components may host unclassified DoD data that has been publicly released on FedRAMP approved cloud services Cloud services used for Sensitive Data must be connected to customers through a DoD CIO approved Cloud Access Point (CAP) provided by DISA or another DoD Component 11