ISSUE BRIEF. Cloud Security for Federal Agencies. Achieving greater efficiency and better security through federally certified cloud services

This paper is intended to help federal agency executives better address federal security and privacy requirements when choosing cloud computing services. We explain how using a cloud provider that is certified through the Federal Risk and Authorization Management Program (FedRAMP) and the General Services Administration's Blanket Purchase Agreement (BPA) for Infrastructure as a Service (IaaS) offers agencies real potential for improving efficiency and risk management in establishing their IT infrastructure in the cloud. We also delineate the FedRAMP lines of responsibility between agencies and cloud providers, and provide guidance for evaluating cloud providers to maximize benefits and minimize delivery risk.

A critical issue, but not a barrier

Cloud computing offers federal agencies a powerful means to reduce costs, deliver more timely services, and significantly reduce burdens on internal IT resources. While the promised value is compelling, agency managers cite security and data privacy concerns as primary reasons for not migrating specific systems to the cloud. They are concerned about the loss of control inherent in the multi-tenant nature of cloud computing, which requires rigorous controls and continuous monitoring to prevent potential data leakage and unauthorized access. They also require visibility into potential security incidents and must be able to respond to security audit findings and obtain support for investigations.

"It is not sufficient to consider only the potential value of moving to cloud services. Agencies should make risk-based decisions which carefully consider the readiness of commercial or government providers to fulfill their Federal needs."
Vivek Kundra, U.S. Chief Information Officer, Federal Cloud Computing Strategy, February 8, 2011

As a result, security and data privacy were top priorities that the General Services Administration's (GSA's) Federal Cloud Computing Initiative sought to address to facilitate cloud adoption. GSA has collaborated with the Federal Chief Information Officer (CIO), the National Institute of Standards and Technology (NIST), the CIO Council, and Senior Agency Information Security Officers to build a common cloud security Assessment and Authorization (A&A) framework called the Federal Risk and Authorization Management Program (FedRAMP). GSA has also required cloud providers on its Blanket Purchase Agreement (BPA) for Infrastructure as a Service (IaaS) to receive A&A to support systems requiring Low or Moderate Risk Impact environments. In addition, these vendors must pass stringent National Agency Checks with Investigations according to HSPD-12 criteria. Prior to these initiatives, early movers to the cloud had to take on undue risk to meet desired timeframes.

Keys to minimizing risk and maximizing value

The Federal Cloud Computing Strategy released February 8, 2011, recommends that agencies carefully consider their cloud security needs across a number of dimensions, including statutory compliance, data characteristics, privacy and confidentiality, integrity, data controls and access policies, and governance. In addition, NIST's recent draft publication Guidelines on Security and Privacy in Public Cloud Computing (SP 800-144) identifies nine security and privacy considerations for planning, reviewing, negotiating or initiating a public cloud service outsourcing arrangement. Agencies can fast-track their realization of cloud savings and other benefits, while simultaneously addressing the security and privacy challenges highlighted by NIST, by leveraging GSA's IaaS BPA.

By choosing cloud providers on the GSA BPA for IaaS, agencies can confidently achieve:

- Physical separation of software in federal clouds from commercial clouds
- Tenant and vendor administrators vetted by the federal government
- Data ownership and protection approaches clearly stating that agencies own their data and spelling out mutually agreed processes the agency and cloud provider will follow for Freedom of Information Act or other data requests
- Clear scope of security models and environments that are pre-tested by the government to meet FISMA Moderate Risk Impact requirements and provide continuous monitoring. Agencies with higher security requirements can work with certified cloud providers to design and deploy systems that meet more stringent specifications.
- Transparency into what security features are included in a cloud bid, and what additional services are available or desired by the agency to meet its specific needs
- Ability to solve many security challenges more efficiently than with internal solutions, by leveraging the significant investments made by providers to deliver superior controls and enterprise-class production environments that are pre-tested and certified by the government
- Faster authorization of systems moving to the cloud by re-using existing security authorizations established via FedRAMP, and separately certifying only additional agency- and application-specific requirements
- Savings in time and money by using existing security authorizations, eliminating the need to visit data centers and to pursue and justify separate infrastructure accreditations (typically 40% of the A&A level of effort)
- More time and resources to focus on application security

"Ensuring data and systems security is one of the biggest and most important challenges for federal agencies moving to the cloud. FedRAMP's uniform set of security authorizations can eliminate the need for each agency to conduct duplicative, time-consuming, costly security reviews." [1]
David McClure, GSA's Associate Administrator for Citizen Services and Innovative Technologies

[1] "Guidelines would speed certification of cloud products, services," Government Computer News, November 2, 2010

FedRAMP Highlights

FedRAMP offers a common security A&A framework for cloud infrastructure; defines requirements for controls such as vulnerability scanning and incident monitoring, logging and reporting; and provides continuous monitoring services for certified government and commercial cloud computing systems that are intended for multi-agency use, improving risk management. An agency can leverage an existing authorization by accepting the findings in that FedRAMP package. The authorization remains in effect as long as the related security risks are accepted by the agency and the authorization complies with relevant policies.

Realizing greater security in the cloud

By using the IaaS BPA for cloud solutions, federal agencies can readily comply with the Federal Information Security Management Act's (FISMA's) comprehensive framework for securing their IT for a large majority of agency systems. The basis for determining the level of risk impact is Federal Information Processing Standard (FIPS) 199. Figure 1 shows that 88% of categorized federal systems are classified as FIPS Low or Moderate Risk Impact. By using cloud environments that have been certified to meet Moderate Risk Impact requirements, agency applications can in fact be more secure in the cloud than they are in many existing infrastructures, especially those based on legacy platforms using legacy controls.

Figure 1: FIPS Risk Impact of Categorized Federal Systems: Low 40%, Moderate 48%, High 12%. Source: Fiscal Year 2009 Report to Congress on the Implementation of The Federal Information Security Management Act of 2002

40% of categorized systems are classified as Low Risk Impact. Examples include public-facing websites with non-sensitive data as well as applications such as inventory systems. Systems with public data that is subject to transparency requirements have been among the first to leverage the cloud. For example, the Recovery Accountability and Transparency Board deployed Recovery.gov in the cloud, and NASA has also leveraged the cloud for public information. When considering the public cloud for such systems, agencies should ensure that cloud providers can provide a security level that prevents data tampering or disruption of service.

48% of categorized systems are classified as Moderate Risk Impact. These include systems supporting operations and those processing sensitive data such as personally identifiable information (PII), Confidential Business Information (CBI), and personal health information. Federal financial systems that process budget and procurement information, purchase card numbers, banking information for payments, or Social Security Numbers would be categorized as Moderate Risk Impact. Often, such financial systems are better suited to Virtual Private Clouds, for which agencies can dictate their required levels of security. Virtual Private Clouds give agencies exclusive use of computing infrastructure and allow them to prescribe specific security measures without requiring infrastructure investment.

Inherent security advantages of cloud technology

- Automated security management
- Greater redundancy
- Improved disaster recovery (no matter what happens to a desktop or laptop, data is backed up in the cloud)
- Simplified security auditing and testing
- Shifting public data to an external cloud reduces the risk of exposing internal, sensitive data
- Centralizing data allows skilled experts to ensure that all security measures are taken, eliminating risks posed by employees with less technical skill

Agency security responsibilities vs. certified cloud provider responsibilities

When determining additional agency security requirements to deploy as part of their move to the cloud, per the NIST model, it is the agency's responsibility to address the security and risk management of its own major applications. Security controls can be provided by the application owner or can be secured from a qualified vendor (see Figure 2).

Figure 2: Examples of Available Security Controls (column headings as recovered: Governance, Risk and Compliance; Data Risk Management; Infrastructure Protection Management)

- Compliance reporting services
- Vulnerability management
- Security event and incident management
- System operational risk management
- System security measures and configurations
- Application activity management
- Strong authentication
- Identity management
- Web policy management
- Data loss prevention
- Intrusion protection services
- Endpoint protection
- Log management services
- Firewall management
- System antivirus software configuration
- Secure messaging services
- Anti-DDoS
- Operating system related security, patching and vulnerability scanning
- Configuration management
- Policies and procedures

For agencies preferring that their cloud provider perform continuous monitoring, back up and restore data, and/or guarantee that data centers are located on U.S. soil, certified providers on GSA's BPA for IaaS will meet these requirements.

Figure 3 (Comparison of Agency and Certified Cloud Provider Responsibilities) shows the security responsibility boundaries between agencies and certified cloud providers for virtual machines and web hosting services offered on the BPA for IaaS. For virtual machines, agencies are responsible for securing the O/S, hosting software and major application. With web hosting, the cloud provider handles the O/S-related security and some hosting software security. Any responsibility gaps can be identified clearly so that agencies can decide what additional security controls, performance reporting, or other standards of compliance are needed, and whether to address those internally or through their cloud provider.

Figure 3: Comparison of Agency and Certified Cloud Provider Security Responsibilities

Layer                 | Virtual Machines        | Web Hosting
Major Application     | Agency                  | Agency
Web Hosting Software  | Agency                  | Agency / Cloud Service Provider (shared)
Operating System      | Agency                  | Cloud Service Provider
Hypervisor            | Cloud Service Provider  | Cloud Service Provider
Physical              | Cloud Service Provider  | Cloud Service Provider

Note: Agencies must provide the Disaster Recovery (DR) testing and planning for their own cloud-based applications. This is unlike a typical managed hosting offering, which includes the recovery plans and testing. As a result, agencies may require DR services beyond the cloud offering to complete their needs.

Next steps

CGI offers a disciplined transition process to get you to the cloud with confidence. We are one of the 12 awardees under GSA's BPA for Infrastructure as a Service. One of our expert executive consultants also chairs TechAmerica's public sector task group, which is providing industry input into FedRAMP. CGI's cloud offerings compel the development of well-managed cloud initiatives because processes, governance, security and compliance are all embedded in our solutions.
In addition, as a full-service cloud and security partner, CGI helps protect operations at the infrastructure and data layers and provides advisory services designed to assess and strengthen security strategies. We offer the full range of security services, including security governance and engineering, cybersecurity and managed security services (e.g. program, configuration, incident and event management and business continuity services). Our certified, accredited and security-cleared experts use proven industry best practices such as ITIL and SANS, continuous monitoring, real-time reporting and immediate action on suspicious activity.

To learn how to find greater security in the cloud for your agency, or to talk to a CGI cloud expert about your specific situation, contact your CGI Federal program manager or visit us at.

ITIL is a registered trade mark of AXELOS Limited.
Axelos is a registered trade mark of AXELOS Limited.

Why CGI

- Nearly 35 years of experience in managing infrastructure, security and other business and IT services for complex organizations
- Trusted by more than 180 CIOs to manage their IT infrastructure
- Experience providing infrastructure support for 50+ federal agencies
- Major cybersecurity practice and significant percentage of federal practice professionals with security clearances
- Rigorous service management and governance processes that are proven against the most demanding requirements, with Service Level Agreements that are 98+% exceeded or met
- Ability to deliver entire applications to meet critical needs faster than agency data centers could deliver just the infrastructure, for example:
  - In just six weeks, built and deployed FederalReporting.gov in a virtualized hosting environment to handle Recovery Act funding recipient reporting
  - In just six weeks, built and deployed a cloud-based portal to support a major health reform initiative. The portal, which includes data from more than 3,000 commercial and public sector organizations, enables citizens to conduct real-time comparisons so they can make more informed healthcare decisions.
- Flexible cloud approaches that can include blending with traditional hosting, ability to transfer customer data back in-house, and access to robust common services
- Vulnerability scanning and patch management for web hosting that provides embedded security to close the most common exploits

About CGI

A global leader in IT, business process and professional services, CGI partners with federal agencies to provide end-to-end solutions for defense, civilian and intelligence missions. For 35 years, we have delivered quality services to help clients achieve results at every stage of the program, product, and business lifecycle. We deliver end-to-end solutions in application and technology management, systems integration and consulting, business process management and services, advanced engineering and technology services, and operational support services. Our proven capabilities in high-demand areas include cloud, cybersecurity, biometrics, citizen services, data exchange, health IT and energy/environment. CGI has 31,000 employees in 125+ offices worldwide.