Securing Government Clouds Preparing for the Rainy Days


Securing Government Clouds: Preparing for the Rainy Days. Majed Saadi, Director, Cloud Computing Practice

Agenda
1. The Cloud: Opportunities and Challenges
2. Cloud's Potential for Providing Government Services
3. Strategizing for a Cloud-Based Government
4. Stratify: a Cloud Security Framework
5. Questions

SRA at a Glance (updated 6/15/2012)
Founded in 1978, SRA is dedicated to delivering innovative solutions to the US Federal Government.
- Approved FedRAMP 3PAO Assessor
- Current cloud vehicles: Army Private Cloud (APC2); GSA Email as a Service (EaaS) GWAC; FedRAMP 3PAO
- 90% of FY11 $1.7 billion in revenue generated as a prime contractor
- More than 6,300 employees across the country and around the world

SRA's Cyber Security Heritage
SRA has always been focused on the protection of the Federal Government, beginning with Continuity of Operations work in the late 80s, moving to Critical Infrastructure Protection and cybersecurity in the 2000s, and focusing on continuous diagnostics and mitigation, SOC operations, and cybersecurity preparedness.
Timeline milestones (1998 to 2012), in slide order:
- Developed the first Automated System Security Evaluation and Remediation Tracking Tool with the EPA (ASSERT)
- Received NSA IA-CMM rating (highest rating across Federal contractors)
- Security Program Maturity Model
- Privacy Practice established (DHS first client)
- CyberRisk Compliance Process
- Developed Computer Network Exploitation software and services for the IC
- Cyber Security SOC Maturity Model
- Developed SecureElite SRA SDLC
- Finalized one of the first Federal ISO 27001 certs for TSA SOC
- Congressional Scorecards (5 of the 7 A scores are SRA customers)
- Architect (committers) of NSA Accumulo Secure Cloud
- Received highest DoD CCRI rating to date (JSIN and EUCOM/AFRICOM projects)
- SRA wins a seat on the DHS CMaaS BPA
- Accredited FedRAMP Independent Third Party Assessment Organization (Type C)
- Cyber Security Practice established
- Cybersecurity Big Data capability using Hadoop

The Cloud: Opportunities and Challenges What do you need to know about government and the cloud? And why should you care?

Cloud & Cloud Security Trends

Government Cloud Computing Drivers
Why move to the Cloud? IT efficiency, flexibility & elasticity, and compliance:
- Reduce infrastructure overhead (equipment & personnel) using cost-controlled, easy-to-manage processing power
- Comply with federal mandates (Cloud First)
- Transfer infrastructure risks to contractors or service providers
- Satisfy short-term & short-notice needs (surges)
- Enhance service availability & remote accessibility options
- Increase agility in responding to infrastructure change requirements
- Facilitate proprietary application modernization, development and integration
- Improve business continuity & disaster recovery
- Improve the enterprise Green IT posture

Questions on Our Customers' Minds
- How do I enable my agency to benefit from commodity cloud services while ensuring compliance and security?
- How do I ensure that I have complete FISMA compliance with a FedRAMP cloud?
- How do I transform my IT shop to allow my customers to consume cloud services from a centralized service catalog?

The US Government & The Cloud: An Update
- Cloud First Initiative: potential savings ~$20 billion (25% of IT budget)
- Federal Data Center Consolidation Initiative (FDCCI): close or consolidate ~1,200 of ~2,900 federal data centers; expected savings ~$2.4-$5 billion
- IaaS & EaaS BPAs
- Other initiatives: PortfolioStat, Mobility, Digital Government Strategy
Source: FCW.com

Privacy and Security Legal Requirements
- Federal: GLBA; FTCA; SOX; FCRA/FACTA; HIPAA; FISMA, DIACAP; FERPA; 21 C.F.R. Part 11 (FDA Regulations); Executive Orders and Agency Memoranda; COPPA; Federal Risk and Authorization Management Program (FedRAMP)
- State: Notice of Security Breach; Other State Laws
- International: EU Data Protection Directive Member Countries; Canada PIPEDA; Others (e.g., UK, Japan, Australia)
- Private Contractual Requirements and Standards: PCI DSS; Business Associate Agreements; Service Provider Agreements; NIST; MPAA; ISO 27001, 27002, etc.; Cloud Security Association

FedRAMP's Purpose (slide dated 4/21/2014)
The Problem: a duplicative, inconsistent, time-consuming, costly and inefficient cloud security risk management approach with little incentive to leverage existing Authorizations to Operate (ATOs) among agencies.
The Solution, FedRAMP: a unified risk management approach; a uniform set of approved, minimum security controls (FISMA Low and Moderate Impact); a consistent assessment process; a provisional ATO.

FedRAMP Executive Sponsors: Office of Management and Budget; US-CERT; Incident Coordination; CyberScope; Continuous Monitoring Data Analysis

Cloud's Potential for Providing Government Services: Is the cloud really the solution?

The Demand for Change is Great: Sequestration; Budget Cuts; Mandates; Shadow IT; Mobile Workforce

Dad, What is This?

The Digital Natives are Here!
Traditional: Buy hardware for that; I need an iron-clad application; License to own a product; Build to last; Expect it to be $$$
Digital natives: There is an app for that; I need an app store; License to use a service; Build to replace; $1.00 maybe?

A New Paradigm for a New IT Worker
Old: Designed for endurance; Operated with a tech sense; Service optional
New: Designed to accept failure; Operated with a business sense; Service first

Is Cloud a Tipping Point?
- Cloud Computing is mature IT, but it's also flexible IT, mission-aligned IT and, for some, it's also cool IT
- Cloud Computing changes users' expectations and promises a simplified, business-oriented approach
- What IT organizations fear about the cloud is the potential of losing control. Cloud Computing does force IT organizations out of their comfort zone
- Cloud Computing will soon become IT as usual, but it will surely impact all IT organizations

Strategizing for a Cloud-Based Government: Yes, we do need a strategy!

Government-Specific Considerations: Procurement Vehicles; Budget Cycles; Security & Compliance; Service Level Management; Portability & Interoperability; Organizational Change Management; Politics

A Gap Example: The Power Grid Analogy One Metric = One SLA = Life is Simple

A Gap Example: The Power Grid Analogy Many Metrics = Many SLAs = Life is Complicated

The Power Grid Analogy Who reads the meters? Who trusts the readings? Who controls Spending? Who makes the decisions??

Developing a Realistic Cloud Plan
- Understand the cloud concepts
- Approach cloud as part of your strategy, but not as an ultimate solution!
- Identify the cloud solutions or technology components that make sense to your organization
- First envision, then architect
- Do not keep your strategy a secret: visualize, communicate, publicize
- Use proven frameworks to reduce risks: TOGAF, DODAF, FEAF, ITIL

SRA's Cloud Computing Support Services
SRA Cloud Computing Support Services cover the complete cloud lifecycle to ensure comprehensive alignment of Cloud Services with our customers' business and mission objectives.
Lifecycle phases: Strategy; Readiness; Engineering; Modernization; Management
Services: Cloud Strategy Development; Cloud Readiness Assessment; Cloud Architecture; Cloud Software Modernization; Cloud Software & Services Integration; Cloud Migration Planning and Execution; Cloud Service Management & Governance; Cloud Security Management

SRA's Cloud Brokerage CONOPS: Architectural Options (diagram)
Actors: Federal Cloud Consumers; Cloud Service Enabler (Full Broker); Cloud Service Providers (AWS); FedRAMP 3PAOs
Functions shown: Unified Service, Performance & Financial Reporting; Trend & Predictive Analysis; Program & Portfolio Management; Project Management; Application Management and Oversight; Mission and Architectural Requirements and Objectives; Requirements Changes; Pre-negotiated SLAs & Pricing; Cloud APIs; Service Management; Cloud Lifecycle Management; Portability & Interoperability Management; Security & Compliance; Service Levels; Warranty Support; Response Support; Discovery Support; Cloud Service Orchestration; Cloud On-Boarding & Off-Boarding; Cloud Assessment; Initial & Periodic Security Control Assessment; Cloud Backbone Management (IaaS, PaaS, SaaS); Security Control Documentation; Auditing Security Controls Documentation

Cloud Security is a Shared Responsibility
SRA's Stratify allows federal CIOs and CSOs to address cloud security and compliance gaps by bridging FedRAMP and FISMA Moderate controls with a realistic, practical and cloud-centric architecture.
Stratify responsibility layers, from the top (customer and cloud systems integrator responsibility, then joint responsibility) to the bottom (cloud service provider responsibility): Engineering & Administration Personnel; Applications; Data; Operating Systems; Service Management; Transport Systems; Hypervisors; Physical Servers; Physical Infrastructure; Datacenter Personnel

The Stratify Reference Architecture Model

Anatomy of a Cloud A successful cloud implementation requires providing solution(s) for all required components as well as all the optional components required by the environment.

Anatomy of a Secure Cloud
To be able to call a cloud solution a secure one, four elements should be introduced: Security Technology, Security Reporting, Governance & Continual Improvement, and Compliance Validation.

Stratify: a Reference Architecture
- Security Reporting: Alerts Management; Compliance Dashboards
- External Penetration Testing & Compliance Validation
- Incident Response, Notification and Remediation
- Application Software Security
- Security Audit Management
- Logs Collection & Analysis
- Configuration Management: Asset Discovery & Control; Configuration Control; Image Management; Baseline Compliance
- Identity & Access Management: Multi-factor Authentication; Authorization Management; Single-Sign-On
- Continuous Vulnerability Monitoring & Remediation
- Malware Defense
- Managed Security Devices: Network Access Controls; Intrusion Detection & Prevention; Network Behavioral Anomaly Detection
- Data Security Management: Data-at-Rest Encryption; Data-in-Transit Encryption; Data Loss Prevention; Data Resilience
- Perimeter Defense
- Personnel Security Training & Talent Management
- Governance & Continual Improvement
- Physical Security

Reference Architecture Applicability Example
The same Stratify component map, with each component keyed as Must Have or Good to Have. The applicability of certain architectural components to a specific environment is highly influenced by SRA's customer intimacy, understanding of strategic goals, and the applied use case.

Reference Architecture Responsibilities & Ownership Example
The same Stratify component map, with each component keyed by owner: CSP, Enabler, Joint, or Customer/SI. Understanding the scope of ownership and responsibility for each of the architectural components is essential, as Cloud Security cannot be successful unless its underlying responsibilities are well defined and communicated to each of the players.

Modular Implementations Approach
- Stratify can be applied as a blueprint architecture where an agency would map each of the architectural components to existing and road-mapped investments in security products.
- It could also be applied holistically as a turnkey packaged solution (with all its recommended products), especially when new programs or green-field initiatives are commenced in the cloud.
- The modular Stratify architecture enables government agencies to utilize their existing security product investments to secure their cloud implementations. Using it as a target integration architecture also highlights any gaps that could be remediated using proven technology.

Mapping to Key Security Frameworks

Partner & Product Selection Criteria
Stratify partner criteria: Integration Capabilities (APIs); Cloud Offerings and Licensing Model; Stable Business Model; Gartner/Forrester Assessment; Tool Areas Mapping; Proven in Government; Thought Leader; Comprehensive; Cost Effective; Feasible; Practical

Partner Mapping to Reference Architecture

My Final Message
- The Cloud is here, and the government is starting to consider it in its strategy
- With new opportunities come new challenges
- The Cloud will have an impact on the way the government supports its mission
- It will also have an impact on how commercial vendors and FSI conduct business with the government
- The impact should not be overlooked!

Questions & Contact Information
Majed Saadi, Director, Cloud Computing Practice, SRA International
Email: majed_saadi@sra.com
LinkedIn: http://www.linkedin.com/in/majedsaadi
Twitter: @majedsaadi
ohcloud Blog: http://ohcloud.blogspot.com

Key Stratify Outputs
- Security Reference Architecture Model: details the different technology components that constitute secure cloud environments and their interrelationships. Focuses on common IaaS use scenarios and provides the blueprints for employing them.
- Mapping to Key Security Frameworks and Controls: assists CIOs and CSOs in making the cloud migration decision in the context of the proven models (FISMA, SANS 20, FedRAMP, etc.)
- Technology Recommendations: lists proven best-of-breed technical solutions along with their associated vendors and aligns them with the architectural components detailed in the Security Reference Architecture Models
- Compliancy Dashboards: provides CSOs with the ability to monitor their cloud environments with government-oriented security metrics

Stratify Demo

Stratify Demo Architecture (diagram)
A GovCloud Region spanning Availability Zone A and Availability Zone B, connected to the Agency Data center through a VPN Gateway, with an Internet Gateway and Elastic Load Balancing in front of the workloads.
- Subnets: Security VPC Subnet; App VPC Subnet (Auto Scaling Group); DB VPC Subnet (Auto Scaling Group)
- Security tooling: Vulnerability Scanning & Monitoring Tool; Configuration Control Tool; Logs Correlation Tool; Aggregation Dashboards; Secure AMI Library; Penetration Testing Tool; Advanced Firewall Tool; Anti-Virus Tool
- A Simulated Attack arriving through the Internet Gateway
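The demo layout lends itself to a simple segmentation check. The following is an added example, not SRA's or the demo's code: it models the diagram's tiers as permitted flows (constructed sample values; the port numbers and tier names are assumptions) and verifies that the DB subnet is reachable from the Internet only through the App tier, that the Security subnet tooling can reach every workload tier, and that only the agency data center enters through the VPN Gateway. A weakened variant with the DB port opened to the Internet Gateway shows how a violation is reported.

```python
from collections import deque

# Tiers from the demo diagram. Each edge is a (source, destination, port)
# flow that the route tables and security groups would permit.
# Constructed sample values; ports are assumptions, not the demo's settings.
BASELINE = {
    ("internet", "internet_gateway", 443),
    ("internet_gateway", "elastic_load_balancer", 443),
    ("elastic_load_balancer", "app_subnet", 8443),
    ("app_subnet", "db_subnet", 5432),
    ("agency_datacenter", "vpn_gateway", 443),
    ("vpn_gateway", "security_subnet", 443),
    # Security subnet tooling (scanner, configuration control, log
    # correlation) must reach every workload tier; modelled here as SSH.
    ("security_subnet", "app_subnet", 22),
    ("security_subnet", "db_subnet", 22),
    # Workload tiers ship logs to the correlation tool over syslog.
    ("app_subnet", "security_subnet", 514),
    ("db_subnet", "security_subnet", 514),
}

def reachable(start, flows):
    """Nodes reachable from start by following permitted flows (BFS)."""
    seen, queue = {start}, deque([start])
    while queue:
        node = queue.popleft()
        for src, dst, _port in flows:
            if src == node and dst not in seen:
                seen.add(dst)
                queue.append(dst)
    return seen - {start}

def db_paths_from_internet(flows):
    """All simple paths from the internet to db_subnet, as node lists."""
    paths = []
    def walk(node, path):
        if node == "db_subnet":
            paths.append(path)
            return
        for src, dst, _port in flows:
            if src == node and dst not in path:
                walk(dst, path + [dst])
    walk("internet", ["internet"])
    return paths

def check_layout(flows):
    """Return policy violations for a flow set (empty list means sound)."""
    violations = []
    # 1. Every internet -> db path must traverse the app tier.
    for path in db_paths_from_internet(flows):
        if "app_subnet" not in path:
            violations.append("internet reaches db_subnet bypassing app tier: "
                              + " -> ".join(path))
    # 2. Only the app tier and security tooling may talk to the DB tier.
    for src, dst, port in flows:
        if dst == "db_subnet" and src not in ("app_subnet", "security_subnet"):
            violations.append(f"direct flow {src} -> db_subnet:{port}")
    # 3. Security tooling must be able to scan every workload tier.
    for tier in ("app_subnet", "db_subnet"):
        if tier not in reachable("security_subnet", flows):
            violations.append(f"security tooling cannot reach {tier}")
    # 4. Only the agency data center enters through the VPN gateway.
    for src, dst, _port in flows:
        if dst == "vpn_gateway" and src != "agency_datacenter":
            violations.append(f"unexpected VPN ingress from {src}")
    return violations

# Weakened variant: the DB port was opened directly to the internet gateway.
WEAKENED = BASELINE | {("internet_gateway", "db_subnet", 5432)}

if __name__ == "__main__":
    for name, flows in (("baseline", BASELINE), ("weakened", WEAKENED)):
        print(name, check_layout(flows) or "OK")
```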


Demo screens: Clean Results; Attack Initiated; How Vulnerable Systems will show