What should go to the Cloud and When. What should NOT go to the Cloud and Why

Cloud: a new business model for IT delivery in Federal
- Programmatic approach to cloud security (FedRAMP, DISA SRG)
- Cloud Service Providers have built their infrastructure and had it audited by a Third Party Assessment Organization (3PAO) against the required baselines
- It is now possible to deliver some IT workloads from the cloud. The question is: which IT workloads? The answer is different for each agency (or company)
- Civilian agencies follow the FedRAMP baseline (moderate systems = 325 baseline security controls from NIST SP 800-53 rev 4)
- DoD agencies follow the DoD Impact Levels

DoD Impact Levels
- Originally six levels; there are now four (level 1 was merged into level 2, and level 3 into level 4)
- Impact Level 2 = uncontrolled unclassified information (public-facing information)
- Impact Level 4 = Controlled Unclassified Information (CUI): PII, PHI, mission-sensitive data
- Impact Level 5 = unclassified National Security Systems
- Impact Level 6 = classified information up to the Secret level
- DoD Cloud Service Provider requirements begin with FedRAMP: Impact Level 2 requires FedRAMP; Impact Levels 4, 5 and 6 require FedRAMP+ (all FedRAMP controls plus the additional security controls for the specific Impact Level, plus any additional controls required by the mission)

Responsibilities of agencies/missions
- Use cloud services for IT delivery when it is mission-effective and cost-effective
- Only use approved FedRAMP or DISA Cloud Service Providers: those holding a FedRAMP/DISA P-ATO (Provisional Authority To Operate). In DoD, the cloud service must be approved at the appropriate Impact Level
- Perform a security controls gap analysis to determine whether a given application/service requires additional security controls beyond those accounted for in the FedRAMP and FedRAMP+ baselines
- Grant an ATO for use of the Cloud Service Provider if appropriate

Typical data center: all IT services are delivered on premise from the data center, so it is important to know the TCO for this model.
(Diagram: existing apps/infrastructure, new IT initiatives, and retired infrastructure now used for test/dev, all hosted in the typical data centers)

Challenges with TCO calculations in agencies
- Primary measure: cloud should be used when it is the most mission-effective and cost-effective means of IT delivery
- Determining the most cost-effective business model means knowing what it costs you (the agency) to deliver an IT service
- It can be difficult for agencies to determine their TCO because TCO calculations can span multiple budgets; in Federal, the infrastructure, network and facilities can all have different budget owners
- A net spending increase in one area could bring big savings in another, so TCO is really important

Cloud brings new possibilities for IT delivery
(Diagram: existing apps/infrastructure, new IT initiatives, retired infrastructure and test/dev mapped onto cloud providers such as AWS, Azure and VMware)

Cloud is a new business model
- Of your current IT, what could be more cost-effective and/or efficient if delivered from a cloud provider?
- Which is the best cloud provider (AWS, Azure, VMware) for a given IT app/service?

How we determine what should or should not be delivered from a cloud provider
First inspect each IT workload through a business lens. Some things to review:
- Characteristics of the application: is the app cloud-ready?
- Has the existing investment been realized?
- Licensing issues (for example, processor-based licensing)
- Data transfer
- Dependent systems
Three outputs:
- List of workloads that should NOT go to the cloud
- List of workloads that cannot go to the cloud now, but could be made to
- List of workloads that should be considered for delivery from a cloud provider

Next, review the cloud-ready list from the business review through a security lens:
- Review the System Security Plans (SSPs)
- Compare them against the FedRAMP controls
- Determine whether the security control gaps can be accommodated by one or more CSPs
Review first through a business lens and then through a security lens, because the security review is tedious, specific and very important; it requires a very specific skill set.
Three outputs:
- List of IT workloads that should NOT go to any cloud provider
- List of IT workloads that cannot currently go to any cloud provider, but could be made to
- List of IT workloads that CAN go to a cloud provider (mission-effective)

Review the cloud candidate list to determine which cloud service provider (AWS, Azure, VMware) would be best for a given IT service, and determine whether it is cost-effective to deliver that IT service from a cloud provider. Although each cloud provider builds its infrastructure to the same FedRAMP/DISA security controls, how they deliver services and how they charge for services can differ greatly.
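The two-lens triage described above (business lens first, then SSP-versus-baseline gap analysis against each CSP's authorization) as a worked example. This is added illustration, not code from the presentation or from any agency: the control IDs are a handful of NIST SP 800-53 identifiers standing in for the 325-control FedRAMP moderate baseline, and the CSP names, their authorized Impact Levels, their control coverage, the "customer-closable" control set and the workloads are all constructed. Cost comparison, the last step, is left out because it depends on each provider's pricing model.

```python
"""Workload triage: business lens, then security lens, then which CSPs fit.

Added example; every control ID, CSP and workload below is constructed.
"""
from dataclasses import dataclass

# Constructed stand-in for the FedRAMP moderate baseline (real baseline: 325 controls).
FEDRAMP_MODERATE = {"AC-2", "AC-17", "AU-2", "AU-6", "IA-2", "SC-7", "SC-8", "SC-28", "IR-4", "CP-9"}

# Constructed: controls a mission could implement itself on top of a CSP (e.g. in the
# application layer). A gap limited to these means "not now, but could be made to".
CUSTOMER_CLOSABLE = {"SC-13", "AU-10", "IA-5(13)"}


@dataclass
class CSP:
    name: str
    authorized_level: int   # highest DoD Impact Level its P-ATO covers (hypothetical)
    controls: set           # controls the provider implements for tenants (baseline plus extras)


@dataclass
class Workload:
    name: str
    impact_level: int
    ssp_controls: set       # controls the System Security Plan requires
    cloud_ready: bool       # business lens: architecture fits a cloud delivery model
    investment_realized: bool  # business lens: existing investment has been amortized
    processor_licensing: bool  # business lens: per-socket/core licensing blocks the move
    rewritable: bool        # could be re-engineered if something above blocks it


def business_lens(w: Workload) -> str:
    """First pass. Returns 'no', 'later' (could be made cloud ready) or 'candidate'."""
    if w.processor_licensing or not w.cloud_ready:
        return "later" if w.rewritable else "no"
    if not w.investment_realized:
        return "later"  # revisit once the sunk cost has been recovered
    return "candidate"


def security_lens(w: Workload, csps: list) -> tuple:
    """Second pass, for business candidates only.

    Controls the SSP needs beyond the baseline are compared with what each CSP
    authorized at the workload's Impact Level actually provides.
    Returns (status, gaps) with status 'can', 'later' or 'no' and gaps keyed by CSP.
    """
    beyond_baseline = w.ssp_controls - FEDRAMP_MODERATE
    eligible = [c for c in csps if c.authorized_level >= w.impact_level]
    gaps = {c.name: beyond_baseline - c.controls for c in eligible}
    if any(not g for g in gaps.values()):
        return "can", gaps                      # at least one CSP covers everything
    if any(g <= CUSTOMER_CLOSABLE for g in gaps.values()):
        return "later", gaps                    # the mission could close the remaining gap
    return "no", gaps                           # no eligible CSP, or an uncloseable gap


def triage(workloads: list, csps: list) -> dict:
    """Runs both lenses; returns {workload: (lens that decided, status, CSPs that fit)}."""
    result = {}
    for w in workloads:
        b = business_lens(w)
        if b != "candidate":
            result[w.name] = ("business", b, [])
            continue
        status, gaps = security_lens(w, csps)
        fits = sorted(name for name, g in gaps.items() if not g)
        result[w.name] = ("security", status, fits)
    return result


# Constructed providers: FedRAMP-only at IL2, and two FedRAMP+ providers at IL4 and IL5.
CSPS = [
    CSP("CSP-A", 2, set(FEDRAMP_MODERATE)),
    CSP("CSP-B", 4, FEDRAMP_MODERATE | {"AC-2(12)", "SC-13"}),
    CSP("CSP-C", 5, FEDRAMP_MODERATE | {"AC-2(12)", "SC-13", "AU-10", "PE-3(1)"}),
]

# Constructed workloads covering each outcome of the two lenses.
WORKLOADS = [
    Workload("public-web", 2, {"AC-2", "SC-7", "SC-8"}, True, True, False, True),
    Workload("hr-records", 4, {"AC-2", "AC-2(12)", "SC-13", "SC-28"}, True, True, False, True),
    Workload("legacy-erp", 4, {"AC-2"}, False, True, True, True),
    Workload("nss-analytics", 5, {"AC-2", "AU-10", "SC-13", "IA-5(13)"}, True, True, False, False),
    Workload("secret-c2", 6, {"AC-2", "SC-13"}, True, True, False, True),
    Workload("facility-access", 4, {"AC-2", "PE-3(2)"}, True, True, False, True),
]

if __name__ == "__main__":
    for name, (lens, status, fits) in triage(WORKLOADS, CSPS).items():
        print(f"{name:16s} {lens:8s} {status:5s} {', '.join(fits) or '-'}")
```

The ordering matters in practice as well as in the code: the business lens is cheap and prunes the list, so the expensive SSP-level comparison is only done for workloads that survived it. Note that an Impact Level check alone is not enough; a provider authorized at the right level can still be missing a mission-specific control, which is exactly what the gap set per CSP surfaces.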

Final points
- Utilize cloud when it is mission-effective and cost-effective; cloud is not the best delivery model for everything
- The cost of cloud and the savings from cloud can span multiple budgets, so TCO is important: a cost in one budget activity can lead to tremendous savings in a different budget activity
- Business considerations and security considerations rule an IT app/service in or out as a cloud candidate: first from a business standpoint, then from a security standpoint
- Determine the best approved cloud provider for your particular needs/workloads; what is best for one agency could be very wrong for another

Thank You!