Purpose. Service Model SaaS (Applications) PaaS (APIs) IaaS (Virtualization) Use Case 1: Public Use Case 2: Use Case 3: Public.



Similar documents
Security Issues in Cloud Computing

Cloud Security for Federal Agencies

Security Considerations for the Cloud

Securing The Cloud. Foundational Best Practices For Securing Cloud Computing. Scott Clark. Insert presenter logo here on slide master

John Essner, CISO Office of Information Technology State of New Jersey

SECURITY MODELS FOR CLOUD Kurtis E. Minder, CISSP

Identity, Credential, and Access Management. Open Solutions for Open Government

ISSUE BRIEF. Cloud Security for Federal Agencies. Achieving greater efficiency and better security through federally certified cloud services

Overview of the HIPAA Security Rule

HIPAA CRITICAL AREAS TECHNICAL SECURITY FOCUS FOR CLOUD DEPLOYMENT

Strategic Compliance & Securing the Cloud. Annalea Sharack-Ilg, CISSP, AMBCI Technical Director of Information Security

STORAGE SECURITY TUTORIAL With a focus on Cloud Storage. Gordon Arnold, IBM

Seeing Though the Clouds

CLOUD STORAGE SECURITY INTRODUCTION. Gordon Arnold, IBM

CYBER AND IT SECURITY: CLOUD SECURITY FINAL SESSION. Architecture Framework Advisory Committee November 4, 2014

Assessing Risks in the Cloud

IBM Cloud Security Draft for Discussion September 12, IBM Corporation

Cloud Security. Peter Jopling IBM UK Ltd Software Group Hursley Labs. peterjopling IBM Corporation

Clouds on the Horizon Cloud Security in Today s DoD Environment. Bill Musson Security Analyst

Information Security Program Management Standard

Cloudy with Showers of Business Opportunities and a Good Chance of. Security. Transforming the government IT landscape through cloud technology

When Security, Privacy and Forensics Meet in the Cloud

Overview of Cloud Computing and Cloud Computing s Use in Government Justin Heyman CGCIO, Information Technology Specialist, Township of Franklin

Written Testimony. Mark Kneidinger. Director, Federal Network Resilience. Office of Cybersecurity and Communications

VENDOR RISK MANAGEMENT UPDATE- ARE YOU AT RISK? Larry L. Llirán, CISA, CISM December 10, 2015 ISACA Puerto Rico Symposium

A Strawman Model. NIST Cloud Computing Reference Architecture and Taxonomy Working Group. January 3, 2011

Cloud Computing Security Issues

Information Security Program CHARTER

Cloud Computing and Security Risk Analysis Qing Liu Technology Architect STREAM Technology Lab

ARRA HITECH Stimulus HIPAA Security Compliance Reporter. White Paper

Big Data, Big Risk, Big Rewards. Hussein Syed

IT Cloud / Data Security Vendor Risk Management Associated with Data Security. September 9, 2014

Cloud Security Introduction and Overview

Cloud Computing Best Practices. Creating Effective Cloud Computing Contracts for the Federal Government: Best Practices for Acquiring IT as a Service

Key Considerations of Regulatory Compliance in the Public Cloud

Cloud Security and Managing Use Risks

Cloud-Security: Show-Stopper or Enabling Technology?

Cloud Security. DLT Solutions LLC June #DLTCloud

Addressing Cloud Computing Security Considerations

Creating Effective Cloud Computing Contracts for the Federal Government

Managing Cloud Computing Risk

A COALFIRE PERSPECTIVE. Moving to the Cloud. NCHELP Spring Convention Panel May 2012

Perspectives on Cloud Computing and Standards. Peter Mell, Tim Grance NIST, Information Technology Laboratory

Visions of Clouds and Cloud Security. Rob Randell, CISSP Senior Security and Compliance Specialist VMware, Inc.

Recommendations for the PIA. Process for Enterprise Services Bus. Development

How to Use the Federal Risk and Authorization Management Program (FedRAMP) for Cloud Computing

THE BLUENOSE SECURITY FRAMEWORK

Information Security for Managers

DEVELOPING A CYBERSECURITY POLICY ARCHITECTURE

Spillage and Cloud Computing

December 8, Security Authorization of Information Systems in Cloud Computing Environments

Cloud Security Strategies. Fabio Gianotti, Head of Cyber Security and Enterprise Security Systems

Customer-Facing Information Security Policy

UIIPA - Security Risk Management. June 2015

ITL BULLETIN FOR JUNE 2012 CLOUD COMPUTING: A REVIEW OF FEATURES, BENEFITS, AND RISKS, AND RECOMMENDATIONS FOR SECURE, EFFICIENT IMPLEMENTATIONS

JOINT EXPLANATORY STATEMENT TO ACCOMPANY THE CYBERSECURITY ACT OF 2015

Contact: Henry Torres, (870)

FISH AND WILDLIFE SERVICE INFORMATION RESOURCES MANAGEMENT. Chapter 7 Information Technology (IT) Security Program 270 FW 7 TABLE OF CONTENTS

Cyber Resilience Implementing the Right Strategy. Grant Brown Security specialist,

Microsoft s Compliance Framework for Online Services

NARA s Information Security Program. OIG Audit Report No October 27, 2014

Fundamental Concepts and Models

Are You Prepared for the Cloud? Nick Kael Principal Security Strategist Symantec

Best Practices at Research Level

Identity, Credential, and Access Management. An information exchange For Information Security and Privacy Advisory Board

Securing the Microsoft Cloud

IAPP Global Privacy Summit Protecting Privacy Under the Cybersecurity Microscope

Cloud Courses Description

Securing The Cloud With Confidence. Opinion Piece

Privacy Impact Assessment (PIA) Consular Affairs Enterprise Service Bus (CAESB) Last Updated: May 1, 2015

FIVE KEY CONSIDERATIONS FOR ENABLING PRIVACY IN HEALTH INFORMATION EXCHANGES

Logging In: Auditing Cybersecurity in an Unsecure World

Securing and Auditing Cloud Computing. Jason Alexander Chief Information Security Officer

Information Technology: This Year s Hot Issue - Cloud Computing

IT Security Risk Management Model for Cloud Computing: A Need for a New Escalation Approach.

Virginia Government Finance Officers Association Spring Conference May 28, Cloud Security 101

Adopting Cloud Computing with a RISK Mitigation Strategy

Cybersecurity for Nonprofits: How to Protect Your Organization's Data While Still Fulfilling Your Mission. June 25, 2015

Transcription:

Federal CIO Council Information Security and Identity Management Committee (ISIMC) Guidelines for the Secure Use of Cloud Computing by Federal Departments and Agencies DRAFT V0.41 Earl Crane, CISSP, CISM Director, Cybersecurity Strategy Office of the Chief Information Officer Department of Homeland Security ISIMC Cloud Security Working Group Chair DRAFT V0.41 1

Purpose Guidelines provide a risk-based cloud security decision framework Assists program managers to select cloud deployment and service models Cloud Deployment and Service Models have varying security characteristics Security Capabilities differ based on characteristics Fully supports and coordinates with NIST cloud definition, FedRAMP, and other USG efforts Deployment Model Public Private (Government Dedicated) Service Model SaaS (Applications) PaaS (APIs) IaaS (Virtualization) Use Case 1: Public Use Case 2: Use Case 3: Public SaaS Public PaaS IaaS Use Case 4: Private Use Case 5: Use Case 6: Private SaaS Private PaaS IaaS DRAFT V0.41 2

FedRAMP/NIST/ISIMC Coordination (E)xplicity or (I)mplicitly addressed DRAFT V0.41 3

Threat DRAFT V0.41 4

Sixteen Cloud Security Domains 1. Architectural Framework for Government Cloud Computing 2. Encryption, Key Management, and Media Protection 3. Identification, Authentication, and Access Control Management 4. Virtualization and Resource Abstraction 5. Portability and Interoperability 6. Application Security 7. Security Risk Assessment, Authorization, and Management 8. Privacy, Electronic Discovery, and other Legal Issues 9. Contingency Planning 10. Data Center Operations, Maintenance, Configuration, Physical, and Personnel Security 11. Incident Response 12. Compliance, Audit, and Accountability 13. Cloud Lifecycle Management 14. Awareness and Training 15. System and Communication Protection 16. System and Information Integrity DRAFT V0.41 5

1. Different cloud architectures (SaaS/PaaS/IaaS) have different levels of security visibility and responsibility 2. Data Element Encryption for confidentiality and separation 3. Key management in coordination with Identity, Credentialing, and Access Management (ICAM) 4. Strong authentication, including the use of PIV and PIV-Interoperable 5. Virtualization and resource abstraction. Challenges are specific to the deployed technology, architecture, and Service Models. 6. Cloud portability and interoperability standards. 7. Application security controls including code reviews, vulnerability assessments and independent validation. 8. Utilize the FedRAMP process for risk assessment and authorization for shared resources such as cloud computing. 9. Control data and access for privacy compliance, audit and redress requirements, and breach notification issues. 10. Contingency Planning still required to meet agency requirements 11. Shared capability complicates ownership and governance 12. Government system boundary definitions, compartmentalization, and inventory identification 13. Some government-specific security requirements may not be met today in certain public cloud environments 14. Incident response and computer forensics in a cloud environment require fundamentally different tools, techniques, and training. 15. Accountability can never be outsourced from the Authorizing Official (AO). 16. New opportunities exist for real-time audit capabilities, but requires new continuous monitoring and audit technologies. 17. The System Development Life Cycle (SDLC) in a cloud requires ownership of information throughout the lifecycle. 18. Awareness and Training focusing on risks of information disclosure and data protection. 19. Cloud compartmentalization, isolation, and system boundaries. Use of security services like Trusted Internet Connections (TIC) and DNSSEC. 20. Integrity controls vary by Service Models DRAFT V0.41 6

Earl.Crane@DHS.gov DRAFT V0.41 7

#1. Different cloud architectures (SaaS/PaaS/IaaS) have different levels of security visibility and responsibility (Domain 1: Architectural Framework for Government Cloud Computing) IaaS Stack PaaS Stack SaaS Stack DRAFT V0.41 8

#2. Data Element Encryption for confidentiality and separation #3. Key management in coordination with Identity, Credentialing, and Access Management (ICAM) (Domain 2: Encryption, Key Management, and Media Protection) DRAFT V0.41 9

#4. Strong authentication, including the use of PIV and PIV- Interoperable (Domain 3: Identification, Authentication, and Access Control Management) Assurance Level Impact Profiles Potential Impact Categories for Authentication Errors 1 2 3 4 Inconvenience, distress or damage to standing or reputation Low Mod Mod High Financial loss or agency liability Low Mod Mod High Harm to agency programs or public interests N/A Low Mod High Unauthorized release of sensitive information N/A Low Mod High Personal Safety N/A N/A Low Mod High Civil or criminal violations N/A Low Mod High DRAFT V0.41 10

#5. Virtualization and resource abstraction. Challenges are specific to the deployed technology, architecture, and Service Models. (Domain 4: Virtualization and Resource Abstraction) #6. Cloud portability and interoperability standards. (Domain 5: Portability and Interoperability) #7. Application security controls including code reviews, vulnerability assessments and independent validation. (Domain 6: Application Security) DRAFT V0.41 11

#8. Utilize the FedRAMP process for risk assessment and authorization for shared resources such as cloud computing. (Domain 7: Security Risk Assessment, Authorization, and Management) #9. Control data and access for privacy compliance, audit and redress requirements, and breach notification issues. Review: Terms Of Service (TOS) Cloud provider privacy policies Privacy Impact Assessments (PIA) Fair Information Practice Principles (FIPPs) (Domain 8: Privacy, Electronic Discovery, and other Legal Issues) DRAFT V0.41 12

#10. Contingency Planning still required to meet agency requirements #11. Shared capability complicates ownership and governance (Domain 9: Contingency Planning) #12. Government system boundary definitions, compartmentalization, and inventory identification #13. Some government-specific security requirements may not be met today in certain public cloud environments, including: Least-functionality Personnel security with background and nationality restrictions Software development and change management (Domain 10: Data Center Operations, Maintenance, Configuration, Physical, and Personnel Security) DRAFT V0.41 13

#14. Incident response and computer forensics in a cloud environment require fundamentally different tools, techniques, and training. Response plan must address: Privacy breaches and data leakage Classified spills Impact to the cloud and shared cloud customers (Domain 11: Incident Response) DRAFT V0.41 14

#15. Accountability can never be outsourced from the Authorizing Official (AO). Requires: Visibility to perform audits Implementation robust evaluation criteria Evaluate cloud security controls #16. New opportunities exist for real-time audit capabilities, but requires new continuous monitoring and audit technologies. (Domain 12: Compliance, Audit, and Accountability) DRAFT V0.41 15

#17. The System Development Life Cycle (SDLC) in a cloud requires ownership of information throughout the lifecycle. (Domain 13: Cloud Lifecycle Management) System Lifecycle Management Phases Cloud SDLC and Information Lifecycle Management Phases DRAFT V0.41 16

#18. Awareness and Training focusing on risks of information disclosure and data protection. (Domain 14: Awareness and Training) #19. Cloud compartmentalization, isolation, and system boundaries. Use of security services like Trusted Internet Connections (TIC) and DNSSEC. (Domain 15: System and Communication Protection) #20. Integrity controls vary by Service Models: SaaS environments focus on application integrity and input validation PaaS environments focus on API validation IaaS environments focus on file system and data base integrity (Domain 16: System and Information Integrity) DRAFT V0.41 17

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information