DoD Cloud Computing Security Requirements Guide (SRG) Overview




General SRG Information
- Released 12 January 2015, Version 1, Release 1
- Provides comprehensive security guidance for DoD components (missions) acquiring cloud services
- Provides comprehensive guidance for CSPs on the security requirements they must meet if they choose to deliver cloud services to DoD
- Developed by DISA for DoD
- Processes are very FedRAMP-like
- Impact Levels are now only 2, 4, 5 and 6, collapsed from the prior Cloud Security Model's six levels (1 through 6)
- http://iase.disa.mil/cloud_security/Documents/ucloud_computing_srg_v1r1_final.pdf

General SRG Overview
- The SRG release details mission data risk by data Impact Level, covering Levels 2 through 5
- Subsequent quarterly releases will include changes to the security control analysis; legal considerations for hosting DoD workloads are not addressed in the current version
- Introduces the requirement for DoD Provisional Authorizations (PAs) and the use of a Cloud Access Point (CAP) at Levels 4 and 5, to mitigate the risk to DoD networks that comes from allowing CSPs to interconnect with them
- Introduces the term FedRAMP Plus (FedRAMP+): shared controls require both the Cloud Service Offering (CSO) and the Mission Owner to address security, and Computer Network Defense (CND) responsibilities must be clearly defined
- The Mission defines cloud availability and resiliency (DR) under its SLA with the CSP
- DoD uses the NIST SP 800-145 definition of cloud computing to determine whether an offering is cloud

SRG Counting Controls

SRG Path to P-ATO
- FedRAMP is the minimum security baseline for all DoD cloud services
- Three paths to a DoD PA:
  - From a FedRAMP JAB P-ATO to a DoD PA
  - From a FedRAMP Agency ATO to a DoD PA
  - DoD-sponsored CSP (needs a 3PAO or a DoD assessor)
- FedRAMP Moderate CSPs = IL 2
- FedRAMP Moderate CSPs plus additional DoD controls/control enhancements (C/CEs) can reach IL 4 and above
- PII/PHI adds C/CE overlays from NIST SP 800-53 Rev. 4 (mission directed)
- CONUS only for IL 4, 5 and 6 (the same applies to IL 2, but exceptions could be granted)

SRG Observations
- The APIs of a cloud can create a risk of unauthorized access to NIPRNet
- Tenancy matters: e-discovery and law enforcement seizure issues
- Proper physical/logical isolation is key to a PA
- Shared infrastructure = a cloud serving Federal and DoD tenants as well as non-Federal / non-DoD tenants
- Private cloud = dedicated infrastructure serving one group or class of customer
- ITAR clouds do not necessarily meet the standards for dedicated clouds

SRG Where and Who (IL 2, 4 and 5)
- IL 2 = shared or dedicated infrastructure (on or off premises OK)
- IL 4 = shared or dedicated infrastructure with strong evidence of virtual separation controls and monitoring, and the ability to meet search and seizure requests for DoD data (on or off premises OK)
- IL 5 = dedicated infrastructure only (on or off premises OK)
  - Only DoD Private, DoD Community or Federal Government Community clouds can be used
  - Each deployment can support multiple missions/tenants from each customer organization
  - Virtual/physical separation between DoD and Federal tenants/missions is permitted
  - Virtual/physical separation between DoD tenants/missions is permitted (at a minimum)
  - Physical separation from non-DoD/non-Federal tenants is required

SRG Where and Who (IL 6)
- IL 6 = dedicated infrastructure approved for classified information
  - On or off premises OK, provided the NISPOM is met
  - Requires cleared personnel (the CSP must hold an FCL at the appropriate level)
  - Each deployment may support multiple SECRET missions
  - Virtual/physical separation between DoD and Federal tenants/missions at the SECRET level is permitted
  - Virtual/physical separation between DoD tenants/missions is permitted (at a minimum)
  - Physical separation from non-DoD/non-Federal tenants is required

SRG Observations: Continuous Monitoring and PKI
- Continuous monitoring differs among CSPs depending on whether an Agency or a JAB ATO is leveraged:
  - FedRAMP JAB: JAB Technical Representatives (TRs) to the FedRAMP PMO to the DISA AO to the Mission Owner
  - FedRAMP Agency: 3PAO to the DISA AO to the Mission Owner
  - DoD self-assessed PA: varies, but generally the DISA AO to the Mission Owner
- Change control / significant changes: same flow as above
- PKI now matters: the CAC and alternate tokens (IdenTrust (GSA), etc.) must be used at IL 4/5; NSS PKI (CNSS) at IL 6
- The cloud provisioning portal or MFA must be PK-enabled for IaaS/PaaS/SaaS at IL 4 and 5, and NSS PKI-enabled at IL 6

SRG Shared Responsibilities
- IaaS: the CSP is responsible for running the data center, which includes the network, servers, disks, etc. The Mission Owner manages and maintains the cloud stack and must carry out many of the tasks itself, i.e. patching, locking down ports, removing unnecessary commands from servers and encrypting data. Some of this can be negotiated back to the CSP under the SOW.
- PaaS: the CSP is responsible for the infrastructure layer and the application stack layer. The Mission Owner needs to understand the underpinnings of how the PaaS provider's platform works in order to build software on top of it.
- SaaS: the CSP is responsible for all the controls within the cloud stack, from the application layer down.