The Cloud Seen from the U.S.A.



The Cloud Seen from the U.S.A. Stephen R. Bell, Counselor to the U.S. Coordinator, International Communications and Information Policy, U.S. Department of State

OUTLINE
- Commercial drivers of Cloud services: economic and technical
- U.S. Government drivers of Cloud services: economic and technical
- Government consumers face many of the same issues as commercial consumers: security, standards, procurement issues
- U.S. Government has undertaken a systematic public examination of the issues and has begun to formulate responses

Commercial Drivers
- Cost savings: a complex issue, and not many good studies
- Market demand growth ($40 billion in 2010 to $241 billion in 2020) may be a reasonable proxy
- Improved efficiencies: shift from capital expenditures to operating expenditures; improve utilization; improve management oversight; improve lead times; access innovation
- No good studies of the value of these efficiencies

Cost Savings: Government Drivers
- Federal government spends $80 billion on IT annually; $20 billion could be shifted to Cloud services
- Early adopters' savings have been identified: GSA email migration $15 million, Dept. of Ag. email migration $27 million, Air Force Personnel Services Delivery $4 million annually
- By FY 2013, estimated savings of $100 million annually from email alone

Improved Efficiencies
- Same list as commercial consumers, with some specificity about results:
- Air Force Personnel services delivery improved customer search times from 20 minutes to less than 2 minutes
- Dept. of Ag. email consolidated 21 fragmented email systems
- GSA email system eliminated redundant email infrastructure at 17 locations
- HHS electronic health records reduced time to go live from 1+ years to 3 months
- Private Cloud solutions are being implemented by the USG
- From 1998 to 2010, the Federal government went from 432 data centers to 2094; IBM went from 235 to 12
- By the end of 2012, 429 data centers will be closed

Business and Contracting Models Must Be Changed in the Public Cloud Environment*
- Select appropriate provider
- TOS and other agreements (NDAs, choice of law)
- SLAs
- CSP and integrator roles
- Appropriate standards
- Security
- Privacy
- E-Discovery, FOIA, E-records

SLAs
- Definition of acceptable service: uptime definitions vary
- Availability is another complicated concept that should be clearly understood and specified
- Performance, including response time, mitigation time and availability, should be defined
- Customer should be promptly advised of a failure by the CSP to meet performance metrics
- Enforcement mechanisms should be credible and provide clear incentives to the CSP to meet requirements
- All the relationships in the transaction (e.g., CSP, customer, and integrator) should be clearly defined and responsibilities clearly identified

Standards
- Use of international, voluntary consensus standards is mandated by Cloud First
- Conceptual models, reference architectures, and standards to facilitate communications, data exchange and security are under development; some of these are already in place
- NIST Spec. Pub 500-291 lists relevant standards for security, interoperability and portability
- Reference architectures enable the consumer to understand the role of all the actors and reach a successful implementation

Robust Security Analysis
- FISMA, implemented through FedRAMP, seeks to implement government-wide security assessment and authorization
- Conduct analysis and categorize security requirements
- Require CSPs to implement a continuous monitoring system
- Require CSPs to implement an effective incident reporting mechanism and accept liability for data breach incidents in their environments
- Work with CSPs to implement a key escrow procedure that will meet Agency needs
- Limit changes to the CSP environment to pre-agreed terms and conditions
- Employ two-factor authentication
- June 6, 2012: FedRAMP announced a government-wide security authorization process

Privacy: Another Intense Concern
- Five key factors for agencies to consider in selecting a CSP relate to privacy:
- Compliance with the Privacy Act of 1974
- Privacy Impact Assessments (PIA) are required when new processing technologies are adopted
- Policy training for CSPs related to agencies' special requirements
- Data breach response provisions should include clear duties with respect to reporting, mitigation, and costs associated with notice and credit monitoring, and should address termination of service and retrieval of data
- Data location considerations involve an analysis of the sensitivities of the data, an understanding of where the data will be stored, and consultation with legal counsel on the laws of that country
- The contract should cover the requirements for data in motion, incorporate security controls and define procedures that the CSP must follow if requested to provide data

E-Discovery
- Not surprisingly, USG has substantial and robust guidance with respect to records management and discovery:
- Information management: who owns the records
- Locating relevant documents to respond to discovery
- Preservation of data, including metadata
- Cost savings in responding to FOIA requests
- This guidance applies only to the procurement of CSP services by the Federal Government, but it may be useful to other policy makers addressing the same issues, and the relevant documents might provide a useful part of a checklist for other consumers