I.T. SERVICE MANAGEMENT, SAAS, AND THE PUBLIC CLOUD: SECURE ENOUGH FOR THE GOVERNMENT?

By Kazem Safari, Senior Manager, R&D Program Management, BMC Software

BMC INDUSTRY INSIGHTS

Like their counterparts in the private sector, organizations in the U.S. Federal Government are under intense pressure to improve IT services while cutting costs. At the same time, federal IT organizations are being pressured to move to cloud-based solutions. State and local governments are likely to follow suit. Public sector IT organizations can achieve both objectives with cloud-based IT Service Management (ITSM) solutions that operate based on a software as a service (SaaS) model.

Private sector enterprises are already taking advantage of SaaS IT service management solutions because of the greater affordability, flexibility, and speed of implementation that cloud computing offers. Many public sector entities, however, may hesitate to adopt this model until they are sure that the solutions meet the stringent security regulations and standards of the Federal Information Security Management Act (FISMA) and the emerging GSA Federal Risk and Authorization Management Program (FedRAMP).

Although this article focuses on the issues involved in deploying a SaaS ITSM solution in a U.S. Federal Government agency, the same issues can apply to most public sector IT organizations in the United States and worldwide.

The Cloud Beckons

The benefits of cloud computing are so compelling that government entities at all levels are taking a close look at cloud-based solutions. Many are implementing more secure private clouds, and some are working to establish community clouds to share infrastructure — and costs — across multiple agencies. Public cloud service delivery models — SaaS, platform as a service (PaaS), and infrastructure as a service (IaaS) — are also proliferating rapidly. Thousands of private and public sector enterprises are already benefiting from these services.

With respect to U.S. Federal Government agencies, cloud computing isn’t only a “nice to have.” It’s a mandate. In December 2010, the U.S. Chief Information Officer issued a “25 Point Implementation Plan to Reform Federal Information Technology Management.”1 A key directive in this plan is, “When evaluating options for new IT deployments, OMB will require that agencies default to cloud-based solutions whenever a secure, reliable, cost-effective cloud option exists.” State and local governments are likely to follow suit.

But are public cloud solutions secure enough for government work? Many public sector IT professionals have reservations about cloud security and privacy. They are concerned about moving critical or sensitive, confidential data to an outsourcer’s facility. This is especially true for IT service management solutions that include extremely sensitive information. The solutions can house a complete map of the IT agency’s infrastructure, including details about all components, such as where they are located and who uses them.


Concerns about moving this data to the cloud are analogous to those of parents placing their children in the hands of a daycare provider. The security and safety of the children are critical, so parents are extremely cautious as they search for the best provider.

Fortunately, SaaS providers fully understand the necessity for strong security and have locked down their data centers accordingly. Today, there are SaaS ITSM offerings that pass the security review of federal agencies and are already helping government entities tap the benefits of cloud computing.

Ensuring Secure ITSM in the Cloud

ITSM applications are mission critical because of the role IT services play in ensuring the integrity, reliability, and availability of critical business services. ITSM software gathers and maintains crucial data about the IT environment, including the following:

» What components make up the infrastructure
» Which components support the various business services IT provides
» How components and services are interrelated
» Where components are located and who the owners are
» The level of business criticality for various services

This information is vital to ITSM processes, such as service ticket and problem management, performance management, change management, and business continuity and disaster recovery. So what is at risk if a security breach occurs? In some breaches, unauthorized parties gain access to sensitive information about where critical systems are located and who owns them. In others, outsiders are able to circumvent standard business processes and/or make unauthorized changes. Through the IT service management solution, they might also find their way into other critical systems, such as human resources systems and financial systems.

So if you are going to implement a SaaS delivery model for IT service management, how do you minimize the risk of unauthorized access or a security breach? You do so by ensuring that the solution provider you choose meets today’s stringent security regulations and standards imposed by such entities as the National Institute of Standards and Technology (NIST) and FedRAMP in support of FISMA.

Assessing Your Risk Tolerance

Even NIST admits that there is no way to entirely eliminate all risks.2 Some risks can be reduced, some can be transferred, some can be eliminated, and some cannot be eliminated at all. Risk arises where a threat can act on a vulnerability: if the vulnerability is eliminated, the risk from that pairing no longer exists, even though the threat still does. Which of these outcomes is achievable depends on the type of risk.

With this in mind, government entities need to establish an effective risk management process and apply it to their investigation of a SaaS-based solution. A risk management process encompasses a thorough assessment of the risks and then balances that risk against the operational and economic costs of protective measures.

The level of risk that can be tolerated varies from one entity to another. The U.S. Department of Defense and the Department of Homeland Security, for example, deal with highly sensitive and secret information that requires maximum protection. Consequently, these entities need extremely strong controls to prevent intrusion. The Department of Education, on the other hand, may be able to tolerate more risk. So while controls need to be in place, not every agency requires the same level of security.

Part of a valid risk assessment and risk management process is a management decision about how much risk is too much, and using that decision to determine how strong security controls must be. Where risk is relatively low, having employees enter a security code on a keypad to gain access to a data center may be adequate. For some agencies, however, the damage that could occur as a result of a breach makes the cost of more aggressive protection a must. For those agencies, biometrics, such as finger and palm print readers, retina scans, and face recognition scans, may be necessary. That determination can be made only by knowledgeable personnel within each organization and qualified information security leadership.

The Federal Information Processing Standards (FIPS) 199 (http://csrc.nist.gov/publications/fips/fips199/FIPS-PUB-199-final.pdf), published by NIST, and other guidelines provide guidance to assist government entities in understanding requirements for the depth of the risk assessment. Moreover, NIST SP 800-30 (http://csrc.nist.gov/publications/nistpubs/800-30/sp800-30.pdf) lays out the steps required to conduct a thorough assessment.
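The FIPS 199 categorization that the depth of the assessment hangs on is mechanical enough to write down. The following is an added example, not code from the paper or from BMC: each information type a system handles is rated LOW, MODERATE or HIGH for confidentiality, integrity and availability; the system's rating per objective is the highest among its information types (FIPS 199 section 3.2), and the high-water mark across the three objectives (FIPS 200) selects the NIST SP 800-53 baseline. The information types, their impact levels and the function names are constructed for illustration; a real categorization comes from the agency's own FIPS 199 and SP 800-60 work.

```python
"""FIPS 199 security categorization with the FIPS 200 high-water mark.

Added example, not from the paper. The information types and impact levels
below are constructed; an agency's real ones come from its own FIPS 199 and
NIST SP 800-60 analysis.
"""
from dataclasses import dataclass
from typing import Iterable

# FIPS 199 potential impact levels, in increasing order.
LEVELS = ("LOW", "MODERATE", "HIGH")
_RANK = {lvl: i for i, lvl in enumerate(LEVELS)}


@dataclass(frozen=True)
class InfoType:
    """One information type with its impact level per security objective."""
    name: str
    confidentiality: str
    integrity: str
    availability: str

    def __post_init__(self):
        for lvl in (self.confidentiality, self.integrity, self.availability):
            if lvl not in _RANK:
                raise ValueError(f"{self.name}: unknown impact level {lvl!r}")


def _high_water(levels: Iterable[str]) -> str:
    """Highest impact level among the given ones."""
    return max(levels, key=_RANK.__getitem__)


def categorize_system(info_types):
    """Return the system's impact per objective plus the overall high-water mark.

    FIPS 199 section 3.2: for each objective (C, I, A) the system's impact is the
    highest impact of any information type it handles. FIPS 200 then uses the
    highest of the three (the high-water mark) to select the NIST SP 800-53
    baseline (low, moderate or high).
    """
    info_types = list(info_types)
    if not info_types:
        raise ValueError("a system must handle at least one information type")
    c = _high_water(t.confidentiality for t in info_types)
    i = _high_water(t.integrity for t in info_types)
    a = _high_water(t.availability for t in info_types)
    return {"C": c, "I": i, "A": a, "overall": _high_water((c, i, a))}


def format_category(cat):
    """Render in FIPS 199 notation: SC = {(confidentiality, X), ...}."""
    return ("SC = {(confidentiality, %s), (integrity, %s), (availability, %s)}"
            % (cat["C"], cat["I"], cat["A"]))


# Constructed example: information types a SaaS ITSM instance might hold.
ITSM_INFO_TYPES = [
    InfoType("service desk tickets", "LOW", "LOW", "MODERATE"),
    InfoType("CMDB: components, locations and owners", "MODERATE", "HIGH", "MODERATE"),
    InfoType("change records and approvals", "MODERATE", "HIGH", "LOW"),
]

if __name__ == "__main__":
    category = categorize_system(ITSM_INFO_TYPES)
    print(format_category(category))
    print("SP 800-53 baseline:", category["overall"])
```

The point worth noticing is that a single HIGH integrity rating on the CMDB drags the whole system to the high baseline, even though nothing in it is rated HIGH for confidentiality; that is what the high-water mark does, and it is the number a provider's FedRAMP authorization level has to meet or exceed.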

Meeting Security Compliance Criteria

FISMA requires federal agencies to develop, document, and implement programs to provide security for information systems and data that support operations and assets. NIST develops and issues standards, guidelines, and other publications to assist agencies in implementing FISMA and to help them protect their systems and data. Government entities at all levels — local, state/provincial, and national — can use these publications to understand security requirements and determine if a provider of SaaS-based IT service management solutions complies.

There are numerous publications and thousands of pages that define and explain federal regulations and standards that address information systems security. NIST Special Publication 800-53 (http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final_updated-errata_05-01-2010.pdf), for example, provides guidelines for selecting and specifying security controls for information systems supporting the executive agencies of the federal government to meet minimum security requirements for federal information systems.

These publications provide tremendous value. At the same time, the volume of material available is overwhelming. As you consider a SaaS provider for your IT service management solutions, here are the key areas on which to focus: physical infrastructure, encryption, and network, server, and application security. Carefully examine the provider’s depth and breadth in each area, and decide if the provider’s security controls measure up to the level of security that your organization requires.

PHYSICAL INFRASTRUCTURE

As in the private sector, data centers in the public sector typically have restricted access. Security can range from a cardkey lock to a security guard checking IDs at the entrance. Additional protection might include motion sensors and video surveillance. More aggressive security might include a gated complex and biometric access devices.

Use your risk assessment as a guide to quickly determine what type of precautions a third-party provider must take for the data center that will house the infrastructure for your SaaS IT service management solutions. The provider should willingly share this information with you.

ENCRYPTION

Data encryption has been used by the military and other government agencies for years to protect sensitive information. Many private sector organizations use it as well because of the sensitive nature of their data. Data in transit absolutely requires encryption. Data at rest has often been left unencrypted unless it is extremely confidential; since an ITSM database holds a map of the agency’s infrastructure, ask the provider whether it is encrypted at rest as well, where the keys are held, and who can use them.

When you discuss encryption with the provider, be sure to ask about efforts to ensure ongoing effectiveness. Look for a provider who uses regular external security audits and external penetration tests by independent firms to verify that encryption mechanisms are maintaining the desired level of protection.

NETWORK SECURITY

Secure access methods and restrictions for all network-related components are essential. Examples include an ASA 5540 firewall, internal and external zones and DMZs on the firewall, and 24-hour logging of Intrusion Detection System (IDS) and firewall logs (handled via a Managed Security Service Agent). Compare the methods used by the provider against your list of network security requirements. Also, be sure that the provider creates a logically separate network for running each of its customers’ IT service management solutions.

The network should be implemented using virtual local area networks (VLANs) as a means to ensure, for example, strong logical and technical segregation of cloud instances. A VLAN enables the network to be reconfigured based on the needs of the individual tenant groups through logical methods, instead of physically moving network hardware and connections. As a result, service providers can assign one or more discrete network address spaces to each tenant and manage them as an organizational entity. Keep in mind that a VLAN is only as strong as the switch and firewall configuration that enforces it: ask the provider to show that tenant address spaces do not overlap and that no firewall rule permits traffic from one tenant’s space into another’s.
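Those two properties, disjoint per-tenant address spaces and no cross-tenant permit rules, can be checked mechanically against a provider's address plan and a normalized export of its firewall rules. The block below is an added example, not BMC's or any vendor's code. The tenant names, VLAN subnets and firewall rules are constructed, and `audit` and the other function names are this example's own; a real run would feed in the provider's exported plan and rule set.

```python
"""Tenant isolation checks for a multi-tenant SaaS network.

Added example; not the vendor's code. The address plan and firewall rules are
constructed for illustration. Two checks: every tenant's VLAN subnets are
disjoint from every other tenant's, and no permit rule carries traffic from
one tenant's address space into another's.
"""
import ipaddress
from itertools import combinations


def parse_plan(plan):
    """{"tenant": ["10.1.0.0/24", ...]} -> {"tenant": [IPv4Network, ...]}.

    strict=True rejects a CIDR whose host bits are set (e.g. 10.1.0.5/24),
    which usually means a typo in the address plan.
    """
    return {tenant: [ipaddress.ip_network(c, strict=True) for c in cidrs]
            for tenant, cidrs in plan.items()}


def overlapping_tenants(nets):
    """List every (tenant_a, net_a, tenant_b, net_b) where two tenants' subnets overlap."""
    found = []
    for (ta, nets_a), (tb, nets_b) in combinations(nets.items(), 2):
        for na in nets_a:
            for nb in nets_b:
                if na.overlaps(nb):
                    found.append((ta, str(na), tb, str(nb)))
    return found


def tenant_of(prefix, nets):
    """Return the tenant whose address space contains `prefix`, or None.

    `prefix` may be a host (10.1.0.5) or a CIDR block. A block that is not
    inside exactly one tenant's space (0.0.0.0/0, shared management ranges,
    or an address claimed by two tenants) returns None.
    """
    target = ipaddress.ip_network(prefix, strict=False)
    owners = {t for t, tenant_nets in nets.items()
              if any(target.subnet_of(n) for n in tenant_nets)}
    return owners.pop() if len(owners) == 1 else None


def cross_tenant_rules(rules, nets):
    """IDs of permit rules whose source and destination belong to different tenants."""
    offenders = []
    for rule in rules:
        if rule["action"] != "permit":
            continue
        src = tenant_of(rule["src"], nets)
        dst = tenant_of(rule["dst"], nets)
        if src is not None and dst is not None and src != dst:
            offenders.append(rule["id"])
    return offenders


def audit(plan, rules):
    """Run both checks; two empty lists mean the plan and rules pass."""
    nets = parse_plan(plan)
    return {"overlaps": overlapping_tenants(nets),
            "cross_tenant_permits": cross_tenant_rules(rules, nets)}


# Constructed address plan: each tenant gets one or more VLAN subnets.
TENANT_PLAN = {
    "agency-a": ["10.10.0.0/24", "10.10.1.0/24"],
    "agency-b": ["10.20.0.0/24"],
    "agency-c": ["10.10.1.128/25"],   # mistake: carved out of agency-a's second VLAN
}

# Constructed firewall rules, normalized from a device config.
FIREWALL_RULES = [
    {"id": "R1", "action": "permit", "src": "10.10.0.0/24", "dst": "10.10.1.0/24"},  # within agency-a: fine
    {"id": "R2", "action": "permit", "src": "10.20.0.0/24", "dst": "10.10.0.10"},    # agency-b -> agency-a: violation
    {"id": "R3", "action": "deny",   "src": "10.20.0.0/24", "dst": "10.10.0.0/24"},  # deny rules never cross tenants
    {"id": "R4", "action": "permit", "src": "0.0.0.0/0",    "dst": "10.20.0.80"},    # Internet -> web tier: not tenant-to-tenant
]

if __name__ == "__main__":
    result = audit(TENANT_PLAN, FIREWALL_RULES)
    for ta, na, tb, nb in result["overlaps"]:
        print(f"OVERLAP: {ta} {na} vs {tb} {nb}")
    for rule_id in result["cross_tenant_permits"]:
        print(f"CROSS-TENANT PERMIT: {rule_id}")
```

The overlap check runs first for a reason: once two tenants claim the same addresses, the firewall check cannot tell whose traffic a rule permits, so `tenant_of` deliberately returns None for an ambiguous address rather than guessing.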


ABOUT THE AUTHOR

Kazem Safari, senior manager for R&D Program Management at BMC Software, has more than 25 years of experience in senior level management of successful enterprises in global executive management, IT, engineering, SaaS product development/deployment, operations, professional services, program management, business development, and sales operations. He is responsible for managing the Remedy OnDemand for Public Sector program. Prior to joining BMC, he served as managing director and one of the founders of Symfonia, as program general manager at GTSI, as executive director of Global One, and as head of Multimedia Systems. Safari is PMI PMP and ITIL Foundation 3 certified. He holds a BA in Computer Science from Southern Illinois University, Carbondale, Illinois.

BUSINESS RUNS ON I.T. I.T. RUNS ON BMC SOFTWARE

Business runs better when IT runs at its best. That’s why more than 15,000 IT organizations — from the Global 100 to the smallest businesses — in over 120 countries rely on BMC Software to manage their business services and applications across distributed, mainframe, virtual and cloud environments. With the leading Business Service Management platform, Cloud Management, and the industry’s broadest choice of IT management solutions, BMC helps customers cut costs, reduce risk and achieve business objectives. For the four fiscal quarters ended December 31, 2011, BMC revenue was approximately $2.2 billion. For more information, visit www.bmc.com.

BMC, BMC Software, and the BMC Software logo are the exclusive properties of BMC Software, Inc., are registered with the U.S. Patent and Trademark Office, and may be registered or pending registration in other countries. All other BMC trademarks, service marks, and logos may be registered or pending registration in the U.S. or in other countries. All other trademarks or registered trademarks are the property of their respective owners. ©2012 BMC Software, Inc. All rights reserved.

Additional protections that should be implemented include the following:

» All remote access should use multifactor authentication — software tokens in addition to strong passwords.
» All remote communications should be encrypted using FIPS 140-2 approved algorithms.
» Host Intrusion Prevention (HIP) agents should be deployed on all systems.
» Network vulnerability scans should be performed weekly using NIST Security Content Automation Protocol (SCAP) validated tools.
» Logs from the entire infrastructure should be aggregated and monitored using a central Security Information and Event Management (SIEM) tool.

All service packs, security patches, and firmware must be kept up to date. The provider should also block all unnecessary ports and run third­party penetration tests and security audits at least twice a year.
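Aggregating logs in a SIEM is only useful if someone writes the rules that read them. As an added example (not code from the paper or from any vendor), here are two detections that follow directly from the list above: a successful remote login that presented no second factor, and a burst of failed logins from a single source address. The log lines are constructed, in an assumed "timestamp key=value ..." format that a collector would produce after normalizing VPN and bastion-host records; the field names and function names are this example's own.

```python
"""Two SIEM-style detections over remote-access authentication logs.

Added example; not the paper's or any vendor's code. The log lines are
constructed in a simple "timestamp key=value ..." format; a real deployment
would normalize syslog, VPN and bastion records into the same fields.
Detections: (1) a successful remote login that did not present a second
factor; (2) a burst of failed logins from one source address within a window.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: a normal MFA login, a service account bypassing MFA,
# a password-guessing burst from 198.51.100.4, one stray failure that is
# followed by a legitimate login, and one malformed line.
SAMPLE_LOG = """\
2012-03-05T14:02:11Z host=bastion01 event=login user=jdoe src=203.0.113.7 result=success mfa=yes
2012-03-05T14:03:40Z host=bastion01 event=login user=svc_backup src=203.0.113.9 result=success mfa=no
2012-03-05T14:05:01Z host=vpn01 event=login user=admin src=198.51.100.4 result=failure
2012-03-05T14:05:09Z host=vpn01 event=login user=admin src=198.51.100.4 result=failure
2012-03-05T14:05:17Z host=vpn01 event=login user=root src=198.51.100.4 result=failure
2012-03-05T14:05:26Z host=vpn01 event=login user=administrator src=198.51.100.4 result=failure
2012-03-05T14:05:35Z host=vpn01 event=login user=jdoe src=198.51.100.4 result=failure
2012-03-05T14:06:02Z host=vpn01 event=login user=jdoe src=198.51.100.4 result=failure
2012-03-05T14:20:00Z host=vpn01 event=login user=asmith src=192.0.2.33 result=failure
2012-03-05T14:21:30Z host=vpn01 event=login user=asmith src=192.0.2.33 result=success mfa=yes
this line is not a log record
"""


def parse_line(line):
    """Return a dict of fields with a datetime under "ts", or None if malformed."""
    parts = line.split()
    if not parts:
        return None
    try:
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
    except ValueError:
        return None
    rec = {"ts": ts}
    for token in parts[1:]:
        if "=" in token:
            key, value = token.split("=", 1)
            rec[key] = value
    return rec


def parse_log(text):
    """Parse all lines; return (records, number_of_unparsed_lines)."""
    records, bad = [], 0
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            bad += 1          # count, never silently drop: a parser gap is itself a finding
        else:
            records.append(rec)
    return records, bad


def logins_without_mfa(records):
    """Successful logins where the second factor was absent or not recorded."""
    return [(r["ts"], r.get("user", "?"), r.get("src", "?"), r.get("host", "?"))
            for r in records
            if r.get("event") == "login" and r.get("result") == "success"
            and r.get("mfa") != "yes"]


def failed_login_bursts(records, threshold=5, window=timedelta(minutes=5)):
    """Sources with >= threshold failures inside any sliding window of `window`."""
    by_src = defaultdict(list)
    for r in records:
        if r.get("event") == "login" and r.get("result") == "failure":
            by_src[r.get("src", "?")].append(r["ts"])
    alerts = []
    for src, times in by_src.items():
        times.sort()
        start, peak = 0, 0
        for end in range(len(times)):
            # Advance the window start until [start, end] fits inside `window`.
            while times[end] - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            alerts.append({"src": src, "count": peak,
                           "first": times[0], "last": times[-1]})
    return alerts


def analyse(text):
    """Run both detections over raw log text."""
    records, unparsed = parse_log(text)
    return {"no_mfa": logins_without_mfa(records),
            "bursts": failed_login_bursts(records),
            "unparsed": unparsed}


if __name__ == "__main__":
    result = analyse(SAMPLE_LOG)
    for ts, user, src, host in result["no_mfa"]:
        print(f"{ts} NO-MFA login user={user} src={src} host={host}")
    for a in result["bursts"]:
        print(f"{a['first']} BRUTE-FORCE src={a['src']} failures={a['count']} until {a['last']}")
    print(f"{result['unparsed']} unparsed line(s)")
```

Note that the MFA rule treats a missing `mfa` field the same as `mfa=no`: if the VPN or bastion does not record the factor, the SIEM cannot prove the policy was followed, and that gap should be raised with the provider rather than assumed away.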

SERVER SECURITY

The provider’s servers should be hardened at the operating system, application, and database levels. All servers should also include strong logical access controls to prevent unauthorized access. Additionally, they should be running up­to­date antivirus solutions with real­time scanning for all I/O operations to prevent the entry of viruses and other malware.

APPLICATION SECURITY

Look for ITSM application security at three levels: Web, database, and the underlying workflow engine (e.g., mid-tier). To protect applications, the provider should ensure the following:

» All Web access is secure and managed with third-party security certificates.
» Direct-write access to the database is prohibited, and read-only direct access is available only under certain highly restricted and managed circumstances.
» Administrative access is available only to preselected, pre-approved, and background-checked users.
» The IT service management solutions require robust, role-based access control to the applications and underlying data.

Application change management is a best practice that all SaaS vendors should be willing to discuss. This includes having formal change processes, change calendars, Change Authorization Board (CAB) processes, change log generation, change validation, roll­back procedures, and so on. All services should be able to provide a history of who changed what and when the changes were made.
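The three application-layer requirements above (no direct database writes, role-based access control, and a history of who changed what and when) fit together in one small design. The following is an added example and not the product's or BMC's code: the CMDB store is reachable only through an application object that checks the caller's role, and every accepted write is appended to a hash-chained log so that a later edit to the log itself is detectable. Roles, permissions, users and configuration-item records are constructed; `ChangeLog`, `Cmdb` and the permission names are this example's own.

```python
"""Role-based access control in front of the CMDB, plus a tamper-evident change history.

Added example; not the vendor's code. Roles, permissions, users and CI records
are constructed. The only write path is Cmdb.update(), which enforces the role
mapping; every accepted change lands in an append-only, hash-chained log.
"""
import hashlib
import json
from datetime import datetime, timezone

# Constructed role -> permission mapping. No role carries raw database write access.
ROLE_PERMISSIONS = {
    "service-desk":   {"ticket:create", "ticket:update", "cmdb:read"},
    "change-manager": {"ticket:update", "cmdb:read", "cmdb:update"},
    "cmdb-admin":     {"cmdb:read", "cmdb:update", "cmdb:delete"},
    "auditor":        {"cmdb:read", "ticket:read", "audit:read"},
}

GENESIS = "0" * 64  # "previous hash" of the very first entry


class PermissionDenied(Exception):
    pass


class ChangeLog:
    """Append-only who/what/when record; each entry hashes its content and the previous hash."""

    def __init__(self):
        self.entries = []

    @staticmethod
    def _digest(entry):
        body = {k: v for k, v in entry.items() if k != "hash"}
        canonical = json.dumps(body, sort_keys=True, separators=(",", ":"))
        return hashlib.sha256(canonical.encode()).hexdigest()

    def append(self, actor, action, target, before, after, ts=None):
        ts = ts or datetime.now(timezone.utc)
        entry = {
            "seq": len(self.entries),
            "ts": ts.isoformat(),
            "actor": actor, "action": action, "target": target,
            "before": before, "after": after,
            "prev": self.entries[-1]["hash"] if self.entries else GENESIS,
        }
        entry["hash"] = self._digest(entry)
        self.entries.append(entry)
        return entry["hash"]

    def verify(self):
        """True only if every entry's hash, sequence number and back-link are intact."""
        prev = GENESIS
        for seq, e in enumerate(self.entries):
            if e["seq"] != seq or e["prev"] != prev or self._digest(e) != e["hash"]:
                return False
            prev = e["hash"]
        return True

    def history(self, target):
        """(when, who, what) for one configuration item, oldest first."""
        return [(e["ts"], e["actor"], e["action"]) for e in self.entries if e["target"] == target]


class Cmdb:
    """Application layer that owns the CI store; all reads and writes go through here."""

    def __init__(self, log):
        self._items = {}
        self._log = log

    @staticmethod
    def _require(user, permission):
        if permission not in ROLE_PERMISSIONS.get(user["role"], set()):
            raise PermissionDenied(f"{user['name']} ({user['role']}) lacks {permission}")

    def read(self, user, ci_id):
        self._require(user, "cmdb:read")
        return dict(self._items.get(ci_id, {}))

    def update(self, user, ci_id, **fields):
        self._require(user, "cmdb:update")
        before = dict(self._items.get(ci_id, {}))
        after = {**before, **fields}
        self._items[ci_id] = after
        self._log.append(user["name"], "cmdb:update", ci_id, before, dict(after))
        return dict(after)


if __name__ == "__main__":
    log, cmdb = ChangeLog(), None
    cmdb = Cmdb(log)
    alice = {"name": "alice", "role": "change-manager"}
    bob = {"name": "bob", "role": "service-desk"}
    cmdb.update(alice, "srv-0042", owner="finance", location="DC-East")
    try:
        cmdb.update(bob, "srv-0042", owner="bob")
    except PermissionDenied as exc:
        print("denied:", exc)
    print("history:", log.history("srv-0042"), "chain ok:", log.verify())
    log.entries[0]["after"]["owner"] = "mallory"   # simulate a direct edit to the log store
    print("chain ok after tamper:", log.verify())
```

The hash chain does not stop someone with write access to the log store from rewriting history; it makes the rewrite visible to anyone who runs `verify()`. To make it hard to rewrite as well, the provider would ship the entries (or periodic chain heads) to a store the application tier cannot modify, which is exactly the kind of control to ask about when discussing change validation and roll-back.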

Conclusion

The greater affordability, flexibility, and speed of implementation that cloud computing offers are major factors in the growing emphasis on cloud computing at all levels of government. Public sector IT professionals, however, may hesitate to adopt cloud-based IT service management solutions until they are sure they meet stringent security regulations and standards.

While caution is wise, the reality is that IT service management is one area in which secure, reliable, and cost-effective public cloud options are available. Choosing IT service management solutions running on a SaaS model is wise as long as you ensure that the provider understands the security standards and can support the level of security your environment requires.

For more information, visit www.bmc.com/products/product-listing/remedy-on-demand-for-public-sector.html.

END NOTES

1 Vivek Kundra, U.S. Chief Information Officer, “25 Point Implementation Plan to Reform Federal Information Technology Management,” December 9, 2010, www.cio.gov/documents/25-point-implementation-plan-to-reform-federal%20it.pdf.

2 Information Security Handbook: A Guide for Managers, NIST Special Publication 800-100, NIST Computer Security Division, Information Technology Laboratory, page 84, http://csrc.nist.gov/publications/nist-pubs/800-100/SP800-100-Mar07-2007.pdf.