TRANSCRIPT
Jim Reavis, Executive Director Cloud Security Alliance
November 22, 2010
Developing a Baseline On Cloud Security
A Combat Support Agency
Unclassified
Purpose & Agenda
Purpose
Provide information about the current state of industry understanding and activities related to securing cloud computing, as a foundation for today’s collaboration
Agenda
1. Defining Cloud
2. Reference Model
3. Architecture
4. FedRAMP
5. Cloud Guidance
6. Relating to Tracks
What is Cloud Computing?
• Compute as a utility: third major era of computing
– Mainframe
– PC Client/Server
– Cloud computing: On demand model for allocation and consumption of computing
• Cloud enabled by
– Moore’s Law: Costs of compute & storage approaching zero
– Hyperconnectivity: Robust bandwidth from dotcom investments
– Service Oriented Architecture (SOA)
– Scale: Major providers create massive IT capabilities
Broad Private/Public View
• Ecosystem
• Definitions/Ontology/Taxonomy
• Architecture
• Compliance
• Threat research & modeling
• Domains of Concern
NIST: Defining Cloud
• Characteristics
– On demand provisioning
– Elasticity
– Multi-tenancy
– Measured service
• Delivery Models
– Infrastructure as a Service (IaaS): basic O/S & storage
– Platform as a Service (PaaS): IaaS + rapid dev
– Software as a Service (SaaS): complete application
• Deployment Modes
– Public
– Private
– Hybrid
– Community
CSA Cloud Reference Model
• From CSA Architectural WG
• 10 Layer reference model view of Cloud Computing
• Encourages cumulative view of SaaS/PaaS/IaaS delivery
S-P-I context
• IaaS (Infrastructure as a Service): You build security in
• PaaS (Platform as a Service)
• SaaS (Software as a Service): You “RFP” security in
Architectural Depictions
• From Open Security Architecture
• Actor-centric view of cloud architecture
Architectural Depictions
Service-centric architectural model from CSA
Federal Risk & Authorization Management Program (FedRAMP)
• A government-wide initiative to provide joint authorization services
– FedRAMP PMO in GSA
– Unified government-wide risk management
– Agencies would leverage FedRAMP authorizations (when applicable)
• Agencies retain their responsibility and authority to ensure use of systems that meet their security needs
• FedRAMP would provide an optional service to agencies
Federal Risk & Authorization Management Program (FedRAMP)
BEFORE (each Agency performs its own A&A of the Vendor)
• Duplicative risk management efforts
• Incompatible requirements
• Potential for inconsistent application and interpretation of Federal security requirements
AFTER (Agencies share a FedRAMP A&A of the Vendor)
• Unified Risk management and associated cost savings
• Inter-Agency vetted and compatible requirements using a shared cloud service
• Effective and consistent assessment of cloud services
FedRAMP Authorization Request Process
There are 3 ways a Cloud Service can be proposed for FedRAMP Authorization:
• Cloud Services through FCCI BPAs (Cloud BPA)
• Government Cloud Systems
• Agency Sponsorship (Primary Agency Sponsorship, Primary Agency Contract, Secondary Agency Sponsorship)
Services must be intended for use by multiple agencies.
CSA Guidance Research
• 13 Domains of concern in 3 main groupings
– Architecture
– Governance
– Operations
Architecture
– Cloud Architecture
Governing in the Cloud
– Governance and Enterprise Risk Management
– Legal and Electronic Discovery
– Compliance and Audit
– Information Lifecycle Management
– Portability and Interoperability
Operating in the Cloud
– Security, Business Continuity, and Disaster Recovery
– Data Center Operations
– Incident Response, Notification, Remediation
– Application Security
– Encryption and Key Management
– Identity and Access Management
– Virtualization
Track 1 - Cloud Security Policy and Guidance
• Consensus issues identified from industry research
– Auditing capabilities
– Rogue insiders
– 3rd party management
– Transparency
– Data governance: leakage, persistence, destruction, commingling
– Understand risk profile & align key risk indicators
– Translating legacy controls
– Lock-in
Track 2 - Cloud Security Architecture and Technology
• Consensus issues identified from industry research
– Lack of purpose-built multi-tenant technology
– Federating hybrid clouds
– Duplicating granular defense in depth
– Hardware exploits: CPU, DMA, Bus, I/O
– Hardening virtualization
– Segregation of encryption and key management
– Developing layers of abstractions, SOA principles
– Vulnerability scanning
– Software development lifecycle impact
– Threat modeling
Track 3 – Secure Cloud Operations
• Consensus issues identified from industry research
– Forensics
– Patch management
– Malware
– Logging
– Monitoring & visibility
– Account, service, traffic hijacking
– Suboptimal resource sharing & time slicing
– Compartmentalization of operational activities
Thank You!
Questions?