
Assessment and Authorization for Cloud Computing

Dr. Sarbari Gupta
[email protected]
703-437-9451 ext 12

Third Workshop on Cyber Security & Global Affairs
May 31 – June 2, 2011

Page 2

Overview

- US Mandates and Programs affecting Cloud Computing
- Government-wide Risk and Authorization of Cloud Computing
- Challenges faced with Cloud Computing Assessment and Authorization

Page 3

US Mandates and Programs

- FISMA – Federal Information Security Management Act of 2002
  - Defines a compliance framework for securing government systems
  - NIST responsible for standards & guidelines

- FedRAMP – Federal Risk Management and Authorization Program
  - Designed to solve the security authorization problems highlighted by cloud computing
  - “authorize once, use many”

Page 4

Challenges with FISMA

- Measures security planning and not information security
- Interpretation of FISMA requirements and NIST guidelines varies greatly
- Same system is not compatible across agencies
- Continuous monitoring inadequate

Page 5

GSA IaaS Cloud Computing Environment

- Cloud Storage Services
  - Storage for files, data and data objects
  - Well-defined storage & bandwidth tiers

- Virtual Machines
  - CPU (RAM, disk space, data transfer bandwidth)
  - Operating system
  - Persistence

- Cloud Web Hosting
  - CPU, OS, software

Page 6

GSA IaaS – Separation of Duties

Page 7

FISMA / FedRAMP Details

Page 8

FISMA / FedRAMP Details

Page 9

Control Tailoring Workbook

Columns of the workbook:
  CNTL No. | Control Name | Organization Defined Settings (for controls where 800-53R3 requires an organizational defined setting) | GSA Defined Settings (for controls where 800-53R3 requires an organizational defined setting) | Contractor Implemented Settings (enter contractor implemented settings where the setting is different from the GSA Defined Setting in column D and where the GSA Defined Setting allows a contractor determined setting; fill this column out if the system setting is different than the GSA defined setting in the previous column)

AC-1 Access Control Policy and Procedures
  Organization Defined Setting: Control AC-1: [Assignment: organization-defined frequency]
  GSA Defined Setting:          Control AC-1: Biennial

AC-2 Account Management
  Organization Defined Setting: Control AC-2j: [Assignment: organization-defined frequency]
    Enhancements: (2): [Assignment: organization-defined time period for each type of account]
                  (3): [Assignment: organization-defined time period]
  GSA Defined Setting:          Control AC-2j: Annually
    Enhancements: (2): No more than 90 days
                  (3): 90 days for user level accounts; as per contractor system determination for non-user level accounts (device, token, smart cards, etc.)

AC-3 Access Enforcement
AC-4 Information Flow
AC-5 Separation of Duties

AC-6 Least Privilege
  Organization Defined Setting:
    Enhancements: (1): [Assignment: organization-defined list of security functions (deployed in hardware, software, and firmware) and security-relevant information]
                  (2): [Assignment: organization-defined list of security functions or security-relevant information]
  GSA Defined Setting:
    Enhancements: (1): As per contractor system determination
                  (2): All Security Functions (Examples of security functions include but are not limited to: establishing system accounts, configuring access authorizations (i.e.,
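The AC-2 row above turns the organization-defined parameters of 800-53R3 into concrete values: an annual account review (AC-2j), removal of temporary and emergency accounts within 90 days (AC-2(2)), and a 90-day inactivity limit for user-level accounts (AC-2(3)). The Python script below is added here as an illustration; it is not part of the presentation or of GSA's workbook. It checks a constructed account inventory against those tailored values. The account names and dates are made up, and the 180-day inactivity period for non-user accounts is an assumed placeholder, because the workbook leaves that period to contractor system determination.

```python
"""Evaluate an account inventory against the AC-2 parameters tailored in the
Control Tailoring Workbook. Sample data is constructed for the example; the
non-user inactivity period is an assumed placeholder."""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

# Values taken from the "GSA Defined Settings" column of the workbook.
REVIEW_FREQUENCY_DAYS = 365        # AC-2j: accounts reviewed "Annually"
TEMP_ACCOUNT_MAX_AGE_DAYS = 90     # AC-2(2): temporary/emergency accounts, "No more than 90 days"
USER_INACTIVITY_MAX_DAYS = 90      # AC-2(3): "90 Days for User Level Accounts"
# AC-2(3) for non-user accounts (device, token, smart card, service) is
# "as per contractor system determination" in the workbook; 180 is an
# assumed placeholder for this example, not a value from the slide.
NON_USER_INACTIVITY_MAX_DAYS = 180

TEMP_KINDS = ("temporary", "emergency")


@dataclass
class Account:
    name: str
    kind: str                   # "user", "temporary", "emergency", "device", "service", ...
    created: date
    last_login: Optional[date]  # None if the account has never logged in
    enabled: bool


Finding = Tuple[str, str, str]  # (control, account name or "*", detail)


def days_idle(account: Account, today: date) -> int:
    """Days since last use; an account that never logged in counts from creation."""
    return (today - (account.last_login or account.created)).days


def find_ac2_violations(accounts: List[Account], last_review: date,
                        today: date) -> List[Finding]:
    """Return one finding per tailored AC-2 parameter that is exceeded."""
    findings: List[Finding] = []

    # AC-2j: the periodic account review itself must have happened on schedule.
    if (today - last_review).days > REVIEW_FREQUENCY_DAYS:
        findings.append(("AC-2j", "*",
                         f"account review overdue; last review {last_review.isoformat()}"))

    for acct in accounts:
        if not acct.enabled:
            continue  # already disabled or removed: nothing further to check

        # AC-2(2): temporary and emergency accounts must be removed within
        # the tailored period regardless of how recently they were used.
        if acct.kind in TEMP_KINDS:
            age = (today - acct.created).days
            if age > TEMP_ACCOUNT_MAX_AGE_DAYS:
                findings.append(("AC-2(2)", acct.name,
                                 f"{acct.kind} account is {age} days old "
                                 f"(limit {TEMP_ACCOUNT_MAX_AGE_DAYS})"))
            continue

        # AC-2(3): inactive accounts must be disabled; the limit depends on
        # whether the account is user level or not.
        limit = (USER_INACTIVITY_MAX_DAYS if acct.kind == "user"
                 else NON_USER_INACTIVITY_MAX_DAYS)
        idle = days_idle(acct, today)
        if idle > limit:
            findings.append(("AC-2(3)", acct.name,
                             f"{acct.kind} account inactive {idle} days (limit {limit})"))
    return findings


# Constructed sample inventory (not data from the presentation).
TODAY = date(2011, 6, 1)
LAST_REVIEW = date(2010, 4, 15)  # 412 days before TODAY: AC-2j review overdue
SAMPLE_ACCOUNTS = [
    Account("alice", "user", date(2010, 1, 4), date(2011, 5, 28), True),                # active
    Account("bob", "user", date(2010, 1, 4), date(2011, 1, 15), True),                  # 137 days idle
    Account("carol", "user", date(2010, 1, 4), date(2010, 11, 1), False),               # already disabled
    Account("tmp-contractor", "temporary", date(2011, 1, 10), date(2011, 5, 30), True), # 142 days old
    Account("backup-svc", "service", date(2009, 6, 1), date(2010, 11, 15), True),       # 198 days idle
    Account("badge-reader-7", "device", date(2009, 6, 1), date(2011, 3, 1), True),      # 92 days idle, non-user
]

if __name__ == "__main__":
    for control, name, detail in find_ac2_violations(SAMPLE_ACCOUNTS, LAST_REVIEW, TODAY):
        print(f"{control:8} {name:16} {detail}")
```

Running the script on the sample inventory flags the overdue review, bob's idle user account, the over-age temporary account and the idle service account, while badge-reader-7 passes because its 92 idle days fall under the non-user limit; a user account with the same idle time would have been flagged, which is the distinction the workbook's AC-2(3) wording draws.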

Page 10

FISMA / FedRAMP Details

Page 11

FISMA / FedRAMP Details

Page 12

FedRAMP Challenges

- Continuous monitoring not adequate
  - SLAs not validated in real time
  - Manual processes prone to error
  - Security control testing may be done too far apart

- Security management not adequate
  - Data collection for analysis inadequate
  - Corrective action hard to negotiate

- Can outsource responsibility but not accountability

Page 13

End-user Visibility is Key

Page 14

A&A Process for Cloud Computing

Questions?

[email protected]