cloud-based customer experience management solutions for government agencies
DESCRIPTION
This white paper provides insights for cloud computing buyers and vendors into the opportunities and challenges of certifying cloud-based solutions for U.S. Federal Government Civilian Agencies.TRANSCRIPT
www.rightnow.com
CLOUD-BASED CUSTOMER EXPERIENCE MANAGEMENT SOLUTIONS FOR GOVERNMENT AGENCIES
Opportunities and Challenges of Certifying Cloud-Based Solutions for U.S. Federal Government Civilian Agencies
©2009 RightNow Technologies. All rights reserved. RightNow and RightNow logo are trademarks of RightNow Technologies Inc. All other trademarks are the property of their respective owners. 9007
www.rightnow.com
TABLE OF CONTENTS
Introduction .......... 1
Cloud Computing Fundamentals .......... 3
How We Approached C&A .......... 3
Challenges We Faced in Working Through Our C&A .......... 4
Lessons Learned in Working Through The Challenges .......... 5
Conclusion .......... 7
Authors .......... 9
About SecureForce .......... 9
About RightNow Technologies .......... 9
CLOUD-BASED CUSTOMER EXPERIENCE MANAGEMENT SOLUTIONS FOR GOVERNMENT AGENCIES
www.rightnow.com1
Share This
INTRODUCTION
RightNow TechnologiesRightNow is a provider of cloud-based customer experience management solutions that help consumer-centric organizations deliver exceptional customer experiences across the web, social networks, and contact centers. Founded in 1997, RightNow is headquartered in Bozeman, Montana, employs more than 800 people, and with more than eight billion customer interactions delivered, RightNow is the customer experience fabric for nearly 2,000 organizations around the globe. RightNow is listed on the NASDAQ under the symbol RNOW. Over 170 public sector clients, including nearly every US cabinet level agency, Army, Marines, Air Force, members of the Intelligence Community and DoD, rely on RightNow CX to deliver real-time information, when and where it’s needed.
RightNow CX, the Customer Experience SuiteRightNow CX is a total customer experience solution for consumer-centric organizations serious about enabling superior interactions across web, social, and contact center touchpoints. RightNow’s customer experience solutions give agencies the ability to coordinate disparate resources, including people and technology, across the organization to develop, rapidly execute, and manage a comprehensive customer experience strategy. RightNow CX applications address the three experiences that matter most (see diagram below), ensuring a seamless multi-channel (web, voice, chat, etc.) experience, regardless of the number or type of customer interactions initiated.
RightNow Government CloudTo serve its U.S. Federal Government customers, RightNow has built a dedicated private cloud infrastructure from the ground up to provide enhanced security and satisfy regulatory compliance requirements. Deployed in a Tier 4 datacenter, the RightNow Government
www.rightnow.com2
Share This
Cloud offers logical separation of tenants and other controls necessary to provide the security, high availability, and redundancy equivalent to our commercial offering. The Government Cloud has been designed to satisfy the control requirements for the National Institute of Standards and Technology (NIST) 800-53 “moderate” baseline. Control implementation and compliance status has been independently verified and documented by a third party.
SECUREFORCE
SecureForce, LLC (SecureForce) is a Washington, DC Metro area based cybersecurity firm that has extensive experience supporting the U.S. Government. SecureForce has provided security engineering, Certification and Accreditation (C&A), security assessment, and security operations support to a broad customer base, including Federal Civilian agencies, the Department of Defense, and the Intelligence Community. SecureForce has performed numerous C&As leveraging the processes outlined in NIST 800-37, NIACAP, DIACAP and DCID 6/3.
RightNow and SecureForce have partnered to ensure government compliance requirements are integrated throughout the lifecycle of the RightNow Government Cloud offering and a comprehensive C&A package is developed for each product release.
The Demand for Cloud ComputingWe have seen an increasing demand for cloud computing resources to be made available in all enterprises globally. Very recently, the demand and interest for cloud computing resources in the Federal Government has increased tremendously. Increasingly, there is a need to offer cloud-based services to the Federal Government that have historically only been available to the private sector.
The Goal of this DocumentRightNow and SecureForce have spent the last year and a half working through the complexities of certifying a cloud computing infrastructure against the moderate baseline of the NIST 800-53 control framework. Throughout this process we have identified a number of security controls that were not written with a cloud computing environment in mind.
In this document we provide some insight into the high-level challenges that we have faced throughout this process, along with some of our findings, to raise the visibility for other cloud computing vendors who may be thinking about providing services to the Federal Government. We’ve also positioned this document to provide cloud computing buyers lessons learned with the goal of increasing awareness of the obstacles associated with performing C&A in the cloud.
..........
www.rightnow.com3
Share This
CLOUD COMPUTING FUNDAMENTALS
In accordance with the NIST Definition of cloud computing (http://csrc.nist.gov/groups/SNS/cloud-computing/), cloud-based services can be offered via one of three service models.
Infrastructure Cloud (IaaS)Infrastructure services in the cloud. This type of cloud vendor will typically provide the processing, storage, and network infrastructure. Examples of IaaS vendors are:
· Amazon EC2 and S3
· OpsSource
· Rackspace
Platform Cloud (PaaS)Cloud providers in this category typically provide either an application development platform, or a raw operating environment from which to house your applications. Vendors in the platform cloud could, in theory, be utilizing IaaS from another vendor underneath the covers. Examples of PaaS vendors are:
· Microsoft Azure
· Boomi
· Google App Engine
Application Cloud (SaaS)SaaS vendors are providing an actual application to their customers, typically delivered via web technologies such as Web 2.0 or smart client technology. SaaS vendors could, in theory, be utilizing both a PaaS vendor for delivery of their service and an IaaS vendor for the underlying infrastructure. Examples of SaaS vendors are:
· RightNow Technologies
· Concur
· MessageLabs
HOW WE APPROACHED C&A
RightNow recognizes that meeting Federal Information Security Management Act (FISMA) compliance is a cost of doing business with the Federal Government. Furthermore, RightNow acknowledges the expectation of the government that vendors should be responsible for demonstrating FISMA compliance within their product offerings in order to establish the chain of trust as part of the implementation of the NIST Risk Management Framework (RMF). Through the partnership with SecureForce, RightNow has taken the initiative to demonstrate the required trustworthiness and address FISMA compliance head-on.
Given the RightNow Government Cloud is a multi-tenant environment, we anticipated that certification boundaries would become blurry and controls would become harder to satisfy. In order to address all aspects of the cloud offering, a flexible yet comprehensive approach to addressing C&A within the cloud was required. Based upon the most common customer use cases and data types, the Federal Information Processing Standard (FIPS) 199 system categorization for the Government Cloud was determined to be moderate. To ensure consistent documentation and assessment of controls across tenants, the certification
www.rightnow.com4
Share This
boundary was determined to include all infrastructure components as well as the baseline application. The Government Cloud C&A package is built upon the NIST RMF and includes the following artifacts:
Artifact NotesSystem Security Plan (SSP) Consistent with NIST SP 800-18Security Assessment Report Consistent with NIST SP 800-53ARisk Assessment Report Consistent with NIST SP 800-30Plan of Actions and Milestones (POA&M) Maintained by RightNow
For each subsequent product version the C&A package is updated and made available to new customers or to existing customers that are upgrading to that version. For those customers that have extensive customizations that extend product functionality, an addendum to the C&A package for their product version must be developed to capture any non-compliant controls and potential risks that may be introduced via the customizations.
CHALLENGES WE FACED IN WORKING THROUGH OUR C&A
C&A is a complex process made more difficult when applied to a multi-tenant, cloud-based offering. The three most pressing issues we faced during the C&A of the Government Cloud were:
1) Multi-tenancy: Some NIST SP 800-53 controls and NIST SP 800-53A control assessment objectives were not written to address multi-tenancy or data co-mingling. As a result, this created some difficulty when assessing common controls applicable to the entire environment. Ultimately, those controls were fully documented in the SSP then assessed against the “spirit of the law” (i.e. does the control satisfy the control assessment objective while maintaining adequate isolation between customer instances?).
2) Hybrid Control Identification and Ownership Determination: While the majority of applicable security controls are the responsibility of the outsourced provider, some controls also require decision or action by the government customer. These types of controls in which there is shared responsibility between the vendor and the government are known as known as hybrid controls. Examples of hybrid controls include incident response and contingency planning where both the government and the vendor would be required to have policies and procedures in place and the policies and procedures in use by the government may be common for all systems within their inventory. Hybrid controls and the customer-specific responsibilities for meeting control assessment objectives are identified in both the SSP and SAR.
3) Lack of System and Control Documentation: The security architecture and concept of operations of the Government Cloud was not sufficiently documented to provide the necessary context for non-RightNow personnel to fully understand the Government Cloud architecture and operations in order to determine control adequacy and robustness. Having a fully documented security architecture and concept of operations is essential to ensuring complete transparency and establishing the necessary chain of trust between the vendor and the government customer. As part of the C&A process, the security architecture and concept of operations were documented in the SSP.
www.rightnow.com5
Share This
LESSONS LEARNED IN WORKING THROUGH THE CHALLENGES
Multi-TenancyMost cloud computing vendors in the SaaS space, including RightNow, offer a solution that is multi-tenant. Multi-tenancy presents a number of challenges, outlined above, in an environment that is to be certified and accredited. Here is a summary of the key lessons that we learned during our C&A.
No context of cloud computingWhile multi-tenant environments are not explicitly prohibited, many of the controls in the NIST SP 800-53 framework assume a single-tenant installation. Because agencies have become familiar with these controls, many of the Information Assurance (IA) professionals and Authorizing Officials that we’ve worked with were initially very reluctant to housing their data in a multi-tenant environment.
RightNow and SecureForce have been able to overcome this reluctance and provide a high degree of assurance regarding the effectiveness of control implementation by clearly outlining the security engineering decisions that RightNow made early-on to logically separate clients from one another. Throughout the C&A process, careful attention was paid to clearly detailing the technical steps taken to logically separate customers from one another in such a way that the risk of co-mingling of data on the same physical infrastructure and the likelihood of cross-organizational operational impact are minimal.
System categorization must be based upon high watermarkIt was also recognized early-on that in a multi-tenant environment, the system as a whole would need to be certified and accredited at a FIPS 199 impact categorization that was commensurate with the highest level that any single potential client could require. This is due to the fact that a large number of the controls that are documented and audited are common controls that involve all of the underlying infrastructure components that are shared in a multi-tenant environment. Consequently, any cloud computing vendor who intends to run a multi-tenant environment would need to certify at the “high water mark”, determined by the highest feasible impact categorization of any single tenant of the infrastructure.
Of course, this means that tenants that do not have an explicit requirement for a higher level impact categorization get to take advantage of the increased operational and security controls that are in place. Not only does this provide them with an extra level of assurance in their cloud computing vendor, but it allows them the flexibility to grow into system requirements that are beyond the scope of their original deployment.
Consistent and repeatable processes are requiredConsistent and repeatable processes should be part of any mature cloud computing vendor’s operational practices. The NIST 800-53 control framework requires policies and procedures be developed for all three classes of controls—technical, operational, and management. The application of consistent and repeatable processes can be difficult and is further complicated when being applied to a multi-tenant cloud computing environment.
Automation is key to cloud computingAutomated and repeatable processes must be tightly integrated throughout all components of the environment to maintain the integrity and security of the cloud computing platform
www.rightnow.com6
Share This
and to ensure quality provisioning of elastic, on demand, services.
RightNow has developed a comprehensive management system which automates commonly performed tasks throughout the Government Cloud, including the infrastructure, platform, and application. RightNow achieves operational excellence, while maintaining a robust security posture, in a complex multi-tenant environment by directly controlling all aspects of the Government Cloud.
Change management approval process is mandatoryIn any computing environment, there will inevitably be some processes which cannot be automated. Those processes which cannot be automated require thorough review and approvals to ensure that operational risk is reduced as much as possible, without losing the ability to be flexible.
We have implemented a change management and tracking process that allows the operators of the environment to propose changes to the environment. These proposals are reviewed by appropriate engineering resources and approved by management multiple times per week. This level of frequency allows us to be responsive to customer demands in a constantly evolving environment.
Version control is taken to a new levelThe ability to run multiple versions of the application (SaaS level) of the cloud computing environment is driven primarily by the mission criticality of the application use case. Having a system that allows the tenants a choice in version and upgrade schedule is one of the many unique value propositions that RightNow provides. Maintaining a large number of versions in a production environment requires robust logical separation of tenants from one another. Only through robust logical separation can the integrity of the environment be maintained despite the disparity in service functionality and patch levels between tenants.
www.rightnow.com7
Share This
CONCLUSION
SuggestionsTo address common concerns related to cloud computing, guidance should be developed that addresses the application of the NIST 800-53 control framework to a cloud computing environment. Particular attention should be paid to explaining the risks associated with multi-tenancy and the types of controls and countermeasures that may be put in place to effectively enforce and monitor logical separation, and their ability to mitigate the associated risks. Additionally, the guidance should address those hybrid controls that may be common across the cloud computing environment (i.e. common for all tenants) as well as those controls where the responsibility for control implementation should be shared between the vendor and the government. We are aware that NIST is presently developing guidance on cloud computing and we look forward to reviewing and providing feedback on the initial public draft.
ConsiderationsVendors should be aware that:
· Government customers are required to conduct C&A of their systems prior to operation and are required to monitor the system on a continuous basis thereafter.
· Government customers expect the vendors to support the C&A process; therefore, C&A is a mandatory requirement for doing business with the government.
· Government customers expect complete transparency into cloud computing offerings in order to ensure all aspects of the offering (e.g. 3rd party vendors and services) meet the necessary control requirements and do not weaken the chain of trust.
· Hybrid controls exist where there may be shared responsibility between the vendor and government.
· Security engineering should be tightly integrated throughout the lifecycle of cloud computing offerings so that security requirements are fully understood and a risk management program is in place to balance security against operational and functional requirements.
Government customers should be aware that:
· Many vendors have never dealt with C&A and are not fully educated on the requirements for complying with FISMA. Contracts should clearly identify the applicable NIST 800-53 controls and enhancements and the vendor’s responsibility to ensure they are satisfied.
· NIST guidelines do not fully address cloud computing. Applicable controls must be assessed within the given context of their environment.
· Hybrid controls exist where there may be shared responsibility between the vendor and government.
· Mature cloud computing vendors should be able to demonstrate that security engineering principles are tightly integrated throughout the lifecycle of their offerings, that security requirements are fully understood, and a risk management program is in place to balance security against operational and functional requirements.
www.rightnow.com8
Share This
Chain of TrustTransparency is a key factor in developing trust with cloud computing consumers. If the chain of trust has fewer links, the service will ultimately be easier to secure and control, thereby facilitating:
· Auditing
· Reporting
· Accountability
Cloud computing vendors who have direct control over all three cloud service models will have a distinct advantage for providing transparency as well as addressing the numerous controls and policies necessary to achieve compliance and accreditation. Very little finger pointing can take place in an environment where a single vendor is responsible from end to end.
SummaryIn going through the FISMA certification and accreditation process, we found several things particularly challenging:
· Multi-tenancy: clarity and guidance needs to be provided to help define and control multi-tenant environments
· Hybrid controls: standards need to be updated to accommodate that some controls may be applicable across multiple layers of infrastructure, with different responsible parties at each layer
· Lack of system and control documentation: this is an area that vendors just need to be prepared to address
We suggest that the FISMA guidelines be updated to provide clarity in the first two issues noted above and would welcome the opportunity to provide direct feedback in these areas to those who are responsible for writing/amending the guidelines.
There have been some changes made recently to NIST 800-37 (revision 1) that will make a unified standard and methodology easier to achieve over the long term. However, we feel that these changes do not yet directly address the areas that we’re suggesting above.
www.rightnow.com9
Share This
AUTHORS
Ben Nelson
CISO & Director, IT Services
RightNow Technologies
Stefen Smith, CISSP-ISSEP
Chief Technology Officer
SecureForce
ABOUT SECUREFORCE
SecureForce is passionate about cyber security. We are comprehensive in our approach to providing end-to-end security solutions using state-of-the-art technologies supplemented with constantly evolving knowledge and expertise. Our methods are singularly focused on removing the threat of cyber exploitation. Located in Washington, DC, SecureForce has the proven credentials to assess, architect, engineer, certify, accredit, and operate the security infrastructure of the largest government agencies and corporations located in the U.S. and abroad.
ABOUT RIGHTNOW
RightNow (NASDAQ: RNOW) delivers the high-impact technology solutions and services organizations need to cost-efficiently deliver a consistently superior customer experience across their frontline service touchpoints. Approximately 1,900 corporations, government agencies, and institutions worldwide depend on RightNow to achieve their strategic objectives and better meet the needs of those they serve. RightNow is headquartered in Bozeman, Montana.
For more information, please visit www.rightnow.com.
RightNow is a registered trademark of RightNow Technologies, Inc. NASDAQ is a registered trademark of the NASDAQ Stock Market.
Contact us today to find out how we can help you create the best possible customer experience for your customers.
TwitterRightNow.com Facebook
RightNow BlogLinkedInYouTube
Be social with us:
Our solutions: