
8/7/2019 Cloud Security for Federal Agencies: Achieving greater efficiency and better security through federally certified cloud services

ISSUE BRIEF

Cloud Security for Federal Agencies: Achieving greater efficiency and better security through federally certified cloud services

This paper is intended to help federal agency executives better address federal security and privacy requirements when choosing cloud computing services. We explain how using a cloud provider that is certified through the Federal Risk and Authorization Management Program (FedRAMP) and the General Services Administration's Blanket Purchase Agreement (BPA) for Infrastructure as a Service (IaaS) offers agencies real potential for improving efficiency and risk management when establishing their IT infrastructure in the cloud. We also delineate the FedRAMP lines of responsibility between agencies and cloud providers, and provide guidance for evaluating cloud providers to maximize benefits and minimize delivery risk.

    A critical issue, but not a barrier

Cloud computing offers federal agencies a powerful means to reduce costs, deliver more timely services, and significantly reduce burdens on internal IT resources. While the promised value is compelling, agency managers cite security and data privacy concerns as primary reasons for not migrating specific systems to the cloud. They are concerned about the loss of control inherent in the multi-tenant nature of cloud computing, which requires rigorous controls and continuous monitoring to prevent data leakage and unauthorized access. They also require visibility into potential security incidents, and must be able to respond to security audit findings and obtain support for investigations.

As a result, security and data privacy were top priorities that the General Services Administration's (GSA's) Federal Cloud Computing Initiative sought to address in order to facilitate cloud adoption. GSA has collaborated with the Federal Chief Information Officer (CIO), the National Institute of Standards and Technology (NIST), the CIO Council, and Senior Agency Information Security Officers to build a common cloud security Assessment and Authorization (A&A) framework called the Federal Risk and Authorization Management Program (FedRAMP). GSA has also required cloud providers on its Blanket Purchase Agreement (BPA) for Infrastructure as a Service (IaaS) to receive A&A to support systems requiring Low or Moderate Risk Impact environments. In addition, these vendors' personnel must pass National Agency Checks with Inquiries according to HSPD-12 criteria. Prior to these initiatives, early movers to the cloud had to take on undue risk to meet desired timeframes.

© CGI GROUP INC. All rights reserved. www.cgi.com/federalcloud

"It is not sufficient to consider only the potential value of moving to cloud services. Agencies should make risk-based decisions which carefully consider the readiness of commercial or government providers to fulfill their Federal needs."

Vivek Kundra, U.S. Chief Information Officer, Federal Cloud Computing Strategy, February 8, 2011


    Keys to minimizing risk and maximizing value

The Federal Cloud Computing Strategy, released February 8, 2011, recommends that agencies carefully consider their cloud security needs across a number of dimensions, including statutory compliance, data characteristics, privacy and confidentiality, integrity, data controls and access policies, and governance. In addition, NIST's recent draft publication Guidelines on Security and Privacy in Public Cloud Computing (SP 800-144) identifies nine security and privacy considerations for planning, reviewing, negotiating or initiating a public cloud service outsourcing arrangement. Agencies can fast-track their realization of cloud savings and other benefits, while simultaneously addressing the security and privacy challenges highlighted by NIST, by leveraging GSA's IaaS BPA.

By choosing cloud providers on the GSA BPA for IaaS, agencies can confidently achieve:

• Physical separation of software in federal clouds from commercial clouds

• Tenant and vendor administrators vetted by the federal government

• Data ownership and protection approaches clearly stating that agencies own their data, and spelling out mutually agreed processes the agency and cloud provider will follow for Freedom of Information Act or other data requests

• Clear scope of security models and environments that are pre-tested by the government to meet FISMA Moderate Risk Impact requirements and provide continuous monitoring. Agencies with higher security requirements can work with certified cloud providers to design and deploy systems that meet more stringent specifications.

• Transparency into what security features are included in a cloud bid, and what additional services are available or desired by the agency to meet its specific needs

• Ability to solve many security challenges more efficiently than internal solutions by leveraging the significant investments made by providers to deliver superior controls and enterprise-class production environments that are pre-tested and certified by the government

• Faster authorization of systems moving to the cloud by re-using existing security authorizations established via FedRAMP, and separately certifying only additional agency- and application-specific requirements

• Savings in time and money by using existing security authorizations, eliminating the need to visit data centers and pursue and justify separate infrastructure accreditations (typically 40% of the A&A level of effort)

• More time and resources to focus on application security.

"Ensuring data and systems security is one of the biggest and most important challenges for federal agencies moving to the cloud. FedRAMP's uniform set of security authorizations can eliminate the need for each agency to conduct duplicative, time-consuming, costly security reviews."

David McClure, GSA's Associate Administrator for Citizen Services and Innovative Technologies [1]

[1] "Guidelines would speed certification of cloud products, services," Government Computer News, November 2, 2010


    Realizing greater security in the cloud

By using the IaaS BPA for cloud solutions, federal agencies can readily comply with the Federal Information Security Management Act's (FISMA's) comprehensive framework for securing IT for the large majority of agency systems. The basis for determining the level of risk impact is Federal Information Processing Standard (FIPS) 199. Figure 1 shows that 88% of categorized federal systems are classified as FIPS Low or Moderate Risk Impact. By using cloud environments that have been certified to meet Moderate Risk Impact requirements, agency applications can in fact be more secure in the cloud than they are in many existing infrastructures, especially those based on legacy platforms using legacy controls.

    Figure 1: FIPS Risk Impact of Categorized Federal Systems

40% of categorized systems are classified as Low Risk Impact. Examples include public-facing websites with non-sensitive data as well as applications such as inventory systems. Systems with public data that is subject to transparency requirements have been among the first to leverage the cloud. For example, the Recovery Accountability and Transparency Board deployed Recovery.gov in the cloud, and NASA has also leveraged the cloud for public information. When considering the public cloud for such systems, agencies should ensure that cloud providers can deliver a security level that prevents data tampering or disruption of service: the data may be public, but its integrity and availability still matter.

48% of categorized systems are classified as Moderate Risk Impact. These include systems supporting operations and those processing sensitive data such as personally identifiable information (PII), Confidential Business Information (CBI), and personal health information. Federal financial systems that process budget and procurement information, purchase card numbers, banking information for payments, or Social Security Numbers would be categorized as Moderate Risk Impact. Often, such financial systems are better suited to Virtual Private Clouds, for which agencies can dictate their required levels of security. Virtual Private Clouds give agencies exclusive use of computing infrastructure and allow them to prescribe specific security measures without requiring infrastructure investment.

Figure 1 data: Low 40%, Moderate 48%, High 12%.
Source: Fiscal Year 2009 Report to Congress on the Implementation of The Federal Information Security Management Act of 2002
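The Low/Moderate/High split above comes from FIPS 199 categorization, which is mechanical enough to check in code. The following Python is an added example written for this page, not code from CGI, GSA or FedRAMP. It applies the FIPS 199 high-water mark across the three security objectives and across every information type a system handles, enforces the LOW floor that FIPS 199 sets at system level (confidentiality of public information may be "not applicable" for an information type, but no objective may stay N/A for a system), and reports whether the result falls within the Low/Moderate range that the pre-authorized BPA environments cover. The sample systems and their impact values are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Dict, Iterable

# Ordered impact values from FIPS 199. "N/A" is permitted only for the
# confidentiality of information that is already public.
LEVELS = {"N/A": 0, "LOW": 1, "MODERATE": 2, "HIGH": 3}
OBJECTIVES = ("confidentiality", "integrity", "availability")


@dataclass(frozen=True)
class InfoType:
    """One information type with its provisional impact per objective."""
    name: str
    confidentiality: str
    integrity: str
    availability: str

    def __post_init__(self):
        for objective in OBJECTIVES:
            value = getattr(self, objective)
            if value not in LEVELS:
                raise ValueError(f"{self.name}: unknown impact value {value!r}")
            if value == "N/A" and objective != "confidentiality":
                raise ValueError(f"{self.name}: {objective} may not be N/A")


def categorize_system(info_types: Iterable[InfoType]) -> Dict[str, str]:
    """Apply the FIPS 199 high-water mark to an information system.

    Per objective, take the highest impact across all information types.
    At system level no objective may stay N/A: FIPS 199 sets a LOW floor
    because the system's own processing functions must be protected.
    The overall category is the highest of the three objectives.
    """
    info_types = list(info_types)
    if not info_types:
        raise ValueError("a system must process at least one information type")
    per_objective = {}
    for objective in OBJECTIVES:
        mark = max(LEVELS[getattr(t, objective)] for t in info_types)
        per_objective[objective] = max(mark, LEVELS["LOW"])
    overall = max(per_objective.values())
    names = {v: k for k, v in LEVELS.items()}
    result = {obj: names[v] for obj, v in per_objective.items()}
    result["overall"] = names[overall]
    return result


def fits_preauthorized_moderate(category: Dict[str, str]) -> bool:
    """True when the overall category is LOW or MODERATE, i.e. within what
    the paper says the BPA's Moderate-authorized environments cover."""
    return LEVELS[category["overall"]] <= LEVELS["MODERATE"]


# Constructed sample systems (hypothetical, not taken from the paper).
PUBLIC_BROCHURE_SITE = [
    InfoType("press releases", "N/A", "LOW", "LOW"),
]
TRANSPARENCY_SITE = [
    # Public data, so confidentiality is N/A, but tampering or an outage
    # would defeat the site's purpose: integrity and availability drive it.
    InfoType("spending reports", "N/A", "MODERATE", "MODERATE"),
]
FINANCIAL_SYSTEM = [
    InfoType("procurement notices", "N/A", "LOW", "LOW"),
    InfoType("purchase card numbers", "MODERATE", "MODERATE", "LOW"),
    InfoType("payment banking details", "MODERATE", "MODERATE", "MODERATE"),
]

if __name__ == "__main__":
    for label, system in (("public brochure site", PUBLIC_BROCHURE_SITE),
                          ("transparency site", TRANSPARENCY_SITE),
                          ("financial system", FINANCIAL_SYSTEM)):
        cat = categorize_system(system)
        print(f"{label}: {cat} -> pre-authorized Moderate sufficient: "
              f"{fits_preauthorized_moderate(cat)}")
```

The transparency site is the case worth noticing: every information type on it is public, yet the system categorizes as Moderate because the agency cannot tolerate tampered or unavailable data, which is the point the Low Risk Impact paragraph above makes about public-facing systems.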

    FedRAMP Highlights

FedRAMP offers a common security A&A framework for cloud infrastructure; defines requirements for controls such as vulnerability scanning and incident monitoring, logging and reporting; and provides continuous monitoring services for certified government and commercial cloud computing systems that are intended for multi-agency use, improving risk management. An agency can leverage an existing authorization by reviewing and accepting the findings in that FedRAMP package. The authorization remains in effect as long as the related security risks remain accepted by the agency and the authorization complies with relevant policies.


    Agency security responsibilities vs. certified cloud provider responsibilities

When determining the additional security requirements to deploy as part of a move to the cloud under the NIST model, it is the agency's responsibility to address the security and risk management of its own major applications. Security controls can be provided by the application owner or can be procured from a qualified vendor (see Figure 2).

    Figure 2: Examples of Available Security Controls

For agencies preferring that their cloud provider perform continuous monitoring, back up and restore data, and/or guarantee that data centers are located on U.S. soil, certified providers on GSA's BPA for IaaS will meet these requirements.

Governance, Risk and Compliance:
• Compliance reporting services
• Vulnerability management
• Security event and incident management
• System operational risk management
• System security measures and configurations
• Operating system related security, patching and vulnerability scanning
• Configuration management
• Policies and procedures

Data Risk Management:
• Application activity management
• Strong authentication
• Identity management
• Web policy management
• Data loss prevention

Infrastructure Protection Management:
• Intrusion protection services
• Endpoint protection
• Log management services
• Firewall management
• System antivirus software configuration
• Secure messaging services
• Anti-DDoS

    Inherent security advantages of cloud technology

• Automated security management

• Greater redundancy

• Improved disaster recovery (no matter what happens to a desktop or laptop, data is backed up in the cloud)

• Simplified security auditing and testing

• Shifting public data to an external cloud reduces the risk of exposing internal, sensitive data

• Centralizing data allows skilled experts to ensure that all security measures are taken, eliminating risks posed by employees with less technical skill


Figure 3 (Comparison of Agency and Certified Cloud Provider Security Responsibilities) shows the security responsibility boundaries between agencies and certified cloud providers for the virtual machine and web hosting services offered on the BPA for IaaS. For virtual machines, agencies are responsible for securing the operating system, hosting software and major application. With web hosting, the cloud provider handles the operating-system-related security and some of the hosting software security. Any responsibility gaps can be identified clearly so that agencies can decide what additional security controls, performance reporting, or other standards of compliance are needed, and whether to address those internally or through their cloud provider.

    Figure 3: Comparison of Agency and Certified Cloud Provider Security Responsibilities

Note: Agencies must provide the Disaster Recovery (DR) testing and planning for their own cloud-based applications. This is unlike a typical managed hosting offering, which includes the recovery plans and testing. As a result, agencies may require DR services beyond the cloud offering to complete their needs.

    Next steps

CGI offers a disciplined transition process to get you to the cloud with confidence. We are one of the 12 awardees under GSA's BPA for Infrastructure as a Service. One of our expert executive consultants also chairs TechAmerica's public sector task group, which is providing industry input into FedRAMP. CGI's cloud offerings drive well-managed cloud initiatives because processes, governance, security and compliance are all embedded in our solutions.

In addition, as a full-service cloud and security partner, CGI helps protect operations at the infrastructure and data layers and provides advisory services designed to assess and strengthen security strategies. We offer the full range of security services, including security governance and engineering, cybersecurity and managed security services (e.g. program, configuration, incident and event management and business continuity services). Our certified, accredited and security-cleared experts use proven industry best practices such as ITIL and SANS, continuous monitoring, real-time reporting and immediate action on suspicious activity.

To learn how to find greater security in the cloud for your agency, or to talk to a CGI cloud expert about your specific situation, contact your CGI Federal program manager or visit us at www.cgi.com/federalcloud.

Figure 3 (layer diagram, recovered from the figure labels; the responsibility split follows the text above):

Layer                  Web Hosting                      Virtual Machines
Major Application      Agency                           Agency
Operating System       Cloud Service Provider           Agency
Web Hosting Software   Boundary: shared, provider does part   Agency
Hypervisor             Cloud Service Provider           Cloud Service Provider (boundary below Web Hosting Software)
Physical               Cloud Service Provider           Cloud Service Provider


    About CGI

A global leader in IT, business process and professional services, CGI partners with federal agencies to provide end-to-end solutions for defense, civilian and intelligence missions. For 35 years, we have delivered quality services to help clients achieve results at every stage of the program, product, and business lifecycle. We deliver end-to-end solutions in application and technology management, systems integration and consulting, business process management and services, advanced engineering and technology services, and operational support services. Our proven capabilities in high-demand areas include cloud, cybersecurity, biometrics, citizen services, data exchange, health IT and energy/environment. CGI has 31,000 employees in 125+ offices worldwide.

    Why CGI

• Nearly 35 years of experience in managing infrastructure, security and other business and IT services for complex organizations

• Trusted by more than 180 CIOs to manage their IT infrastructure

• Experience providing infrastructure support for 50+ federal agencies

• Major cybersecurity practice and a significant percentage of federal practice professionals with security clearances

• Rigorous service management and governance processes that are proven against the most demanding requirements, with Service Level Agreements that are 98+% exceeded or met

• Ability to deliver entire applications to meet critical needs faster than agency data centers could deliver just the infrastructure, for example:

  – In just six weeks, built and deployed FederalReporting.gov in a virtualized hosting environment to handle Recovery Act funding recipient reporting

  – In just six weeks, built and deployed a cloud-based portal to support a major health reform initiative. The portal, which includes data from more than 3,000 commercial and public sector organizations, enables citizens to conduct real-time comparisons so they can make more informed healthcare decisions.

• Flexible cloud approaches that can include blending with traditional hosting, the ability to transfer customer data back in-house, and access to robust common services

• Vulnerability scanning and patch management for web hosting that provides embedded security to close the most common exploits.