8/7/2019 Cloud Security for Federal Agencies: Achieving greater efficiency and better security through federally certified clou
ISSUE BRIEF
Cloud Security for Federal Agencies: Achieving greater efficiency and better security through federally certified cloud services
This paper is intended to help federal agency executives to better address federal
security and privacy requirements when choosing cloud computing services. We
explain how using a cloud provider that is certified through the Federal Risk and
Authorization Management Program (FedRAMP) and the General Services
Administration's Blanket Purchase Agreement (BPA) for Infrastructure as a Service
(IaaS) offers agencies real potential for improving efficiency and risk management
in establishing their IT infrastructure in the cloud. We also delineate the FedRAMP
lines of responsibility between agencies and cloud providers, and provide guidance
for evaluating cloud providers to maximize benefits and minimize delivery risk.
A critical issue, but not a barrier
Cloud computing offers federal agencies a powerful means to reduce costs, deliver
more timely services, and significantly reduce burdens on internal IT resources.
While the promised value is compelling, agency managers cite security and data
privacy concerns as primary reasons for not migrating specific systems to the cloud.
They are concerned about the loss of control from the multi-tenant nature of cloud
computing, which requires rigorous controls and continuous monitoring to prevent
potential data leakage and unauthorized access. They also require visibility into
potential security incidents and must be able to respond to security audit findings
and obtain support for investigations.
As a result, security and data privacy were top priorities the General Services
Administration's (GSA's) Federal Cloud Computing Initiative sought to address to
facilitate cloud adoption. GSA has collaborated with the Federal Chief Information
Officer (CIO), the National Institute of Science and Technology (NIST), the CIO Council, and Senior Agency Information Security Officers to build a common cloud
security Assessment and Authorization (A&A) framework called the Federal Risk and
Authorization Management Program (FedRAMP). GSA has also required cloud
providers on its Blanket Purchase Agreement (BPA) for Infrastructure as a Service
(IaaS) to receive A&A to support systems requiring Low or Moderate Risk Impact
environments. In addition, these vendors must pass stringent National Agency
Checks with Investigations according to HSPD-12 criteria. Prior to these initiatives,
early movers to the cloud had to take on undue risk to meet desired timeframes.
CGI GROUP INC. All rights reserved. www.cgi.com/federalcloud
"It is not sufficient to consider only the potential value of moving to cloud services. Agencies should make risk-based decisions which carefully consider the readiness of commercial or government providers to fulfill their Federal needs."
Vivek Kundra, U.S. Chief Information Officer, Federal Cloud Computing Strategy, February 8, 2011
Keys to minimizing risk and maximizing value
The Federal Cloud Computing Strategy, released February 8, 2011, recommends that agencies
carefully consider their cloud security needs across a number of dimensions, including statutory
compliance, data characteristics, privacy and confidentiality, integrity, data controls and access
policies, and governance. In addition, NIST's recent draft publication, Guidelines on Security and
Privacy in Public Cloud Computing (SP 800-144), identifies nine security and privacy considerations
for planning, reviewing, negotiating or initiating a public cloud service outsourcing arrangement.
Agencies can fast track their realization of cloud savings and other benefits while simultaneously
addressing the security and privacy challenges highlighted by NIST, by leveraging GSA's IaaS BPA.
By choosing cloud providers on the GSA BPA for IaaS, agencies can confidently achieve:
- Physical separation of software in federal clouds from commercial clouds
- Tenant and vendor administrators vetted by the federal government
- Data ownership and protection approaches clearly stating that agencies own their data and spelling out mutually agreed processes the agency and cloud provider will follow for Freedom of Information Act or other data requests
- Clear scope of security models and environments that are pre-tested by the government to meet FISMA Moderate Risk Impact requirements and provide continuous monitoring. Agencies with higher security requirements can work with certified cloud providers to design and deploy systems that meet more stringent specifications.
- Transparency into what security features are included in a cloud bid, and what additional services are available or desired by the agency to meet its specific needs
- Ability to solve many security challenges more efficiently than internal solutions by leveraging the significant investments made by providers to deliver superior controls and enterprise-class production environments that are pre-tested and certified by the government
- Faster authorization of systems moving to the cloud by re-using existing security authorizations established via FedRAMP, and separately certifying only additional agency- and application-specific requirements
- Savings in time and money by using existing security authorizations, eliminating the need to visit data centers and pursue and justify separate infrastructure accreditations (typically 40% of the A&A level of effort)
- More time and resources to focus on application security.
"Ensuring data and systems security is one of the biggest and most important challenges for federal agencies moving to the cloud. FedRAMP's uniform set of security authorizations can eliminate the need for each agency to conduct duplicative, time-consuming, costly security reviews."
David McClure, GSA's Associate Administrator for Citizen Services and Innovative Technologies (1)
1 "Guidelines would speed certification of cloud products, services," Government Computer News, November 2, 2010
Realizing greater security in the cloud
By using the IaaS BPA for cloud solutions, federal agencies can readily comply with the Federal
Information Security Management Act's (FISMA's) comprehensive framework for securing their IT for
a large majority of agency systems. The basis for determining the level of risk impact is the Federal
Information Processing Standard (FIPS) 199. Figure 1 shows that 88% of categorized federal systems
are classified as FIPS Low or Moderate Risk Impact. By using cloud environments that have been
certified to meet Moderate Risk Impact requirements, agency applications in fact can be more secure
in the cloud than they are in many existing infrastructures, especially those based on legacy platforms
using legacy controls.
Figure 1: FIPS Risk Impact of Categorized Federal Systems
40% of categorized systems are classified as Low Risk Impact. Examples include public-facing
websites with non-sensitive data as well as applications such as inventory systems. Systems with
public data that is subject to transparency requirements have been among the first to leverage the
cloud. For example, the Recovery Accountability and Transparency Board deployed Recovery.gov in
the cloud, and NASA has also leveraged the cloud for public information. When considering the public
cloud for such systems, agencies should ensure that cloud providers can provide a security level that prevents data tampering or disruption of service.
48% of categorized systems are classified as Moderate Risk Impact. These include systems
supporting operations and those processing sensitive data such as personally identifiable information
(PII), Confidential Business Information (CBI), and personal health information. Federal financial
systems that process budget and procurement information, purchase card numbers, banking
information for payments, or Social Security Numbers would be categorized as Moderate Risk
Impact. Often, such financial systems are better suited to Virtual Private Clouds for which agencies
can dictate their required levels of security. Virtual Private Clouds give agencies exclusive use of
computing infrastructure and allow them to prescribe specific security measures without requiring
infrastructure investment.
Figure 1 data: Low 40%, Moderate 48%, High 12%.
Source: Fiscal Year 2009 Report to Congress on the Implementation of The Federal Information Security Management Act of 2002
FedRAMP Highlights
FedRAMP offers a common security A&A framework for cloud infrastructure; defines requirements for
controls such as vulnerability scanning and incident monitoring, logging and reporting; and provides
continuous monitoring services for certified government and commercial cloud computing systems that
are intended for multi-agency use, improving risk management. An agency can leverage an existing
authorization by accepting the findings in that FedRAMP package. The authorization remains in effect
as long as the related security risks are accepted by the agency and the authorization complies with
relevant policies.
Agency security responsibilities vs. certified cloud provider responsibilities
When determining additional agency security requirements to deploy as part of their move to the cloud
per the NIST model, it is the agency's responsibility to address the security and risk management of its
own major applications. Security controls can be provided by the application owner or can be secured
from a qualified vendor (See Figure 2).
Figure 2: Examples of Available Security Controls
For agencies preferring that their cloud provider perform continuous monitoring, backup and restore
data, and/or guarantee that data centers are located on U.S. soil, certified providers on GSA's BPA for
IaaS will meet these requirements.
Figure 2 content:

Governance, Risk and Compliance
- Compliance reporting services
- Vulnerability management
- Security event and incident management
- System operational risk management
- System security measures and configurations
- Operating System related security, patching and vulnerability scanning
- Configuration management
- Policies and procedures

Data Risk Management
- Application activity management
- Strong authentication
- Identity management
- Web policy management
- Data loss prevention

Infrastructure Protection Management
- Intrusion protection services
- Endpoint protection
- Log management services
- Firewalls management
- System antivirus software configuration
- Secure messaging services
- Anti-DDoS
Inherent security advantages of cloud technology
- Automated security management
- Greater redundancy
- Improved disaster recovery (no matter what happens to a desktop or laptop, data is backed up in the cloud)
- Simplified security auditing and testing
- Shifting public data to an external cloud reduces risk of exposing internal, sensitive data
- Centralizing data allows skilled experts to ensure that all security measures are taken, eliminating risks posed by employees with less technical skill
Figure 3: Comparison of Agency and Certified Cloud Provider Responsibilities shows the security
responsibility boundaries between agencies and certified cloud providers for virtual machines and
web hosting services offered on the BPA for IaaS. For virtual machines, agencies are responsible for
securing the O/S, hosting software and major application. With web hosting, the cloud provider handles
the O/S-related security and some hosting software security. Any responsibility gaps can be identified
clearly so that agencies can decide what additional security controls, performance reporting, or other
standards of compliance are needed, and whether to address those internally or through their cloud
provider.
Figure 3: Comparison of Agency and Certified Cloud Provider Security Responsibilities
Note: Agencies must provide the Disaster Recovery (DR) testing and planning for their own cloud-based
applications. This is unlike a typical managed hosting offering that includes the recovery plans and testing. As a result, agencies may require DR services beyond the cloud offering to complete their needs.
Next steps
CGI offers a disciplined transition process to get you to the cloud with confidence. We are one of the
12 awardees under GSA's BPA for Infrastructure as a Service. One of our expert executive consultants
also chairs TechAmerica's public sector task group, which is providing industry input into FedRAMP.
CGI's cloud offerings compel the development of well-managed cloud initiatives because processes,
governance, security and compliance are all embedded in our solutions.
In addition, as a full-service cloud and security partner, CGI helps protect operations at the infrastructure and data layers and provides advisory services designed to assess and strengthen security
strategies. We offer the full range of security services, including security governance and engineering,
cybersecurity and managed security services (e.g. program, configuration, incident and event management and business continuity services). Our certified, accredited and security-cleared experts use
proven industry best practices such as ITIL and SANS, continuous monitoring, real-time reporting and
immediate action on suspicious activity.
To learn how to find greater security in the cloud for your agency, or to talk to a CGI cloud expert
about your specific situation, contact your CGI Federal program manager or visit us at
www.cgi.com/federalcloud.
Figure 3 data (layers listed from top to bottom; the boundary follows the description above):

Web Hosting
- Agency responsibility: Major Application (plus part of the Web Hosting Software security)
- Cloud Service Provider responsibility: Web Hosting Software (in part), Operating System, Hypervisor, Physical

Virtual Machines
- Agency responsibility: Major Application, Operating System, Web Hosting Software
- Cloud Service Provider responsibility: Hypervisor, Physical
About CGI
A global leader in IT, business process and professional services, CGI partners with federal agencies
to provide end-to-end solutions for defense, civilian and intelligence missions. For 35 years, we have
delivered quality services to help clients achieve results at every stage of the program, product, and
business lifecycle. We deliver end-to-end solutions in application and technology management,
systems integration and consulting, business process management and services, advanced
engineering and technology services, and operational support services. Our proven capabilities in
high-demand areas include cloud, cybersecurity, biometrics, citizen services, data exchange, health
IT and energy/environment. CGI has 31,000 employees in 125+ offices worldwide.
Why CGI
- Nearly 35 years of experience in managing infrastructure, security and other business and IT services for complex organizations
- Trusted by more than 180 CIOs to manage their IT infrastructure
- Experience providing infrastructure support for 50+ federal agencies
- Major cybersecurity practice and significant percentage of federal practice professionals with security clearances
- Rigorous service management and governance processes that are proven against the most demanding requirements, with Service Level Agreements that are 98+% exceeded or met
- Ability to deliver entire applications to meet critical needs faster than agency data centers could deliver just the infrastructure, for example:
  - In just six weeks, built and deployed FederalReporting.gov in a virtualized hosting environment to handle Recovery Act funding recipient reporting
  - In just six weeks, built and deployed a cloud-based portal to support a major health reform initiative. The portal, which includes data from more than 3,000 commercial and public sector organizations, enables citizens to conduct real-time comparisons so they can make more informed healthcare decisions.
- Flexible cloud approaches that can include blending with traditional hosting, ability to transfer customer data back in-house, and access to robust common services
- Vulnerability scanning and patch management for web hosting that provides embedded security to close the most common exploits.