
Page 1: New Version March 2012 - isc2baltimorechapter.org · 12/18/2014  · June 26, 2012 DoD CIO designated DISA to perform cloud brokerage functions to achieve IT efficiencies, reliability,

© 2011 Aquilent, Inc. All Rights Reserved. © 2013 Aquilent, Inc. All Rights Reserved.

Cloud Security: A Sales Guy Talks About DoD’s Cautious Journey to the Public Cloud

Sean Curry, Sales Executive, Aquilent


The first in a series of audits


DoD did not fully execute elements of the July 2012 DoD Cloud Computing Strategy
For the three cloud computing contracts reviewed, no waivers from the designated review authority to use a non-DoD approved CSP
DoD CIO had not developed an implementation plan (as of June 2014) nor a detailed written process for obtaining a GIG waiver
Greater risk of not preserving the security of DoD information against cyber threats


Cloud First


Requires Federal Government shift to a “Cloud First” policy
Cites benefits of cloud: economical, flexible, fast
When evaluating options for new IT, agencies should default to cloud-based solutions whenever a secure, reliable, cost-effective cloud option exists
NIST to lead the development of standards for security, interoperability, and portability:
  SP 800-125 Guide to Security for Full Virtualization Technologies, January 2011
  SP 800-145 NIST Definition of Cloud Computing, September 2011
  SP 800-144 Guidelines on Security and Privacy in Public Cloud, November 2011
  SP 800-146 NIST Cloud Computing Synopsis and Recommendations, May 2012

“Scaling to larger sets of consumers and resources is one of the important strategies for public clouds to achieve low costs and elasticity; if this scaling is achieved, however, it also implies a large collection of potential attackers.”


Federal Risk and Authorization Management Program (FedRAMP)


Tools
  Developed a list of NIST SP 800-53 controls CSPs must meet for Low and Moderate Impact levels
  Developed the Security Assessment Framework (SAF), which details the security assessment process Cloud Service Providers (CSPs) must use to achieve compliance with FedRAMP
  Developed a security contract clause template to assist federal agencies in procuring cloud-based services
  Maintains a Security Repository of CSP compliant providers who have obtained Provisional ATOs

Developed in collaboration with NIST, GSA, DoD and DHS: http://cloud.cio.gov/fedramp
Ensures cloud based services have adequate information security
Eliminates duplication of effort and reduces risk management costs
Enables rapid and cost-effective procurement of information systems/services for Federal agencies


DoD Cloud Strategy


June 26, 2012: DoD CIO designated DISA to perform cloud brokerage functions to achieve IT efficiencies, reliability, interoperability and improve security and end-to-end performance by using cloud service offerings.
IOC as Enterprise Cloud Service Broker (ECSB) on April 16, 2013
DoD Cloud Security Model (CSM) established security guidelines for hosting DoD data/mission/applications in a cloud environment.
  Continuous updates; current version is ECSB CSM v2.1 dated March 13, 2014
  Establishes the DoD security requirements for CSPs to host DoD mission up to and including Secret
  http://iase.disa.mil/cloud_security

In July 2012, the DoD CIO issued the DoD Cloud Computing Strategy to accelerate the DoD adoption of cloud computing and take advantage of its benefits. The strategy provides elements intended to foster adoption of cloud computing and establish a DoD cloud infrastructure. Elements in the strategy include, but are not limited to, the establishment of broker services, training, contract clauses, and broker management capabilities such as:

providing an integrated billing and contracting interface;

managing integrated service delivery from DoD and commercial cloud service providers (CSPs);

controlling usage and optimizing cloud computing workload distribution; and

providing a common, integrated helpdesk.


Transitioning to the “Cloud”


“The DoD Enterprise Cloud Environment will facilitate consolidating and optimizing the Department’s IT infrastructure, including data centers and network operations, and standardizing IT platforms that ensure a secure cyber environment and leverage Agile development. The Department will also adopt commercial cloud computing solutions to the greatest extent possible in support of the Department’s mission.”


Commercial Cloud Process


Diagram: DoD Cloud Security Process and Requirements (administered via DISA), arranged by increasing security and operating requirements:
  100’s of Cloud Service Providers (CSP)
  18 FedRAMP Compliant CSP Offerings1 with FedRAMP Authority to Operate; providers are a mix of IaaS, PaaS, SaaS (initial focus is on IaaS)
  CSM ATO Levels 1-2 (Public): Provisional Authorization granted2
  CSM ATO Levels 3-5 (NIPR): Provisional Authorization granted3
  CSM ATO Level 6 (SIPR)
  System-Specific ATO, granted by the DoD DAA (shown as “John Doe”); the DoD provisionally authorized commercial CSP offering is eligible to be included in the Enterprise Cloud Service Catalog

1 Source: http://cloud.cio.gov/fedramp/cloud-systems
2 Provisional ATO granted to 3 CSPs by February 2014
3 AWS GovCloud Provisional ATO granted 8/8/2014 to deploy pilot applications


Moves and Countermoves


Broker concept is “still being developed by DoD and not fully in place”; DON will ensure “systems are properly certified and formally approved” by the appropriate DAA and ensure “commercial CSPs are used to support low-impact systems and missions functions, unless a more cost effective DoD solution is identified”
Enterprise Cloud Service Broker (ECSB) IOC on April 16, 2013
DON CIO 04 June 2013 Update to DON Approach to Cloud Computing: cancels 01 April 2013 memo; DON CIO will use the Broker to:
  arrange for offerings via the “Enterprise Cloud Service Catalog or other contract vehicles approved by the Broker”
  “Identify and vet commercial CSP’s to host low impact systems…”
DOD CIO 16 December 2013 Update to DON Approach to Cloud Computing: all commercial cloud requests proceed through the DoD Cloud Broker; DoD PA or DISN GIG Flag Panel approval required prior to acquisition and use; suspension of deployments not having a DOD PA or not hosted within DoD’s infrastructure


Catching Fire


February 2014 - 3 CSPs have DOD PAs for Impact Levels 1 and 2
21 May 2014 - Terry Halvorsen becomes acting DoD CIO
8 August 2014 - AWS GovCloud PA granted for Levels 3 - 5
  Conditional upon establishing NIPRNet connectivity to GovCloud, with CND
  Leveraging the PA, system owner DAAs (not DISA) are responsible for system accreditation
11 November 2014 - DoD Cloud Way Forward
  Comprehensive cloud guidance to CSPs and DoD customer organizations
  Requires physical separation from non-DoD tenants for impact levels 3-5
  Outlines process for requirements that cannot be met by a DoD provisionally authorized cloud service



Breaking News


7 December 2014 - Draft Cloud Computing Security Requirements Guide (SRG) V1 incorporates, supersedes, and rescinds the previous Cloud Security Model
  A Technical Interchange Meeting (TIM) was held 12/18 to discuss the SRG
  Impact Levels 1 (public information) and 3 (low impact Controlled Unclassified Information (CUI)) were merged with the next higher impact levels
  DISA is considering accepting FedRAMP Provisional Authorization as the basis for granting a DOD P-ATO for Impact Level 2
15 December 2014 - DoD CIO Updated Guidance on the Acquisition and Use of Commercial Cloud Services
  Cancels 2 key DoD Cloud Memos:
    “Designation of the Defense Information Systems Agency as the Department of Defense Enterprise Cloud Service Broker”, 26 June 2012
    “Supplemental Guidance on the Use of Commercial Cloud Computing Services”, 16 December 2013
  DoD components may acquire cloud services directly
  Requires a Business Case Analysis (BCA); cloud services offered by DISA must be considered
  Components may host unclassified DoD data that has been publicly released on FedRAMP approved cloud services
  Cloud services used for Sensitive Data must be connected to customers through a DoD CIO approved Cloud Access Point (CAP) provided by DISA or another DoD Component