1. Risk Management & Legal Issues in Cloud Practice Christopher Dodorico Director, PricewaterhouseCoopers Wednesday, October 10, 2012

2. Cloud Computing in the US Federal Government – Where are we today? The pace of cloud adoption by federal agencies is picking up Agencies are starting to “dip their toe in the water” and “learn as they go” Embracing the possibilities of cost savings and efficiencies Federal agencies see positive movement in the long-awaited framework for cloud providers to address security concerns in a homogenous manner, with a common controls framework Slide 2

3. Cloud Computing in the US Federal Government – Where are we at today? Despite this positive initial movement, agencies are still concerned about security of the cloud Issues of working with service providers to manage a myriad of compliance requirements, data location, multi-tenancy, and security continue to concern federal agencies contemplating a movement to the cloud Agencies should not rely solely on FedRAMP for information assurance Need for automated audit and assessment tools, as well as continuous monitoring Initial migration of lower-risk and “less mission-critical” operations to the cloud, as a first step Slide 3

4. Cloud Computing in the US Federal Government – Where are we at today? However, the outlook is still bright The combination of education, experience and emerging standards should increase cloud adoption in government Security concerns may decrease over time due to continuous process improvement Harmonizing multiple, overlapping regulatory requirements through Integrated Compliance are critical Patience and Strategy are key – as cloud computing technology, security and cost savings mature, federal agencies will become more comfortable with placing key information in the cloud Slide 4

5. Cloud Security Compliance - FedRAMP The Federal Risk and Authorization Management Program (FedRAMP) establishes the first regulatory program to provide: -A standard, mandatory common controls framework for federal Cloud Service Providers (CSPs) -A standard approach for conducting security assessments of cloud-based systems by Third Party Assessment Organization (3PAO) -Published controls that are entry into market Positive trend toward reuse/reapplication Yet another compliance requirement? Slide 5

6. Integrated Compliance Integrate Cloud Compliance with Existing Control Frameworks 6 FISMA / FedRAMP Taking Requirements….. PCI HIPAA ISO Other Requirements Identifying Common Controls or Processes…. Integrated Control Framework Documenting policy, controls, and criteria that meet minimum requirements across standards…. Execute Integrated Program Executing the program with the integrated framework. Define & Assess Risk Identify Data Sources Develop & Implement Controls Audit and Correct Enforce, Monitor & Support Access Controls Passwords Encryption Training Risk Assessments

7. Critical Success Factors for Cloud Compliance Cloud environments, and more so public cloud environments, present a unique challenge with respect to the sharing of responsibilities for security controls between the CSP and the user organization Appropriate scoping of the environment, location of data, boundary definition, security controls demarcation and clarity about responsibility is critical! Slide 7 SaaSThe cloud provider assumes primary responsibilities for security, and consumers control limited service settings IaaSThe consumer has the greatest responsibilities for security. Due to extensibility, security is required across all layers of implementation PaaSResponsibility lies somewhere in the middle, with extensibility and security features that must be leveraged by the customer

8. Critical Success Factors for Cloud Compliance Understanding data access controls, specifically: -How is data classified in a multi-tenant environment? -How is data classified if multiple organizations are stored in the same data set? -How is logical access granted to specific data sets? -What access control mechanisms are used? Development, deployment and ongoing management of a cloud environment require significant attention to governance. -A cloud environment by nature cannot be static as customers and capabilities are changing constantly, and must scale to meet changing business objectives and regulatory requirements. Slide 8

9. Critical Success Factors for Cloud Compliance Definition of what qualifies as a “Significant Change” -CSPs and their customers each have a point of view -Dialogue between CSPs and their customers to come to joint agreement on what might trigger re-accreditation or re-assessment Collaboration between subscribers (federal agencies), CSPs, authoritative bodies, assessors/auditors, member organizations and software vendors is critical to the success of federal cloud computing -Design and development of robust SLAs, legal agreements -Agreement on applicable control requirements and areas where “scale-up” may be necessary -Government is doing good job of outreach Slide 9

10. PwC PwC’s Washington Federal Practice assists our federal and commercial clients with their IT regulatory and cloud compliance challenges Christopher P. Dodorico, Director christopher.p.dodorico@us.pwc.com 703-861-2205