
The Cloud Abides The Challenges of Cloud Migration and Acquisition


1 The Cloud Abides: The Challenges of Cloud Migration and Acquisition
Alexander W. Major and Franklin C. Turner

2 Overview of Cloud Computing Challenges
- Identifying it
- Buying it
- Selling it
- Securing it

3 Cloud Basics: Identifying it

4 What is Cloud Computing?
NIST SP: "Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction."

5 The Basic Cloud Framework
- Deployment Models: Public Cloud, Private Cloud, Community Cloud, Hybrid Clouds
- Service Models: Software as a Service (SaaS), Platform as a Service (PaaS), Infrastructure as a Service (IaaS)
- Essential Characteristics: On-Demand Self-Service, Broad Network Access, Resource Pooling, Rapid Elasticity, Measured Service
- Common Characteristics: Massive Scale, Homogeneity, Virtualization, Resilient Computing, Low Cost Software, Geographic Distribution, Service Orientation, Advanced Security

6 Federal Cloud Computing: Buying it

7 Understanding the Acronyms …
Key acronyms:
- Federal Information Security Management Act of 2002 (FISMA 2002)
- Federal Information Security Modernization Act of 2014 (FISMA 2014)
- National Archives and Records Administration Controlled Unclassified Information (NARA CUI)
- National Institute of Standards and Technology (NIST)
- Federal Information Processing Standards (FIPS)
- Federal Risk and Authorization Management Program (FedRAMP)

8 FAR Part 39 – Acquisition of Information Technology
- Applies to acquisition of information technology by or for the use of agencies
- Does not apply to acquisitions of information technology for national security systems (e.g., intelligence, cryptologic, military C2, or weapons systems)
Types of Contracts:
- Fixed-Price
- Cost-Type
- Indefinite Delivery Indefinite Quantity (IDIQ) / Requirements / Task Order / Purchase Order
- Other types: GWAC, Labor Hour, Time & Materials, Letter Contract

9 FAR Part 39 – Preference for Commercial Items
- Preference for Commercial Items is implemented by both statute and regulation: 41 U.S.C. § 3307, 10 U.S.C. § 2377, FAR Part 12
- Particularly significant for commercial computer software: GSA IT Schedule 70 = $14B, or 42% of all GSA buys
- New Federal cybersecurity best practices do not change the preference for commercial items

10 Contracting Mechanisms
- FAR Part 13: Acquisition of supplies and services, including construction, research and development, and commercial items, the aggregate amount of which does not exceed the Simplified Acquisition Threshold
- FAR Part 15: Governs competitive and noncompetitive negotiated acquisitions
- FAR Part 41 (?): Applies to the acquisition of utility services for the Government, including connection charges and termination liabilities

11 FAR Part 8 – GSA Sales
- GSA Government-wide Federal Supply Schedule (“FSS”)
- Blanket Purchase Agreement (“BPA”) awarded in September 2015 for identity monitoring, data breach response and protection services
- Multiple Award Schedule 70 (“MAS IT-70”)
- Cloud Computing Special Item Number (“SIN”)

12 FAR Part 8 – GSA Sales: FedRAMP
- Cloud Computing Security Working Group creates the security requirements baseline
- Joint Authorization Board (“JAB”) Technical Representatives (“TRs”) identify additional controls and enhancements
- Public vetting of the security control baseline with agency and industry
- JAB TRs evaluate and incorporate public feedback
- JAB establishes the security controls baseline with recommendations from TRs, industry, and agencies

13 Federal Risk and Authorization Management Program (“FedRAMP”)
- A Government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services
- Establishes a Federal Government standard baseline for securing cloud environments, based on NIST SP
- For private organizations that are not related to Federal agencies or departments, FedRAMP is not required

14 The Federal Cloud Customer: Selling it

15 Spending on the Cloud
- Represents about 8.5% of IT spending by the Federal Government for FY16
- Estimated at around $6.7B for FY16
- Up from roughly 5% in FY15
- Nature of cloud spending also changing in FY16:
  - SaaS increased from $700.7M to $702.9M
  - IaaS increased from $1.1B to nearly $1.2B
  - PaaS increased from $227.1M to $231.3M

16 The “Basic” FedRAMP Process
- Determination: Using the FIPS 199 Categorization template, a cloud service provider (CSP) must determine whether its system falls into a low or moderate security category, which in turn dictates the set of applicable FedRAMP security controls
- Initiation: Agencies or CSPs initiate the FedRAMP process by pursuing a security authorization for the program
- Assessment: CSPs must hire a third-party assessment organization (3PAO) to perform an independent assessment
- Authorization: Upon completion, the security assessment package is forwarded to the FedRAMP JAB for review
- Leveraging: The CSP then continues to work with the executive departments and agencies for Authority to Operate (ATO) permissions

17 FedRAMP Preparation: SSP
- Download and examine the required System Security Plan (SSP), the centerpiece of FedRAMP compliance
- FedRAMP 400-page template describing CSP system inventory, boundaries, and controls
- Plan must satisfy the 298 control requirements derived from the NIST SP
- Plan accordingly – the SSP, along with control mapping and implementation, could take several months
- A contractor cannot move forward until the SSP is complete

18 FedRAMP Preparation: Other Templates
Other templates are also required. The slide tabulates each by “Template Name”, “FedRAMP Template Available?” and “FedRAMP Supplied Template Required?”; for example:
- System Security Plan – Yes
- Control Information Summary
- FIPS 199 Template
- eAuthentication Template – No
- Control Tailoring Workbook
- Rules of Behavior
- Configuration Management Plan
- Information System Security Policies
- IT Contingency Plan
- Incident Response Plan
- Privacy Threshold Assessment / Impact Assessment
- Security Assessment Plan
- Security Assessment Report
- Plan of Action & Milestones

19 Clearing the FedRAMP
- CSP submits appropriate documentation to the FedRAMP PMO and to the JAB, which may grant a Provisional Authorization to Operate (P-ATO)
- CSP submits the appropriate documentation to the FedRAMP PMO and to an agency, which may grant an agency “Authorization to Operate” (ATO)
- Other agencies can then “leverage” this ATO for use in their agency, decreasing the time for approvals
- The agency route may be a bit faster, but confer with both a registered 3PAO and the agency involved
- Submit all documentation to the PMO or sponsoring agency for review; CSP documentation must be approved before a FedRAMP assessment can begin
- Engage a 3PAO to perform the FedRAMP assessment
- No standard timeframe … but typically takes about 2 years

20 New Developments with FedRAMP
- FedRAMP Accelerated Process: JAB authorization streamlining; the target is an ATO in six months
- “FedRAMP Ready”: a pre-audit enabling cloud providers to demonstrate their readiness to achieve a FedRAMP authorization

21 FedRAMP Recap – Compliance Basics
- Plan accordingly and prepare to wait
- Ensure your solution addresses the FedRAMP security control requirements
- Coordinate with a sponsor agency and a 3PAO
- Make sure that the solution security package is created using the required FedRAMP templates and has been assessed by a 3PAO
- Ensure that the completed security assessment package is in the FedRAMP secure repository for public, hybrid, and community clouds
- Await an ATO for your cloud solution

22 Cloud Concerns: Securing it

23 Cloud Migration and Cloud Security Architectures
- Clouds typically have a single security architecture but many customers with different demands
- Clouds should attempt to provide configurable security mechanisms
- Organizations have more control over the security architecture of private clouds, followed by community and then public clouds; this says nothing about actual security
- Higher-sensitivity data is likely to be processed on clouds where organizations have control over the security model

24 Federal Cloud Computing – Security and Privacy
Key security and privacy issues:
1. Governance
2. Compliance
3. Data Location
4. Trust
5. Architecture
6. Identity and Access Management
7. Data Protection
8. Availability
9. Incident Response

25 Federal Cloud Computing – Security and Privacy
Practical recommendations:
1. Risk of Unintended Data Disclosure
2. Data Privacy
3. System Integrity
4. Multi-Tenancy
5. Browsers
6. Hardware Support for Trust
7. Key Management

26 Agency Cloud Contractual Efforts: DoD
DFARS – Cloud Computing Services:
- Provides standard contracting language for acquisition of cloud computing services, including access, security, and reporting requirements
- Imposes safeguarding requirements consistent with the Cloud Computing Security Requirements Guide
- Applies to “Government data” and not “Government-related data”
- Limits access to Government data by CSPs
- Imposes reporting requirements for cyber incidents “related to the cloud computing service provided” under the contract or subcontract
- Requires prompt notification of third-party requests
- Contractor must cooperate with the Government to address any spillages

27 DoD Cloud Computing Security Requirements Guide (SRG)
Objectives:
- Provide security requirements and guidance to Cloud Service Providers (CSPs) that want to service DoD components
- Establish a basis to assess the security posture of a CSP’s service offering
- Define the policies, requirements, and architectures for the use and implementation of commercial cloud services by DoD Mission Owners
- Make it easier for DoD components to procure commercial cloud services
- Particular Cloud Service Offerings (CSOs) can be compliant at a particular level; CSPs are not themselves compliant

28 DoD Cloud Computing – Security Requirements
FedRAMP+ Security Controls/Enhancements:
- Refers to a tailored baseline of security controls and control enhancements developed for each DoD information impact Level, except for Level 2
- FedRAMP+ controls and control enhancements include NIST security controls and enhancements not included in the FedRAMP Moderate baseline
- Selected primarily because they address issues such as the Advanced Persistent Threat (APT) and/or Insider Threat, and because the DoD, unlike the rest of the Federal Government, must categorize its systems in accordance with Committee on National Security Systems Instruction No. 1253, use its baseline, and then tailor as needed

29 Risk Management: Cybersecurity Liability Calculus
It’s simple really:
CL = f(Dt, Do, 2Dl, CuI, R, P, T3) Sc
where:
- CL = Cyber Liability
- Dt = Data Type
- Do = Data Owner
- Dl = Data Location
- CuI = Customers & Industry
- R = Regulators
- P = Promises
- T3 = Threat
- Sc = System Criticality

30 That was a lot … but there’s more …
We’re here to help …
Alexander W. Major | Partner, McCARTER & ENGLISH, LLP
Franklin C. Turner | Partner, McCARTER & ENGLISH, LLP

31 Backup Slides: Service Level Agreement Expectations

32 SLA Recommendations
An SLA defines:
- The level of service and performance expected from a provider;
- How that performance will be measured; and
- What enforcement mechanisms will be used to ensure the specified performance levels are achieved.

33 SLA Recommendations: Roles and Responsibilities; Performance Measures
Roles and responsibilities
1. Specify roles and responsibilities of all parties with respect to the SLA, and, at a minimum, include the agency and cloud providers.
2. Define key terms, such as dates and performance.
Performance measures
3. Define clear measures for performance by the contractor. Include which party is responsible for measuring performance. Examples of such measures include:
- Level of service (e.g., service availability: the duration the service is to be available to the agency).
- Capacity and capability of the cloud service (e.g., maximum number of users that can access the cloud at one time and ability of the provider to expand services to more users).
- Response time (e.g., how quickly cloud service provider systems process a transaction entered by the customer, response time for responding to service outages).

34 SLA Recommendations: Performance Measures (cont.)
4. Specify how and when the agency has access to its own data and networks. This includes how data and networks are to be managed and maintained throughout the duration of the SLA and transitioned back to the agency in case of exit/termination of service.
5. Specify the following service management requirements:
- How the cloud service provider will monitor performance and report results to the agency.
- When and how the agency, via an audit, is to confirm performance of the cloud service provider.
6. Provide for disaster recovery and continuity of operations planning and testing, including how and when the cloud service provider is to report such failures and outages to the agency, how the provider will remediate such situations, and how it will mitigate the risk of such problems recurring.
7. Describe any applicable exception criteria when the cloud provider’s performance measures do not apply (e.g., during scheduled maintenance or updates).

35 SLA Recommendations: Security; Consequences
Security
8. Specify metrics the cloud provider must meet in order to show it is meeting the agency’s security performance requirements for protecting data (e.g., clearly define who has access to the data and the protections in place to protect the agency’s data).
9. Specify performance requirements and attributes defining how and when the cloud service provider is to notify the agency when security requirements are not being met (e.g., when there is a data breach).
Consequences
10. Specify a range of enforceable consequences, such as penalties, for non-compliance with SLA performance measures.

