Assessment and Authorization for Cloud Computing
Dr. Sarbari Gupta
sarbari@electrosoft-inc.com
703-437-9451 ext 12
Third Workshop on Cyber Security & Global Affairs
May 31 – June 2, 2011

Overview
- US mandates and programs affecting cloud computing
- Government-wide risk and authorization of cloud computing
- Challenges faced with cloud computing assessment and authorization
Page 2

US Mandates and Programs
- FISMA – Federal Information Security Management Act of 2002
  - Defines a compliance framework for securing government systems
  - NIST responsible for standards & guidelines
- FedRAMP – Federal Risk Management and Authorization Program
  - Designed to solve the security authorization problems highlighted by cloud computing
  - "Authorize once, use many"
Page 3

Challenges with FISMA
- Measures security planning, not information security
- Interpretation of FISMA requirements and NIST guidelines varies greatly
- The same system's authorization is not compatible across agencies
- Continuous monitoring is inadequate
Page 4

GSA IaaS Cloud Computing Environment
- Cloud Storage Services
  - Storage for files, data and data objects
  - Well-defined storage & bandwidth tiers
- Virtual Machines
  - CPU (RAM, disk space, data transfer bandwidth)
  - Operating system
  - Persistence
- Cloud Web Hosting
  - CPU, OS, software
Page 5

GSA IaaS – Separation of Duties
Page 6

FISMA / FedRAMP Details
Page 7

FISMA / FedRAMP Details
Page 8

Control Tailoring Workbook
Columns: CNTL No. | Control Name | Organization Defined Settings (for controls where 800-53R3 requires an organization-defined setting) | GSA Defined Settings (for controls where 800-53R3 requires an organization-defined setting) | Contractor Implemented Settings (enter contractor implemented settings where the setting is different from the GSA Defined Setting in column D and where the GSA Defined Setting allows a contractor-determined setting; fill this column out if the system setting is different than the GSA defined setting in the previous column)

AC-1 Access Control Policy and Procedures
  - Organization-defined setting: Control AC-1: [Assignment: organization-defined frequency]
  - GSA defined setting: Control AC-1: Biennial

AC-2 Account Management
  - Organization-defined settings: Control AC-2j: [Assignment: organization-defined frequency]; Enhancement (2): [Assignment: organization-defined time period for each type of account]; Enhancement (3): [Assignment: organization-defined time period]
  - GSA defined settings: Control AC-2j: Annually; Enhancement (2): No more than 90 days; Enhancement (3): 90 days for user-level accounts, as per contractor system determination for non-user-level accounts (device, token, smart cards, etc.)

AC-3 Access Enforcement
AC-4 Information Flow
AC-5 Separation of Duties
  - No organization-defined settings listed for these controls

AC-6 Least Privilege
  - Organization-defined settings: Enhancement (1): [Assignment: organization-defined list of security functions (deployed in hardware, software, and firmware) and security-relevant information]; Enhancement (2): [Assignment: organization-defined list of security functions or security-relevant information]
  - GSA defined settings: Enhancement (1): As per contractor system determination; Enhancement (2): All security functions (examples of security functions include but are not limited to: establishing system accounts, configuring access authorizations (i.e.,
Page 9

FISMA / FedRAMP Details
Page 10

FISMA / FedRAMP Details
Page 11

FedRAMP Challenges
- Continuous monitoring not adequate
  - SLAs not validated in real time
  - Manual processes prone to error
  - Security control testing may be done too far apart
- Security management not adequate
  - Data collection for analysis inadequate
  - Corrective action hard to negotiate
- Can outsource responsibility but not accountability
Page 12

End-user Visibility is Key
Page 13

A&A Process for Cloud Computing
Questions?
sarbari@electrosoft-inc.com
Page 14
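The GSA-defined AC-2 parameters in the workbook (annual review, temporary accounts removed within 90 days, user-level accounts disabled after 90 days of inactivity, non-user-level accounts at the contractor's determination) are the kind of setting the deck says is too rarely re-tested. As an added example that is not part of the presentation, the check below evaluates a constructed account inventory against those parameters; the inventory fields and the audit date are assumptions.

```python
from datetime import date

# GSA-defined AC-2 parameters taken from the control tailoring workbook.
TEMP_ACCOUNT_MAX_DAYS = 90      # AC-2(2): temporary accounts removed within 90 days
USER_INACTIVITY_MAX_DAYS = 90   # AC-2(3): user-level accounts disabled after 90 idle days
REVIEW_INTERVAL_DAYS = 365      # AC-2j: accounts reviewed annually

# Constructed sample inventory (assumed schema, not real data).
# "kind" is "user" or "device"; device accounts are exempt from the 90-day
# inactivity rule because the workbook leaves that to contractor determination.
ACCOUNTS = [
    {"name": "alice", "kind": "user", "temporary": False, "enabled": True,
     "created": date(2010, 1, 1), "last_login": date(2011, 5, 20), "last_review": date(2011, 1, 15)},
    {"name": "bob", "kind": "user", "temporary": True, "enabled": True,
     "created": date(2011, 2, 1), "last_login": date(2011, 5, 30), "last_review": date(2011, 2, 1)},
    {"name": "carol", "kind": "user", "temporary": False, "enabled": True,
     "created": date(2009, 6, 1), "last_login": date(2011, 1, 10), "last_review": date(2010, 3, 1)},
    {"name": "sensor01", "kind": "device", "temporary": False, "enabled": True,
     "created": date(2010, 6, 1), "last_login": date(2010, 12, 1), "last_review": date(2011, 4, 1)},
]
SAMPLE_DATE = date(2011, 6, 1)  # assumed audit date


def check_account(acct, today):
    """Return the list of AC-2 parameter violations for one account."""
    findings = []
    if acct["temporary"] and (today - acct["created"]).days > TEMP_ACCOUNT_MAX_DAYS:
        findings.append("AC-2(2): temporary account open longer than 90 days")
    if acct["kind"] == "user" and acct["enabled"] \
            and (today - acct["last_login"]).days > USER_INACTIVITY_MAX_DAYS:
        findings.append("AC-2(3): user account inactive for more than 90 days but still enabled")
    if (today - acct["last_review"]).days > REVIEW_INTERVAL_DAYS:
        findings.append("AC-2j: account not reviewed within the last year")
    return findings


def audit(accounts, today):
    """Map each account name to its findings; empty list means compliant."""
    return {a["name"]: check_account(a, today) for a in accounts}


def audit_sample():
    return audit(ACCOUNTS, SAMPLE_DATE)


if __name__ == "__main__":
    for name, findings in audit_sample().items():
        print(name, findings or "compliant")
```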