Assessment and Authorization for Cloud Computing
Dr. Sarbari Gupta
sarbari@electrosoft-inc.com
703-437-9451 ext 12
Third Workshop on Cyber Security & Global Affairs
May 31 – June 2, 2011
Overview
- US mandates and programs affecting cloud computing
- Government-wide risk and authorization of cloud computing
- Challenges faced with cloud computing assessment and authorization
Page 2
US Mandates and Programs
- FISMA: Federal Information Security Management Act of 2002
  - Defines a compliance framework for securing government systems
  - NIST is responsible for the supporting standards and guidelines
- FedRAMP: Federal Risk and Authorization Management Program
  - Designed to solve the security authorization problems highlighted by cloud computing
  - "Authorize once, use many"
Page 3
Challenges with FISMA
- Measures security planning rather than actual information security
- Interpretation of FISMA requirements and NIST guidelines varies greatly from agency to agency
- A system authorized by one agency is not accepted as authorized by another
- Continuous monitoring is inadequate
Page 4
GSA IaaS Cloud Computing Environment
- Cloud Storage Services
  - Storage for files, data and data objects
  - Well-defined storage and bandwidth tiers
- Virtual Machines
  - Compute resources: CPU, RAM, disk space, data transfer bandwidth
  - Operating system
  - Persistence
- Cloud Web Hosting
  - CPU, OS, software
Page 5
GSA IaaS – Separation of Duties
Page 6
FISMA / FedRAMP Details
Page 7
FISMA / FedRAMP Details
Page 8
Control Tailoring Workbook

Columns of the workbook:
  CNTL No. | Control Name | Organization Defined Settings (for controls where 800-53 R3 requires an organization-defined setting) | GSA Defined Settings (for the same controls) | Contractor Implemented Settings (enter the contractor implemented setting only where it differs from the GSA Defined Setting in column D and the GSA Defined Setting allows a contractor-determined setting)

AC-1  Access Control Policy and Procedures
  Organization defined: Control AC-1: [Assignment: organization-defined frequency]
  GSA defined: Control AC-1: Biennial
  Contractor implemented: (fill out only if the system setting differs from the GSA defined setting)

AC-2  Account Management
  Organization defined:
    Control AC-2 j: [Assignment: organization-defined frequency]
    Enhancement (2): [Assignment: organization-defined time period for each type of account]
    Enhancement (3): [Assignment: organization-defined time period]
  GSA defined:
    Control AC-2 j: Annually
    Enhancement (2): No more than 90 days
    Enhancement (3): 90 days for user-level accounts; as per contractor system determination for non-user-level accounts (device, token, smart cards, etc.)
  Contractor implemented: (fill out only if the system setting differs from the GSA defined setting)

AC-3  Access Enforcement (no tailored setting listed)
AC-4  Information Flow (no tailored setting listed)
AC-5  Separation of Duties (no tailored setting listed)

AC-6  Least Privilege
  Organization defined:
    Enhancement (1): [Assignment: organization-defined list of security functions (deployed in hardware, software, and firmware) and security-relevant information]
    Enhancement (2): [Assignment: organization-defined list of security functions or security-relevant information]
  GSA defined:
    Enhancement (1): As per contractor system determination
    Enhancement (2): All security functions (examples of security functions include but are not limited to: establishing system accounts, configuring access authorizations (i.e.,
  Contractor implemented: (fill out only if the system setting differs from the GSA defined setting)
Page 9
FISMA / FedRAMP Details
Page 10
FISMA / FedRAMP Details
Page 11
FedRAMP Challenges
- Continuous monitoring is not adequate
  - SLAs are not validated in real time
  - Manual processes are prone to error
  - Security control testing may be done too far apart
- Security management is not adequate
  - Data collection for analysis is inadequate
  - Corrective action is hard to negotiate
- You can outsource responsibility, but not accountability
Page 12
End-user Visibility is Key
Page 13
A&A Process for Cloud Computing
Questions?
sarbari@electrosoft-inc.com
Page 14