Secure Cloud Solutions
Open Government Forum, Abu Dhabi, 28-30 April 2014
Karl Chambers CISSP PMP
President/CEO
Diligent eSecurity International

The e-Government Challenge
Securely delivering high-quality digital government information and services utilizing cloud IT solutions:
• Anywhere
• Anytime
• On any device

Three Key Principles to a Secure Cloud Solution
• Design and Build it Securely
• Operate it Securely
• Always Encrypted Data

Design and Build it Securely Using
• Cloud Risk Management Framework (CRMF)
• Federal Risk and Authorization Management Program (FedRAMP)

Cloud Risk Management Framework (CRMF)
Step 1: Categorize the Cloud Solution
Step 2: Identify Security Controls to Protect the Cloud Solution
Step 3: Implement the Selected Security Controls in the Cloud Security Architecture
Step 4: Assess the Security Controls of the Cloud Solution using the FedRAMP process
Step 5: Authorize the use of the Cloud Solution
Step 6: Monitor the Cloud Solution Continually

Operate it Securely Using Automated Continuous Security Monitoring
• Automated Continuous Security Monitoring is a risk management approach to cybersecurity that:
  • Maintains a picture of an organization’s security posture
  • Provides continuous visibility into information assets
  • Leverages use of automated data feeds and data analytics
  • Monitors effectiveness of security controls
  • Enables prioritization of remedies

Automated Continuous Security Monitoring (ACSM) Case Study – US Department of State
• ACSM Tool: Analytics and Continuous monitoring Engine (ACE) solution from Virtustream
• ACE receives and analyzes continuous inputs from:
  • Asset Management
  • Vulnerability Scanners
  • Patch Management
  • Event Management
  • Incident Management
  • Malware Detection
  • Configuration Management
  • Network Management
  • License Management
  • Information Management
  • Software Management
• ACE provides continuous risk updates to management dashboard.

Always Encrypted Data
• In transit between systems and locations
• Stored in the cloud

Questions

Karl Chambers PMP CISSP
President/CEO
Diligent eSecurity International, Inc.
1954 Airport Road, Suite 233
Atlanta, GA 30341
Karl.chambers@desintl.com
01-678-591-7764