Presentation transcript:

 December 2010: US Chief Information Officer Vivek Kundra released the Federal Cloud Computing Strategy. This became what is known as “Cloud First” and called for agencies to evaluate cloud-based solutions before making any new investments.
 2012: the first 20 cloud migration plans were submitted to the Government Accountability Office for approval.
 June 4, 2012: FedRAMP is launched.
 July 2012: the DoD Cloud Computing Strategy is released.

 Fear!
 Lack of understanding of the rules.
 FedRAMP
 DoD IL 2? 4? 5?
 Choosing what is right.
 IaaS
 PaaS
 SaaS
 FedRAMP?

U.S. Government Cloud First Initiative and FedRAMP

 SaaS - Software as a Service: the provider manages the full stack up to the application layer and user experience …
 PaaS - Platform as a Service: OS or DB as a Service; aids to logging, monitoring, backup, authentication …
 IaaS - Infrastructure as a Service: physical servers, virtual machines, storage systems, network hardware …

To be FedRAMP compliant, a deployment must have at least 325 controls in place. Using a FedRAMP-authorized Cloud Service Provider (CSP), an agency can have many of these controls taken care of by the provider; the rest remain the agency’s responsibility.

When an agency deploys an application in the cloud, it still needs to satisfy all 325 controls. A FedRAMP IaaS CSP fully takes care of 74 of them (23%); the agency still has to put in place the remaining 251 controls. PaaS can cover up to 40%, depending on where the platform boundary is drawn.

CONTROLS AN AGENCY MUST DO WITH IAAS
Above the IaaS level, an agency must do these (251 controls):
 Virus scanning
 Intrusion detection
 Log correlation, alerting & review
 Vulnerability scanning
 Risk categorization & POA&M management
 CIS & FIPS compliance scanning
 Configuration management
 Maintain audit trail
 Implement & test backup & recovery
 Implement & test Contingency Plan
 Implement & test Incident Response
 Implement & maintain executable “white lists”
 Configure application with access banner
 Change passwords every 60 days
 Disable inactive accounts after 90 days
 Alert when atypical
 Audit execution of privileged functions
 Lock sessions after 15 minutes of inactivity
 Impleme
 Update audited events with threat level
 Review audit logs at lea
 Annual security assessment
 Annual penetration testing
 Manage Interconnect
 Maintain baselines for applications
 Retain copies of past baselines
 Analyze patches for security before
 Script to regenerate servers after disaster
 Script to restore access controls after disaster
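Three of the agency-side items above (“Audit execution of privileged functions”, “Log correlation, alerting & review” and “Alert when atypical”) are the kind of thing an agency has to build itself on top of IaaS, because the provider never sees what happens inside the tenant’s VMs. The following is an added example, not part of the original presentation or of FedRAMP, that reviews Linux sudo log lines: every privileged execution is recorded, and an alert is raised only when it is atypical. The sample log lines are constructed, and the set of authorized administrators, the business-hours window and the sensitive-command pattern are assumptions a real deployment would replace with its own.

```python
import re

# Assumed policy for the tenant (not from the presentation):
ADMINS = {"alice", "carol"}          # users authorized to run privileged functions
BUSINESS_HOURS = range(7, 19)        # 07:00-18:59 counts as typical
SENSITIVE = re.compile(r"(/etc/shadow|/etc/sudoers|\buseradd\b|\busermod\b|\bvisudo\b)")

# Standard sudo syslog format: "<ts> <host> sudo: <user> : TTY=... ; PWD=... ; USER=<target> ; COMMAND=<cmd>"
SUDO_LINE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sudo:\s+(?P<user>\S+) : (?P<rest>.*)$")
CMD = re.compile(r"USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$")

# Constructed sample log (not real data).
SAMPLE_SUDO_LOG = [
    "Mar 10 02:14:07 web01 sudo:    bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/cat /etc/shadow",
    "Mar 10 09:30:12 web01 sudo:  alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/systemctl restart nginx",
    "Mar 10 10:02:45 web01 sudo:  alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/apt-get update",
    "Mar 10 23:55:01 db01 sudo:   carol : TTY=pts/2 ; PWD=/tmp ; USER=root ; COMMAND=/usr/sbin/useradd -m backdoor",
    "Mar 10 11:17:33 db01 sudo:     bob : user NOT in sudoers ; TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/bash",
]


def parse_sudo_line(line):
    """Return a dict for one sudo log line, or None if the line is not a sudo record."""
    m = SUDO_LINE.match(line)
    if not m:
        return None
    rec = {
        "ts": m["ts"],
        "host": m["host"],
        "user": m["user"],
        # sudo logs refused attempts with this phrase; they are still audit events
        "denied": "NOT in sudoers" in m["rest"],
    }
    c = CMD.search(m["rest"])
    rec["target"] = c["target"] if c else None
    rec["cmd"] = c["cmd"] if c else None
    return rec


def review_privileged_events(lines, admins=ADMINS):
    """Audit every privileged execution and attach alerts for the atypical ones.

    Returns one record per parsed sudo line; rec["alerts"] is empty for a
    typical event (authorized user, business hours, non-sensitive command).
    """
    events = []
    for line in lines:
        rec = parse_sudo_line(line)
        if rec is None:
            continue
        hour = int(rec["ts"].split()[2][:2])   # "Mar 10 02:14:07" -> 2
        alerts = []
        if rec["denied"]:
            alerts.append("sudo_denied")          # someone probing for privilege
        else:
            if rec["user"] not in admins:
                alerts.append("unauthorized_sudo")  # privilege outside the admin set
            if hour not in BUSINESS_HOURS:
                alerts.append("off_hours")          # atypical time of execution
            if rec["cmd"] and SENSITIVE.search(rec["cmd"]):
                alerts.append("sensitive_command")  # touches credentials or sudo policy
        rec["alerts"] = alerts
        events.append(rec)
    return events


if __name__ == "__main__":
    for e in review_privileged_events(SAMPLE_SUDO_LOG):
        flag = ", ".join(e["alerts"]) or "ok"
        print(f'{e["ts"]} {e["host"]} {e["user"]} -> {e["target"]}: {e["cmd"]}  [{flag}]')
```

The split between “record everything” and “alert on the atypical” is deliberate: the audit trail control wants the full record retained for review, while alerting on every sudo call would bury the two events here that matter (an unauthorized user reading /etc/shadow at 02:14, and an administrator creating an account near midnight). Thresholds such as the business-hours window should be tuned per system and per role rather than copied from this example.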

When an agency deploys an application in the cloud, it still needs to satisfy all 325 controls. A FedRAMP SaaS CSP fully takes care of 306 of them (94%). The remaining 19 have to do with the agency implementing FISMA-compliant PIV or CAC cards and authorizing its own users.

 All clouds are not created equal.
 Choose what makes the most sense for your situation.
 Don’t be afraid. Your data is safe.
 Know the players.