Developing a Baseline On Cloud Security Jim Reavis, Executive Director Cloud Security Alliance November 22, 2010

Purpose & Agenda Purpose Defining Cloud Reference Model Architecture Provide information about the current state of industry understanding and activities related to securing cloud computing, as a foundation for today’s collaboration Defining Cloud Reference Model Architecture FedRAMP Cloud Guidance Relating to Tracks 11/21/2018 11:02 PM 2

What is Cloud Computing? Compute as a utility: third major era of computing Mainframe PC Client/Server Cloud computing: On demand model for allocation and consumption of computing Cloud enabled by Moore’s Law: Costs of compute & storage approaching zero Hyperconnectivity: Robust bandwidth from dotcom investments Service Oriented Architecture (SOA) Scale: Major providers create massive IT capabilities 3

Broad Private/Public View Ecosystem Definitions/Onotology/Taxonomy Architecture Compliance Threat research & modeling Domains of Concern 4

NIST: Defining Cloud Characteristics Delivery Models Deployment Modes On demand provisioning Elasticity Multi-tenancy Measured service Delivery Models Infrastructure as a Service (IaaS): basic O/S & storage Platform as a Service (PaaS): IaaS + rapid dev Software as a Service (SaaS): complete application The NIST diagram provides a good visualization of what it is, what types of services are delivered and how it is deployed. Deployment Modes Public Private Hybrid Community 5

CSA Cloud Reference Model From CSA Architectural WG 10 Layer reference model view of Cloud Computing Encourages cumulative view of SaaS/PaaS/IaaS delivery The security approach and role varies depending on the delivery model 6

Infrastructure as a Service S-P-I context You “RFP” security in SaaS Software as a Service You build security in PaaS Platform as a Service IaaS Infrastructure as a Service The security approach and role varies depending on the delivery model 7

Architectural Depictions From Open Security Architecture Actor-centric view of cloud architecture The security approach and role varies depending on the delivery model 8

Architectural Depictions The security approach and role varies depending on the delivery model Service-centric architectural model from CSA 9

Federal Risk & Authorization Management Program (FedRAMP) A government-wide initiative to provide joint authorization services FedRAMP PMO in GSA Unified government-wide risk management Agencies would leverage FedRAMP authorizations (when applicable) Agencies retain their responsibility and authority to ensure use of systems that meet their security needs FedRAMP would provide an optional service to agencies

Federal Risk & Authorization Management Program (FedRAMP) Duplicative risk management efforts Incompatible requirements Potential for inconsistent application and interpretation of Federal security requirements Agency A&A Vendor BEFORE FedRAMP Unified Risk management and associated cost savings Inter-Agency vetted and compatible requirements using a shared cloud service Effective and consistent assessment of cloud services AFTER

FedRAMP Authorization Request Process There are 3 ways a Cloud Service can be proposed for FedRAMP Authorization: Cloud BPA Government Cloud Systems Agency Sponsorship 1 2 3 Primary Agency Sponsorship Cloud Services through FCCI BPAs Services must be intended for use by multiple agencies Primary Agency Contract Secondary Agency Sponsorship 12

CSA Guidance Research 13 Domains of concern in 3 main groupings Architecture Governance Operations Governance and Enterprise Risk Management Legal and Electronic Discovery Compliance and Audit Information Lifecycle Management Portability and Interoperability Security, Bus. Cont,, and Disaster Recovery Data Center Operations Incident Response, Notification, Remediation Application Security Encryption and Key Management Identity and Access Management Virtualization Cloud Architecture Operating in the Cloud Governing the Cloud 13

Track 1 - Cloud Security Policy and Guidance Consensus issues identified from industry research Auditing capabilities Rogue insiders 3rd party management Transparency Data governance: leakage, persistence, destruction, commingling Understand risk profile & align key risk indicators Translating legacy controls Lock-in 14

Track 2 - Cloud Security Architecture and Technology Consensus issues identified from industry research Lack of purpose-built multi-tenant technology Federating hybrid clouds Duplicating granular defense in depth Hardware exploits: CPU, DMA, Bus, I/O Hardening virtualization Segregation of encryption and key mgt Developing layers of abstractions, SOA principles Vulnerability scanning Software development lifecycle impact Threat modeling 15

Track 3 – Secure Cloud Operations Consensus issues identified from industry research Forensics Patch management Malware Logging Monitoring & visibility Account, service, traffic hijacking Suboptimal resource sharing & time slicing Compartmentalization of operational activities 16

Thank You! Questions? 17