December 2010: US Chief Information Officer Vivek Kundra released the Federal Cloud Computing Strategy. This came to be known as “Cloud First”


2
• December 2010: US Chief Information Officer Vivek Kundra released the Federal Cloud Computing Strategy. This came to be known as “Cloud First” and called for agencies to evaluate cloud-based solutions before making any new investments.
• 2012: The first 20 cloud migration plans were submitted to the Government Accountability Office for approval.
• June 4, 2012: FedRAMP is launched.
• July 2012: DoD Cloud Computing Strategy is released.

3
• Fear!!!!!!!!
• Lack of Understanding of the Rules.
  • FedRAMP
  • DoD IL 2? 4? 5?
• Choosing What is Right.
  • IaaS
  • PaaS
  • SaaS
  • FedRAMP?

4 U.S. Government Cloud First Initiative and FedRAMP (diagram labels: IaaS, PaaS, SaaS)

5 IaaS, PaaS, SaaS
• SaaS - Software as a Service: Management of the full stack up to the application layer and user experience …
• PaaS - Platform as a Service: OS or DB as a Service, aids to logging, monitoring, backup, authentication …
• IaaS - Infrastructure as a Service: Physical servers, virtual machines, storage systems, network hardware …

6 To ensure a deployment is FedRAMP compliant, an agency must have in place at least 325 total controls. Using a FedRAMP Cloud Services Provider (CSP), an agency can have many of these controls taken care of.

7 When an agency deploys an application in the cloud, they still need to satisfy all 325 total controls. Using a FedRAMP IaaS CSP fully takes care of 74 (23%) of them.
• IaaS covers 23%.
• The agency still has to put in place at least 251 controls.
• PaaS can cover up to 40%, depending on the definition.

8 CONTROLS AN AGENCY MUST DO WITH IAAS
Above the IaaS level, an Agency must do these (251 controls):
• Virus scanning
• Intrusion detection
• Log correlation, alerting & review
• Vulnerability scanning
• Risk categorization & POA&M management
• CIS & FIPS compliance scanning
• Configuration management
• Maintain audit trail
• Implement & Test backup & recovery
• Implement & Test Contingency Plan
• Implement & Test Incident Response
• Implement & maintain executable “white lists”
• Configure application with access banner
• Change passwords every 60 days
• Disable inactive accounts after 90 days
• Alert when atypical
• Audit execution of privileged functions
• Lock sessions after 15 minutes of inactivity
• Impleme
• Update audited events with threat level
• Review audit logs at lea
• Annual security assessment
• Annual penetration testing
• Manage Interconnect
• Maintain baselines for applications
• Retain copies of past baselines
• Analyze patches for security before
• Script to regenerate servers after disaster
• Script to restore access controls after disaster

9 When an agency deploys an application in the cloud, they still need to satisfy all 325 total controls. Using a FedRAMP SaaS CSP fully takes care of 306 (94%).
• SaaS covers 94%.
• The remainder have to do with an agency implementing FISMA compliant PIV or CAC cards and authorizing its own users.

10
• All Clouds are not created equal.
• Choose what makes the most sense for your situation.
• Don’t be afraid. Your data is safe.
• Know the players.
• www.fedramp.gov

