
1 ISA 201 Intermediate Information Systems Acquisition

2 Lesson 21 DoD Cloud Computing

3 Today we will learn to:
- Identify the basic terms of Cloud Computing
- Recognize some DoD concerns of using Cloud services
- Summarize some Program concerns when purchasing cloud services from a vendor
- Identify the advancements in technology that enabled the rise of cloud computing
- Recognize the five essential characteristics of a cloud service
- Identify the three Cloud Service Models defined by NIST
- Recognize characteristics of Infrastructure as a Service (IaaS), Platform as a Service (PaaS), and Software as a Service (SaaS)
- Recognize public, private, community and hybrid cloud deployment models (NIST)
- Recognize the steps for obtaining Cloud services
- Describe the problems with legacy software applications and Cloud

4 In-Class Quiz
Team 1: True or False: According to the DoD Chief Information Officer (CIO), DoD components are required to use the Defense Information Systems Agency (DISA) to acquire cloud services.
Team 2: The _____________ provided cloud services must be considered as part of the Enterprise IT Business Case Analysis (BCA) performed by the Component for cloud services.
Team 3: The __________________________ is intended to give cloud providers a stable security requirement, and to help DoD cloud customers move more rapidly and securely into the cloud.
Team 4: Which of the following is NOT a benefit of Cloud Computing per the DoD Cloud Computing Strategy? (a) De-coupled from private sector innovation; (b) Enables improved asset utilization; (c) Allows for near-instantaneous increases and reductions in capacity; (d) Shifts focus from asset ownership to service management
Team 5: According to the DoD Cloud Computing Strategy, what are the three areas DoD can benefit from by moving to cloud computing?
DoD Cloud Computing

5 Lesson Plan
- Cloud Laws, Policies, Guidance and Standards
- Cloud Basics and Benefits
- Cloud Computing Definition
- Concerns with using Cloud
- Using the Cloud (Assessment & Authorization)
- Exercise
- Homework

6 Trademark Information
Names, products, and services referenced within this lesson may be the trade names, trademarks, or service marks of their respective owners. References to commercial vendors and their products or services are provided strictly as a convenience to our students, and do not constitute or imply endorsement by DoD or DAU.

7 Cloud Computing Definition

8 Official DoD Definition of Cloud Computing
Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. (NIST Special Publication)

9 The Composition of the Cloud
The “Cloud” is composed of five essential characteristics, three service models, and four deployment models. (NIST Special Publication)

10 5 Essential Cloud Characteristics
According to the NIST Special Publication, the Cloud model is composed of five essential characteristics:
- On-demand self-service
- Broad network access
- Resource pooling (the consumer generally has no control or knowledge of the exact location of the provided resources; this location independence is part of resource pooling, not a separate characteristic)
- Rapid elasticity
- Measured service

11 The 3 Cloud Service Models
- Infrastructure as a Service (IaaS): compute, storage, and networking capability
- Platform as a Service (PaaS): deploy customer-created applications to a cloud
- Software as a Service (SaaS): use the provider’s applications over a network
To be considered “cloud”, the Cloud Service Models must be deployed on top of cloud infrastructure that has the five essential characteristics.

12 Infrastructure as a Service (IaaS)
The capability provided to the consumer is to provision processing, storage, networks, and other fundamental computing resources where the consumer is able to deploy and run arbitrary software, which can include operating systems and applications. The consumer does not manage or control the underlying cloud infrastructure but has control over operating systems, storage, and deployed applications; and possibly limited control of select networking components (e.g., host firewalls).

13 Platform as a Service (PaaS)
The capability provided to the consumer is to deploy onto the cloud infrastructure consumer-created or acquired applications created using programming languages, libraries, services, and tools supported by the provider. The consumer does not manage or control the underlying cloud infrastructure, including network, servers, operating systems, or storage, but has control over the deployed applications and possibly configuration settings for the application-hosting environment.

14 Software as a Service (SaaS)
The capability provided to the consumer is to use the provider’s applications running on a cloud infrastructure. The applications are accessible from various client devices through either a thin client interface, such as a web browser (e.g., web-based email), or a program interface. The consumer does not manage or control the underlying cloud infrastructure, including network, servers, operating systems, storage, or even individual application capabilities, with the possible exception of limited user-specific application configuration settings.

15 Management Responsibilities with the 3 Cloud Service Models
Cloud services offer a way for the DoD to lower costs, improve performance, increase utilization and security, and take advantage of commercial innovation.

16 Pizza as a Service

17 The 4 Cloud Deployment Models
Cloud services can be deployed in different ways depending on the customer’s specific needs, such as security, privacy, and cost:
- Public cloud
- Private cloud
- Community cloud
- Hybrid cloud
(NIST Special Publication)

18 Public Cloud Deployment Model
Public cloud infrastructures operate in a multi-tenant environment whose resources are allocated for the general public. Public clouds tend to be large and provide economies of scale for their customers. Security and privacy concerns are heightened because any individual or organization can potentially access the same cloud infrastructure. Only DoD information that has been approved for public release should be placed on a public-facing website.

19 Private Cloud Deployment Model
Private cloud infrastructures are operated only for an individual organization (single tenant). The organization can leverage the scalability and performance aspects of cloud computing, but the infrastructure is isolated from that of other organizations, improving security and privacy. Because of their specialized nature, private clouds could potentially be as costly as dedicated data centers. For example, the DoD has a private cloud, milCloud, which is operated by DISA.

20 Community Cloud Deployment Model
Community cloud infrastructures are provisioned for a specific community of interest with shared concerns, such as a government-only cloud. The community cloud infrastructure is provisioned for exclusive use by a specific community of consumers from organizations that have shared concerns (e.g., mission, security requirements, policy, and compliance considerations). Community clouds may be owned, managed, and operated by one or more of the organizations in the community, a third party, or some combination of them, and they may exist on or off premises. Amazon GovCloud is an example of a community cloud that is available to Federal, State and Local Governments.

21 Hybrid Cloud Deployment Model
Hybrid cloud infrastructures are combinations of any two or more of the other cloud deployment models. This model will be the most prevalent model for the DoD, given its strategy to aggressively pursue the competitive acquisition and use of commercial cloud service offerings and its understanding that “one cloud” will not meet all the unique requirements of the DoD. One example of a hybrid cloud is its use across the Development – Test – Production software lifecycle, where each stage may run in a different deployment model.

22 Concerns with using Cloud

23 DoD’s Concerns of Using Cloud Services
- Data security: location of DoD data; comingling of DoD data with other customers’ data; physical security of the data center; the “noisy neighbor” problem
- Latency: network congestion/bandwidth availability; remote cloud data centers
- Unanticipated costs: network upgrades to maintain performance (increased bandwidth demands); strict security requirements (e.g., private vs. public)
- Cybersecurity: protecting the Defense Information Systems Network (DISN); the DISN is critical infrastructure for the DoD mission

24 DISN, DoDIN; what’s the diff?
Joint Publication 1-02 states:
- Defense Information Systems Network (DISN): the integrated network, centrally managed and configured by DISA to provide dedicated point-to-point, switched voice and data, imagery, and video teleconferencing services for all Department of Defense activities.
- Department of Defense Information Network (DoDIN): the set of information capabilities, and associated processes for collecting, processing, storing, disseminating, and managing information on-demand to warfighters, policy makers, and support personnel, whether interconnected or stand-alone, including owned and leased communications and computing systems and services, software (including applications), data, security services, other associated services, and national security systems.
The DISN is the set of protected networks, which include NIPRNet, SIPRNet, and other DISN-based mission partner/Community of Interest networks.

25 Cybersecurity is a Concern when using Cloud Services
With respect to Cloud Computing, “Mission” refers to the information systems and functions for which a DoD entity acquires or uses a Cloud Service. The Mission Owner must consider Risk to Data (referred to as the Information Impact Level) and Risk to the DISN:
- Risk to Data: loss of Confidentiality, Integrity and Availability (CIA) of the data
- Risk to DISN: loss of CIA of data on the DISN; loss of availability of the DISN

26 Using the Cloud (Assessment & Authorization)

27 Cloud Service Providers and Offerings
Types of cloud services: Commercial; DoD; Non-DoD (e.g., Federal, DHS)
- Cloud Service Provider (CSP): a company or organization that offers some component of cloud computing (i.e., IaaS, PaaS, or SaaS) to other businesses, organizations or individuals.
- Cloud Service Offering (CSO): the deployed cloud computing service(s) (i.e., IaaS, PaaS, or SaaS).

28 Using the Cloud
The DoD Chief Information Officer’s memo from December 2014 identified 5 activities when acquiring cloud services:
1. Perform an IT business case analysis
2. Apply the DoD Cloud Computing Security Requirements Guide
3. Use commercial cloud services that have a DoD Provisional Authorization and obtain a Component Authority to Operate
4. Use an approved DoD Boundary Cloud Access Point (BCAP) and Cyber Security Service Provider (CSSP) to protect sensitive data
5. Apply the Defense Federal Acquisition Regulation Supplement Interim Rule to commercial cloud contracts

29 Activity 1 - Performing the IT Business Case Analysis (BCA)
Keep in mind that a BCA is not a requirements validation process. The purposes of the BCA are as follows:
- Ensure a consistent approach in IT investment analysis
- Facilitate comparison of alternatives
- Clearly define expected costs, benefits, operational impacts, and risk
The major components of a BCA are:
- Cost and economic viability
- Requirement satisfaction/completeness
- Operational benefit (qualitative)
- Risk assessment
- Conclusions and recommendations (balance cost effectiveness with operational benefit)
- Funding type and sources

30 Activity 1 - Performing the IT BCA
- Each use of cloud services must complete an Enterprise IT Business Case Analysis (BCA)
- The BCA must be approved by the Component CIO, or designee, with a copy submitted to the DoD CIO
- Follow Component direction on completing the BCA
- DISA-provided services must be considered as an alternative in the BCA

31 Activity 2 - Apply the DoD Cloud Computing SRG
All DoD data is important, but not all data needs to be equally protected. Information Impact Levels (IILs) consider the potential impact should the confidentiality and integrity of the information be compromised.

32 Federal Risk and Authorization Management Program (FedRAMP)
For cloud products and services used by the Federal Government, FedRAMP is a program that provides a standardized approach to:
- Security assessment
- Authorization
- Continuous monitoring
OMB policy requires Federal departments and agencies to use FedRAMP-approved Cloud Service Providers (CSPs) and to share Agency ATOs with the FedRAMP Secure Repository: “Do Once, Use Many Times”.

33 FedRAMP+ and DoD Provisional Authorization
FedRAMP+ is the concept used to meet and assure DoD’s critical mission requirements. It leverages the FedRAMP assessment and adds DoD-specific security controls and requirements. A DoD Provisional Authorization (PA) is an acceptance of risk based on an evaluation of the CSP’s Cloud Service Offering (CSO) and the potential risk it introduces to the DISN. DoD PAs are granted by DISA for a specific CSO, not for the CSP as a whole. If a CSP’s CSO (e.g., SaaS) is built on another CSP’s CSO (e.g., IaaS), then the DoD PA for the former includes inherited compliance from the latter.

34 Activity 3 – Use Commercial CSPs with DoD PAs and Obtain an Authority to Operate
- Each CSO must be granted a DoD PA in order to host DoD mission systems
- CSOs possessing a DoD PA are listed in the DoD Cloud Service Catalog
- The responsible Authorizing Official (AO) leverages the DoD PA information, supplemented with an assessment of the risks within the Mission Owner’s responsibility, in granting an Authorization to Operate (ATO)
- Authorizing Officials use the Risk Management Framework to issue an ATO

35 Activity 4 – Use a DoD BCAP and CSSP (1 of 2)
A DoD Boundary Cloud Access Point (BCAP) is a system of network boundary protection and monitoring devices, otherwise known as an Information Assurance stack, through which CSP infrastructure and networks connect to the DISN. For Controlled Unclassified Information (IIL 4 & 5), a BCAP is required between the DISN and the CSO. The BCAP is used to protect the DISN, and the systems, information and users residing on the DISN, from attacks that may be launched from within a compromised CSO, and to facilitate protected connections between users on a DoD network and systems/applications on the CSO.

36 Activity 4 – Use a DoD BCAP and CSSP (2 of 2)
DoD BCAPs will provide the following generalized functions:
- Intrusion Detection/Intrusion Prevention
- Data Loss Prevention
- Full Packet Capture
- Network Routing/Switching
- Network Access Control to CSPs
- Next Generation Firewall
- Application Firewall
The Cyber Security Service Provider (CSSP) provides cyber security services and Command and Control direction addressing the protection of the network, detection of threats and response to incidents. DoD PMs must ensure that CSSP processes are in place and functional prior to any transition to or use of a CSO.

37 Activity 5 – Apply the DFARS Interim Rule for Cloud Services
DoD issued an interim rule amending the DFARS to implement sections of the FY13 and FY15 National Defense Authorization Acts. The rule:
- Requires contractor reporting on network penetrations
- Implements DoD policy on the purchase of cloud computing services (DFARS Subpart, Cloud Computing Policy and Responsibilities)
- Requires storage of data within the US or outlying areas
- Adds a solicitation provision and contract clauses ( )

38 Required Storage of Data within the US
The contractor shall maintain within the United States or outlying areas all government data that is not physically located on DoD premises, unless the contractor receives written notification from the contracting officer to use another location. The contractor shall provide the government with a list of the physical locations which may contain government data within 20 days. Updates are required on a quarterly basis.

39 Storing Data in Non-US Locations
The U.S. government restricts the transfer of sensitive or classified data (such as sensitive technology information and information that could potentially affect operational security) to locations outside of the control of U.S. companies or the U.S. government. There are specific rules for the locations of data processing centers based on the IIL of the data:
- IIL 2 and 4 must be hosted at locations in the U.S., U.S. territories, or on DoD premises per the Status of Forces Agreement (SOFA), unless another location is authorized by the AO
- IIL 5 must be hosted at locations in the U.S., U.S. territories, or on DoD premises per the SOFA (no AO exception)
- IIL 6 must be hosted at locations authorized for classified processing

40 Additional Considerations for Using the Cloud
The DoD Program Manager needs to understand and perform additional activities when acquiring cloud services:
- Consider key skills needed for a successful deployment
- Protect DoD equities in cloud contracts and Service Level Agreements
- Complete Cloud Service Offering funding reporting responsibilities (e.g., SNaP-IT, Budget 300 Exhibits 53A/C)
- Plan for close-out and transition

41 Program concerns when purchasing commercial cloud services
- Cloud Service Provider maturity
- Deployment model considerations: physical/virtual separation requirements, the “noisy neighbor” problem
- Encryption (at rest and in transit)
- CSP personnel requirements
- Physical access
- Legacy software interoperability

42 Problems with legacy software applications and the cloud
- Legacy software applications were not designed to be virtualized
- Redesigning legacy software applications to use cloud services can be cost prohibitive
- Legacy software applications that are tightly integrated with a computer’s operating system are extremely difficult to migrate to the cloud
- Software that is encapsulated from the operating system has a better chance of migrating to the cloud; encapsulation means there is no direct dependency on any one operating system

43 Exercise

44 Today we learned to:
- Identify the basic terms of Cloud Computing
- Recognize some DoD concerns of using Cloud services
- Summarize some Program concerns when purchasing cloud services from a vendor
- Identify the advancements in technology that enabled the rise of cloud computing
- Recognize the five essential characteristics of a cloud service
- Identify the three Cloud Service Models defined by NIST
- Recognize characteristics of Infrastructure as a Service (IaaS), Platform as a Service (PaaS), and Software as a Service (SaaS)
- Recognize public, private, community and hybrid cloud deployment models (NIST)
- Recognize the steps for obtaining Cloud services
- Describe the problems with legacy software applications and Cloud

