
Certified Authorization Professional Donald E. Hester


1 Certified Authorization Professional Donald E. Hester
Understanding FISMA & (ISC)2 CAP
Certified Authorization Professional
Donald E. Hester, CISSP, CISA, CAP, CRISC, MCT, MCITP, MCTS, MCSE Security, Security+, CTT+

2 Beyond The Six Steps in the RMF
Categorize, Select, Implement, Assess, Authorize, Monitor

3 Federal Cloud Computing Strategy “Cloud First policy”
Image: NASA
Source: Federal Cloud Computing Strategy, Vivek Kundra, US CIO, 8 FEB 2011

4 What is Cloud Computing?
The “Cloud”:
Buzz word
Overused cliché
Ill defined
Many different definitions
Marketing term
All hype
The “unknown path”
Service provider
“____-as-a-service”
Nebulous
Image: NASA

5 Definition
“…[a] model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g. networks, servers, storage, applications, services) that can be provisioned and released with minimal management effort or service provider interactions.” NIST & Cloud Security Alliance
A utility model of technology delivery.
Photo by Donald E. Hester, all rights reserved. NIST SP

6 Definition
According to NIST, the cloud model is composed of five essential characteristics, three service models, and four deployment models.
Photo by Donald E. Hester, all rights reserved. NIST SP

7 Essential Characteristics
On-demand self-service: customer driven utility
Broad network access: using standard networking
Resource pooling: economies of scale
Rapid elasticity: dynamic provisioning and releasing
Measured service: the ability to measure usage

Essential Characteristics:
On-demand self-service. A consumer can unilaterally provision computing capabilities, such as server time and network storage, as needed automatically without requiring human interaction with each service provider.
Broad network access. Capabilities are available over the network and accessed through standard mechanisms that promote use by heterogeneous thin or thick client platforms (e.g., mobile phones, tablets, laptops, and workstations).
Resource pooling. The provider’s computing resources are pooled to serve multiple consumers using a multi-tenant model, with different physical and virtual resources dynamically assigned and reassigned according to consumer demand. There is a sense of location independence in that the customer generally has no control or knowledge over the exact location of the provided resources but may be able to specify location at a higher level of abstraction (e.g., country, state, or datacenter). Examples of resources include storage, processing, memory, and network bandwidth.
Rapid elasticity. Capabilities can be elastically provisioned and released, in some cases automatically, to scale rapidly outward and inward commensurate with demand. To the consumer, the capabilities available for provisioning often appear to be unlimited and can be appropriated in any quantity at any time.
Measured service. Cloud systems automatically control and optimize resource use by leveraging a metering capability at some level of abstraction appropriate to the type of service (e.g., storage, processing, bandwidth, and active user accounts). Resource usage can be monitored, controlled, and reported, providing transparency for both the provider and consumer of the utilized service.
NIST SP

8 “____-as-a-service” (Service Models)
Software-as-a-Service (SaaS)**
Platform-as-a-Service (PaaS)**
Infrastructure-as-a-Service (IaaS)**
Communication-as-a-Service (CaaS)
Monitoring-as-a-Service (MaaS)
Security-as-a-Service (SECaaS)
Everything-as-a-Service (EaaS)
Anything-as-a-Service (XaaS)
** Defined by NIST
Image: Microsoft Clip Art

Service Models:
Software as a Service (SaaS). The capability provided to the consumer is to use the provider’s applications running on a cloud infrastructure. The applications are accessible from various client devices through either a thin client interface, such as a web browser (e.g., web-based email), or a program interface. The consumer does not manage or control the underlying cloud infrastructure including network, servers, operating systems, storage, or even individual application capabilities, with the possible exception of limited user-specific application configuration settings.
Platform as a Service (PaaS). The capability provided to the consumer is to deploy onto the cloud infrastructure consumer-created or acquired applications created using programming languages, libraries, services, and tools supported by the provider. The consumer does not manage or control the underlying cloud infrastructure including network, servers, operating systems, or storage, but has control over the deployed applications and possibly configuration settings for the application-hosting environment.
Infrastructure as a Service (IaaS). The capability provided to the consumer is to provision processing, storage, networks, and other fundamental computing resources where the consumer is able to deploy and run arbitrary software, which can include operating systems and applications. The consumer does not manage or control the underlying cloud infrastructure but has control over operating systems, storage, and deployed applications; and possibly limited control of select networking components (e.g., host firewalls).

9 Cloud Flavors (Deployment Models)
Private Cloud: operated solely for one organization; in-sourcing
Community Cloud: operated for a group of similar organizations
Public Cloud: outsourced; multi-tenant
Hybrid Cloud: combination of the above
Image: Microsoft Clip Art

• Private cloud. The cloud infrastructure is operated solely for an organization. It may be managed by the organization or a third party and may exist on premise or off premise.
• Community cloud. The cloud infrastructure is shared by several organizations and supports a specific community that has shared concerns (e.g., mission, security requirements, policy, and compliance considerations). It may be managed by the organizations or a third party and may exist on premise or off premise.
• Public cloud. The cloud infrastructure is made available to the general public or a large industry group and is owned by an organization selling cloud services.
• Hybrid cloud. The cloud infrastructure is a composition of two or more clouds (private, community, or public) that remain unique entities but are bound together by standardized or proprietary technology that enables data and application portability (e.g., cloud bursting for load-balancing between clouds).
This cloud model is composed of five essential characteristics, three service models, and four deployment models.

10 Image: Federal Cloud Computing Strategy, Vivek Kundra US CIO, 8 FEB 2011

11 Potential Spending on Cloud Computing
Image: Federal Cloud Computing Strategy, Vivek Kundra, US CIO, 8 FEB 2011
“Cloud First policy. This policy is intended to accelerate the pace at which the government will realize the value of cloud computing by requiring agencies to evaluate safe, secure cloud computing options before making any new investments.” - Federal Cloud Computing Strategy, February 2011

12 Reasons: Efficiency, Agility, Innovation
“Cloud First policy. This policy is intended to accelerate the pace at which the government will realize the value of cloud computing by requiring agencies to evaluate safe, secure cloud computing options before making any new investments.”
“…to be more efficient, agile, and innovative through more effective use of IT investments…”
Federal Cloud Computing Strategy, February 2011

13 Benefits
Save time and money on provisioning new services
Less time spent on deployment
Move capital investment to operational expenses
Instant test bed
Enables IT systems to be scalable and elastic
Provision computing resources as required, on-demand
No need to own data center infrastructure (for public cloud service)

14 Benefits
Energy saving (green):
Increased utilization, less idle time
Cost based on usage
More effective use of capital resources ($)
Better service:
Allows IT staff to focus on core competencies
Repurpose IT staff for more customer service
Outsource to esoteric experts
24/7 service and support
Economies of scale

15 Cloud Provider Benefits (NIST SP 800-144)
They will have specialized staff
The platform will typically be more uniform
They have the ability to scale and add redundancy
Better backup and recovery
May support a greater number of mobile devices
Data may be centralized and not on laptops

16 Benefits Image: Federal Cloud Computing Strategy, Vivek Kundra US CIO, 8 FEB 2011

17 Cost Considerations
Traditional Costs
Capital Expenses: Hardware (initial); Software (initial); Hardware repair/upgrades; Software upgrades; Staff costs; Energy costs; Training
Traditional Limits: Maximum load; Maximum up-time; Maximum users; MTTR; Dependencies
Cloud Costs
Operational Expenses: Cost per user; Cost by bandwidth/storage; Cost increase over time; Cost of additional services; Legal consultation costs; Staff costs; Training
Cloud Limitations: Users; Bandwidth; Storage; Service; Support; Dependencies; MTTR
MTTR = Mean-Time-To-Recover

18 Cost Benefit Analysis Example
Traditional Costs TCO: $21,000
Cloud Costs TCO: $22,850
This is somewhat similar to the ownership versus leasing calculation.
Cloud costs do not include the cost of Internet service or the cost of additional bandwidth if it is needed.
Savings in up-front costs

19 Cloud Risks
Where’s My Data?
The Bad Divorce
Trust but Verify
“I thought you knew”
I didn’t think of that
Clarify
Consider
Expectations, Put it in Writing
Compatibility
Can you think of some risks not mentioned?

20 Where’s My Data?
In the information age your key asset is information.
Some information requires protection (Credit Card Data, Student Records, SSN, etc.)
Your information could be anywhere in the world
You may lose access to your data (availability):
ISP failure
Service provider failure
Failure to pay (service provider stops access)
Image: Microsoft Clip Art

21 The Bad Divorce: “Vendor Lock”
All relationships come to an end
Let you down, had a breach, SLA performance, etc.
The company fails/gets sold
Introductory pricing, or it goes up over time
Transition to new vendor or in-source
How will you get your data back?
Lack of portability between PaaS clouds
Example: something built for Google won’t work for SharePoint or Amazon
Get a prenup – get it in the contract up front
Image: Microsoft Clip Art

22 Trust but Verify: Assurance
How do you know they are protecting your data?
Not everyone is treated the same by service providers
Disclosure concerning security posture
3rd party independent verification (audit/assessment):
SAS 70 / SSAE 16
SysTrust / WebTrust
ISO Certification
Audit / Assessment
MOU/MOA & ISA
Image: Microsoft Clip Art

23 “I thought you knew”
Cloud systems are typically more complex
This may create a larger attack surface
Breach Notification:
When do you want to know about a data breach? (Data that you are legally obligated to protect)
Typical contracts give wide latitude to service providers
Actual versus possible breach
Timeliness of notification
Image: Microsoft Clip Art

24 I didn’t think of that
Dependencies:
Infrastructure – Internet
Authentication management (SSO)
Operational budget
Greater dependency on 3rd parties
Other considerations:
Complex legal issues
Multi-tenancy
Transborder data flow
Jurisdiction and Regulation
Support for Forensics
Image: Microsoft Clip Art

25 Clarify
What do they mean by “Cloud”?
Establish clear responsibilities and accountability
Your expectations
Cost of compensating controls
What will happen with billing disputes?
Will your data be in a multi-tenant environment?
What controls will you have?
Image: Microsoft Clip Art

26 Consider
The reputation of the service provider:
Track record of issues
Large or small, likelihood of change
Vendor ‘supply chain management’ issues
The reliability of the service or technology:
Is the technology time tested?
Competency of cloud provider
Typically you have no control over upgrades and changes
Training for staff
Image: Microsoft Clip Art

27 Compatibility
When will they upgrade their service?
Will they be ready when you are ready for an upgrade of dependent software?
Will you be ready when they are ready to upgrade?
Browser-based Risks and Risk Remediation
What software will be required on the client side? Java, Flash, ActiveX, Silverlight, HTML 5

28 New attack vectors
Hypervisor complexity
Data leakage (multi-tenant environment)
Man in the Middle
Browser vulnerabilities
Mobile device vulnerabilities

29 Service Agreements
Service Level Agreement (SLA):
Some are predefined and non-negotiable
Some are negotiable (typically cost more)
Terms of Service may cover:
Privacy
Breach notification
Licensing
Acceptable use (what you can and can’t do)
Limitations on liability (typically in favor of the service provider)
Modifications of the terms of service (do you want this?)
Data ownership

30 Traditional risks no matter where you go
Insider threat: instead of your staff it is their staff
Access control: how can you control and monitor?
Authentication: another logon or SSO?
Data sanitization: is your data really deleted?
Others?

31 What to do?
Careful planning before engagement
Understand the technical aspects of the solution
Make sure it will meet your needs (security and privacy)
Maintain accountability
Define data location restrictions
Ensure laws and regulations are met
Make sure they can support electronic discovery and forensics
Follow NIST and Cloud Security Alliance guidance

32 Remember to specify
Personnel (clear backgrounds)
Access control, account and resource management
Availability, including SLA and dependencies
Problem & Incident reporting, notification and resolution
Disclosure agreements
Physical controls
Network boundary protection
Continuity, Backup and Recovery
Assurance levels
Independent audit or assessment

33 Resources
Cloud Security Alliance: cloudsecurityalliance.org
ISACA: Cloud Computing Management Audit/Assurance Program, 2010
NIST SP (draft)
NIST SP
NIST SP (draft)
Federal Cloud Computing Strategy, February 2011
Above the Clouds: Managing Risk in the World of Cloud Computing, by McDonald ( )
Cloud Computing: Implementation, Management, and Security, by Rittinghouse and Ransome ( )
Image: Microsoft Clip Art

