Presentation is loading. Please wait.

Presentation is loading. Please wait.

Developing a Baseline On Cloud Security Jim Reavis, Executive Director

Published byMorgan Black Modified over 6 years ago

Similar presentations

Presentation on theme: "Developing a Baseline On Cloud Security Jim Reavis, Executive Director"— Presentation transcript:

1 Developing a Baseline On Cloud Security Jim Reavis, Executive Director
Cloud Security Alliance November 22, 2010

2 Purpose & Agenda Purpose Defining Cloud Reference Model Architecture
Provide information about the current state of industry understanding and activities related to securing cloud computing, as a foundation for today’s collaboration Defining Cloud Reference Model Architecture FedRAMP Cloud Guidance Relating to Tracks 11/21/ :02 PM 2

3 What is Cloud Computing?
Compute as a utility: third major era of computing Mainframe PC Client/Server Cloud computing: On demand model for allocation and consumption of computing Cloud enabled by Moore’s Law: Costs of compute & storage approaching zero Hyperconnectivity: Robust bandwidth from dotcom investments Service Oriented Architecture (SOA) Scale: Major providers create massive IT capabilities 3

4 Broad Private/Public View
Ecosystem Definitions/Onotology/Taxonomy Architecture Compliance Threat research & modeling Domains of Concern 4

5 NIST: Defining Cloud Characteristics Delivery Models Deployment Modes
On demand provisioning Elasticity Multi-tenancy Measured service Delivery Models Infrastructure as a Service (IaaS): basic O/S & storage Platform as a Service (PaaS): IaaS + rapid dev Software as a Service (SaaS): complete application The NIST diagram provides a good visualization of what it is, what types of services are delivered and how it is deployed. Deployment Modes Public Private Hybrid Community 5

6 CSA Cloud Reference Model
From CSA Architectural WG 10 Layer reference model view of Cloud Computing Encourages cumulative view of SaaS/PaaS/IaaS delivery The security approach and role varies depending on the delivery model 6

7 Infrastructure as a Service
S-P-I context You “RFP” security in SaaS Software as a Service You build security in PaaS Platform as a Service IaaS Infrastructure as a Service The security approach and role varies depending on the delivery model 7

8 Architectural Depictions
From Open Security Architecture Actor-centric view of cloud architecture The security approach and role varies depending on the delivery model 8

9 Architectural Depictions
The security approach and role varies depending on the delivery model Service-centric architectural model from CSA 9

10 Federal Risk & Authorization Management Program (FedRAMP)
A government-wide initiative to provide joint authorization services FedRAMP PMO in GSA Unified government-wide risk management Agencies would leverage FedRAMP authorizations (when applicable) Agencies retain their responsibility and authority to ensure use of systems that meet their security needs FedRAMP would provide an optional service to agencies

11 Federal Risk & Authorization Management Program (FedRAMP)
Duplicative risk management efforts Incompatible requirements Potential for inconsistent application and interpretation of Federal security requirements Agency A&A Vendor BEFORE FedRAMP Unified Risk management and associated cost savings Inter-Agency vetted and compatible requirements using a shared cloud service Effective and consistent assessment of cloud services AFTER

12 FedRAMP Authorization Request Process
There are 3 ways a Cloud Service can be proposed for FedRAMP Authorization: Cloud BPA Government Cloud Systems Agency Sponsorship 1 2 3 Primary Agency Sponsorship Cloud Services through FCCI BPAs Services must be intended for use by multiple agencies Primary Agency Contract Secondary Agency Sponsorship 12

13 CSA Guidance Research 13 Domains of concern in 3 main groupings
Architecture Governance Operations Governance and Enterprise Risk Management Legal and Electronic Discovery Compliance and Audit Information Lifecycle Management Portability and Interoperability Security, Bus. Cont,, and Disaster Recovery Data Center Operations Incident Response, Notification, Remediation Application Security Encryption and Key Management Identity and Access Management Virtualization Cloud Architecture Operating in the Cloud Governing the Cloud 13

14 Track 1 - Cloud Security Policy and Guidance
Consensus issues identified from industry research Auditing capabilities Rogue insiders 3rd party management Transparency Data governance: leakage, persistence, destruction, commingling Understand risk profile & align key risk indicators Translating legacy controls Lock-in 14

15 Track 2 - Cloud Security Architecture and Technology
Consensus issues identified from industry research Lack of purpose-built multi-tenant technology Federating hybrid clouds Duplicating granular defense in depth Hardware exploits: CPU, DMA, Bus, I/O Hardening virtualization Segregation of encryption and key mgt Developing layers of abstractions, SOA principles Vulnerability scanning Software development lifecycle impact Threat modeling 15

16 Track 3 – Secure Cloud Operations
Consensus issues identified from industry research Forensics Patch management Malware Logging Monitoring & visibility Account, service, traffic hijacking Suboptimal resource sharing & time slicing Compartmentalization of operational activities 16

17 Thank You! Questions? 17

Download ppt "Developing a Baseline On Cloud Security Jim Reavis, Executive Director"

Similar presentations

© 2012 Open Grid Forum Simplifying Inter-Clouds October 10, 2012 Hyatt Regency Hotel Chicago, Illinois, USA.

© 2012 Open Grid Forum Simplifying Inter-Clouds October 10, 2012 Hyatt Regency Hotel Chicago, Illinois, USA.
Impacts of 3 rd Party IaaS on broadband network operations and businesses Prabhat Kumar Managing Partner, i 3 m 3 Solutions.

Impacts of 3 rd Party IaaS on broadband network operations and businesses Prabhat Kumar Managing Partner, i 3 m 3 Solutions.
Pros and Cons of Cloud Computing Professor Kam-Fai Wong Faculty of Engineering The Chinese University of Hong Kong.

Pros and Cons of Cloud Computing Professor Kam-Fai Wong Faculty of Engineering The Chinese University of Hong Kong.
Hi – 5 Marcus Hogue Chris Jacobson Alexandra Korol Mark Ordonez Jinjia Xi Security of Cloud Computing.

Hi – 5 Marcus Hogue Chris Jacobson Alexandra Korol Mark Ordonez Jinjia Xi Security of Cloud Computing.
1 Cloud Security in the Federal Sector: FedRAMP (Federal Risk and Authorization Management Program) © Grant Thornton LLP. All rights reserved. Orus Dearman,

1 Cloud Security in the Federal Sector: FedRAMP (Federal Risk and Authorization Management Program) © Grant Thornton LLP. All rights reserved. Orus Dearman,
System Center 2012 R2 Overview

System Center 2012 R2 Overview
Current impacts of cloud migration on broadband network operations and businesses David Sterling Partner, i 3 m 3 Solutions.

Current impacts of cloud migration on broadband network operations and businesses David Sterling Partner, i 3 m 3 Solutions.
Federal Risk and Authorization Management Program (FedRAMP) Lisa Carnahan, Computer Scientist National Institute of Standards & Technology Standards Coordination.

Federal Risk and Authorization Management Program (FedRAMP) Lisa Carnahan, Computer Scientist National Institute of Standards & Technology Standards Coordination.
Security, Privacy and the Cloud Connecticut Community Providers’ Association June 20, 2014 Steven R Bulmer, VP of Professional Services.

Security, Privacy and the Cloud Connecticut Community Providers’ Association June 20, 2014 Steven R Bulmer, VP of Professional Services.
Cloud Security Challenges Today and Tomorrow NameTitle February 2011.

Cloud Security Challenges Today and Tomorrow NameTitle February 2011.
Federal Cloud Computing Initiative Matthew Goodrich November 5, 2010 GSA Confidential and Proprietary – Not for Distribution Section 508 Coordinator Conference.

Federal Cloud Computing Initiative Matthew Goodrich November 5, 2010 GSA Confidential and Proprietary – Not for Distribution Section 508 Coordinator Conference.
Security in the Cloud: Can You Trust What You Can’t Touch? Rob Johnson Security Architect, Cloud Engineering Unisys Corp.

Security in the Cloud: Can You Trust What You Can’t Touch? Rob Johnson Security Architect, Cloud Engineering Unisys Corp.
BETA!BETA! Building a secure private cloud on Microsoft technologies Private cloud security concerns Security & compliance in a Microsoft private cloud.

BETA!BETA! Building a secure private cloud on Microsoft technologies Private cloud security concerns Security & compliance in a Microsoft private cloud.
Copyright Marchany 2010 Cloud Computing Security Issues Randy Marchany, VA Tech IT Security,

Copyright Marchany 2010 Cloud Computing Security Issues Randy Marchany, VA Tech IT Security,
Cloud Usability Framework

Cloud Usability Framework
Wally Kowal, President and Founder Canadian Cloud Computing Inc.

Wally Kowal, President and Founder Canadian Cloud Computing Inc.
© 2013 PRICE Systems, LLC All Rights Reserved | Decades of Cost Management Excellence 1 Costs of Migration and Operation in the Cloud Arlene Minkiewicz,

© 2013 PRICE Systems, LLC All Rights Reserved | Decades of Cost Management Excellence 1 Costs of Migration and Operation in the Cloud Arlene Minkiewicz,
Does The Cloud Fit Into Your Organization? Tom Horan Meridian IT Inc. VP, Strategic Markets (847) 912-3244.

Does "The Cloud" Fit Into Your Organization? Tom Horan Meridian IT Inc. VP, Strategic Markets (847)
Achieving Security Assurance and Compliance in the Cloud Jim Reavis Executive Director.

Achieving Security Assurance and Compliance in the Cloud Jim Reavis Executive Director.
Securing and Auditing Cloud Computing Jason Alexander Chief Information Security Officer.

Securing and Auditing Cloud Computing Jason Alexander Chief Information Security Officer.

Similar presentations

Ads by Google