
1 Developing a Baseline On Cloud Security
Jim Reavis, Executive Director, Cloud Security Alliance
November 22, 2010

2 A Combat Support Agency (Unclassified)
Purpose & Agenda
Purpose: Provide information about the current state of industry understanding and activities related to securing cloud computing, as a foundation for today's collaboration
1. Defining Cloud
2. Reference Model
3. Architecture
4. FedRAMP
5. Cloud Guidance
6. Relating to Tracks

3 What is Cloud Computing?
Compute as a utility: third major era of computing
– Mainframe
– PC Client/Server
– Cloud computing: on-demand model for allocation and consumption of computing
Cloud enabled by
– Moore's Law: costs of compute & storage approaching zero
– Hyperconnectivity: robust bandwidth from dotcom investments
– Service Oriented Architecture (SOA)
– Scale: major providers create massive IT capabilities

4 Broad Private/Public View
– Ecosystem
– Definitions/Ontology/Taxonomy
– Architecture
– Compliance
– Threat research & modeling
– Domains of Concern

5 NIST: Defining Cloud
Characteristics
– On-demand provisioning
– Elasticity
– Multi-tenancy
– Measured service
Delivery Models
– Infrastructure as a Service (IaaS): basic O/S & storage
– Platform as a Service (PaaS): IaaS + rapid development
– Software as a Service (SaaS): complete application
Deployment Modes
– Public
– Private
– Hybrid
– Community

6 CSA Cloud Reference Model
From the CSA Architectural WG
– 10-layer reference model view of Cloud Computing
– Encourages a cumulative view of SaaS/PaaS/IaaS delivery

7 S-P-I context
– IaaS (Infrastructure as a Service): you build security in
– PaaS (Platform as a Service)
– SaaS (Software as a Service): you "RFP" security in

8 Architectural Depictions
From Open Security Architecture: actor-centric view of cloud architecture

9 Architectural Depictions
Service-centric architectural model from CSA

10 Federal Risk & Authorization Management Program (FedRAMP)
A government-wide initiative to provide joint authorization services
– FedRAMP PMO in GSA
– Unified government-wide risk management
– Agencies would leverage FedRAMP authorizations (when applicable)
Agencies retain their responsibility and authority to ensure use of systems that meet their security needs
FedRAMP would provide an optional service to agencies

11 Federal Risk & Authorization Management Program (FedRAMP)
BEFORE (Agency, A&A, Vendor):
– Duplicative risk management efforts
– Incompatible requirements
– Potential for inconsistent application and interpretation of Federal security requirements
AFTER (Agency, A&A, Vendor, with FedRAMP):
– Unified risk management and associated cost savings
– Inter-agency vetted and compatible requirements using a shared cloud service
– Effective and consistent assessment of cloud services

12 FedRAMP Authorization Request Process
There are 3 ways a Cloud Service can be proposed for FedRAMP Authorization:
– Agency Sponsorship: Primary Agency Sponsorship, Primary Agency Contract, Secondary Agency Sponsorship
– Cloud BPA: Cloud Services through FCCI BPAs
– Government Cloud Systems
Services must be intended for use by multiple agencies

13 CSA Guidance Research
13 Domains of concern in 3 main groupings:
– Architecture (Cloud Architecture): Cloud Architecture
– Governance (Governing the Cloud): Governance and Enterprise Risk Management; Legal and Electronic Discovery; Compliance and Audit; Information Lifecycle Management; Portability and Interoperability
– Operations (Operating in the Cloud): Security, Business Continuity, and Disaster Recovery; Data Center Operations; Incident Response, Notification, Remediation; Application Security; Encryption and Key Management; Identity and Access Management; Virtualization

14 Track 1 - Cloud Security Policy and Guidance
Consensus issues identified from industry research
– Auditing capabilities
– Rogue insiders
– 3rd-party management
– Transparency
– Data governance: leakage, persistence, destruction, commingling
– Understand risk profile & align key risk indicators
– Translating legacy controls
– Lock-in

15 Track 2 - Cloud Security Architecture and Technology
Consensus issues identified from industry research
– Lack of purpose-built multi-tenant technology
– Federating hybrid clouds
– Duplicating granular defense in depth
– Hardware exploits: CPU, DMA, Bus, I/O
– Hardening virtualization
– Segregation of encryption and key management
– Developing layers of abstraction, SOA principles
– Vulnerability scanning
– Software development lifecycle impact
– Threat modeling

16 Track 3 - Secure Cloud Operations
Consensus issues identified from industry research
– Forensics
– Patch management
– Malware
– Logging
– Monitoring & visibility
– Account, service, traffic hijacking
– Suboptimal resource sharing & time slicing
– Compartmentalization of operational activities

17 Thank You! Questions?
