
Assessment and Authorization for Cloud Computing Dr. Sarbari Gupta sarbari@electrosoft-inc


Presentation Transcript


  1. Assessment and Authorization for Cloud Computing Dr. Sarbari Gupta sarbari@electrosoft-inc.com 703-437-9451 ext 12 Third Workshop on Cyber Security & Global Affairs May 31 – June 2, 2011

  2. Overview
     • US Mandates and Programs affecting Cloud Computing
     • Government-wide Risk and Authorization of Cloud Computing
     • Challenges faced with Cloud Computing Assessment and Authorization

  3. US Mandates and Programs
     • FISMA – Federal Information Security Management Act of 2002
       • Defines a compliance framework for securing government systems
       • NIST responsible for standards & guidelines
     • FedRAMP – Federal Risk Management and Authorization Program
       • Designed to solve the security authorization problems highlighted by cloud computing
       • “authorize once, use many”

  4. Challenges with FISMA
     • Measures security planning and not information security
     • Interpretation of FISMA requirements and NIST guidelines varies greatly
     • Same system is not compatible across agencies
     • Continuous Monitoring inadequate

  5. GSA IaaS Cloud Computing Environment
     • Cloud Storage Services
       • Storage for Files, Data and Data Objects
       • Well-defined Storage & Bandwidth Tiers
     • Virtual Machines
       • CPU (RAM, Disk space, Data transfer Bandwidth)
       • Operating System
       • Persistence
     • Cloud Web Hosting
       • CPU, OS, Software

  6. GSA IaaS – Separation of Duties

  7. FISMA / FedRAMP Details

  8. FISMA / FedRAMP Details

  9. Control Tailoring Workbook
     (Workbook column instruction: Fill this column out if the system setting is different than the GSA defined setting in the previous column)

  10. FISMA / FedRAMP Details

  11. FISMA / FedRAMP Details

  12. FedRAMP Challenges
      • Continuous monitoring not adequate
        • SLAs not validated in real time
        • Manual processes prone to error
        • Security Control testing may be done too far apart
      • Security Management not adequate
        • Data collection for analysis inadequate
        • Corrective action hard to negotiate
      Can outsource responsibility but not accountability

  13. End-user Visibility is Key

  14. A&A Process for Cloud Computing Questions? sarbari@electrosoft-inc.com
