Risk Management & Legal Issues in Cloud Practice Christopher Dodorico Director, PricewaterhouseCoopers Wednesday, October 10, 2012
Cloud Computing in the US Federal Government – Where are we today?
The pace of cloud adoption by federal agencies is picking up
• Agencies are starting to “dip their toe in the water” and “learn as they go”
• Embracing the possibilities of cost savings and efficiencies
• Federal agencies see positive movement in the long-awaited framework for cloud providers to address security concerns in a homogeneous manner, with a common controls framework
Cloud Computing in the US Federal Government – Where are we today?
Despite this positive initial movement, agencies are still concerned about the security of the cloud
• Working with service providers to manage a myriad of compliance requirements, data location, multi-tenancy, and security continues to concern federal agencies contemplating a move to the cloud
• Agencies should not rely solely on FedRAMP for information assurance
• Need for automated audit and assessment tools, as well as continuous monitoring
• Initial migration of lower-risk and “less mission-critical” operations to the cloud, as a first step
Cloud Computing in the US Federal Government – Where are we today?
However, the outlook is still bright
• The combination of education, experience and emerging standards should increase cloud adoption in government
• Security concerns may decrease over time due to continuous process improvement
• Harmonizing multiple, overlapping regulatory requirements through Integrated Compliance is critical
• Patience and strategy are key – as cloud computing technology, security and cost savings mature, federal agencies will become more comfortable with placing key information in the cloud
Cloud Security Compliance - FedRAMP
• The Federal Risk and Authorization Management Program (FedRAMP) establishes the first regulatory program to provide:
  • A standard, mandatory common controls framework for federal Cloud Service Providers (CSPs)
  • A standard approach for conducting security assessments of cloud-based systems by a Third Party Assessment Organization (3PAO)
  • Published controls that are the entry point into the market
• Positive trend toward reuse/reapplication
Yet another compliance requirement?
Integrated Compliance
Integrate Cloud Compliance with Existing Control Frameworks
Taking requirements…
• FISMA / FedRAMP
• PCI
• HIPAA
• ISO
• Other Requirements
Identifying common controls or processes…
• Access Controls
• Passwords
• Encryption
• Training
• Risk Assessments
Documenting policy, controls, and criteria that meet minimum requirements across standards…
• Integrated Control Framework
Executing the program with the integrated framework:
• Execute Integrated Program
• Identify Data Sources
• Define & Assess Risk
• Develop & Implement Controls
• Audit and Correct
• Enforce, Monitor & Support
Critical Success Factors for Cloud Compliance
• Cloud environments, and more so public cloud environments, present a unique challenge with respect to the sharing of responsibilities for security controls between the CSP and the user organization
• Appropriate scoping of the environment, location of data, boundary definition, security controls demarcation and clarity about responsibility is critical!
Critical Success Factors for Cloud Compliance
• Understanding data access controls, specifically:
  • How is data classified in a multi-tenant environment?
  • How is data classified if multiple organizations are stored in the same data set?
  • How is logical access granted to specific data sets?
  • What access control mechanisms are used?
• Development, deployment and ongoing management of a cloud environment require significant attention to governance.
• A cloud environment by nature cannot be static as customers and capabilities are changing constantly, and must scale to meet changing business objectives and regulatory requirements.
Critical Success Factors for Cloud Compliance
• Definition of what qualifies as a “Significant Change”
  • CSPs and their customers each have a point of view
  • Dialogue between CSPs and their customers to come to joint agreement on what might trigger re-accreditation or re-assessment
• Collaboration between subscribers (federal agencies), CSPs, authoritative bodies, assessors/auditors, member organizations and software vendors is critical to the success of federal cloud computing
  • Design and development of robust SLAs and legal agreements
  • Agreement on applicable control requirements and areas where “scale-up” may be necessary
  • Government is doing a good job of outreach
PwC’s Washington Federal Practice assists our federal and commercial clients with their IT regulatory and cloud compliance challenges.
Christopher P. Dodorico, Director
christopher.p.dodorico@us.pwc.com
703-861-2205