170 likes | 422 Views
Developing a Baseline On Cloud Security. Jim Reavis, Executive Director Cloud Security Alliance November 22, 2010. Purpose & Agenda. Purpose
E N D
Developing a Baseline On Cloud Security Jim Reavis, Executive Director Cloud Security Alliance November 22, 2010
Purpose & Agenda Purpose Provide information about the current state of industry understanding and activities related to securing cloud computing, as a foundation for today’s collaboration Defining Cloud Reference Model Architecture FedRAMP Cloud Guidance Relating to Tracks 2 9/18/2014 4:46 PM
What is Cloud Computing? Compute as a utility: third major era of computing Mainframe PC Client/Server Cloud computing: On demand model for allocation and consumption of computing Cloud enabled by Moore’s Law: Costs of compute & storage approaching zero Hyperconnectivity: Robust bandwidth from dotcom investments Service Oriented Architecture (SOA) Scale: Major providers create massive IT capabilities
Broad Private/Public View Ecosystem Definitions/Onotology/Taxonomy Architecture Compliance Threat research & modeling Domains of Concern
NIST: Defining Cloud Characteristics On demand provisioning Elasticity Multi-tenancy Measured service Delivery Models Infrastructure as a Service (IaaS): basic O/S & storage Platform as a Service (PaaS): IaaS + rapid dev Software as a Service (SaaS): complete application • Deployment Modes • Public • Private • Hybrid • Community
CSA Cloud Reference Model • From CSA Architectural WG • 10 Layer reference model view of Cloud Computing • Encourages cumulative view of SaaS/PaaS/IaaS delivery
S-P-I context IaaS Infrastructure as a Service You “RFP” security in SaaS Software as a Service You build security in PaaS Platform as a Service
Architectural Depictions • From Open Security Architecture • Actor-centric view of cloud architecture
Architectural Depictions Service-centric architectural model from CSA
Federal Risk & Authorization Management Program (FedRAMP) • A government-wide initiative to provide joint authorization services • FedRAMP PMO in GSA • Unified government-wide risk management • Agencies would leverage FedRAMP authorizations (when applicable) • Agencies retain their responsibility and authority to ensure use of systems that meet their security needs • FedRAMP would provide an optional service to agencies
Federal Risk & Authorization Management Program (FedRAMP) Agency A&A Vendor Agency A&A Vendor FedRAMP AFTER BEFORE • Unified Risk management and associated cost savings • Inter-Agency vetted and compatible requirements using a shared cloud service • Effective and consistent assessment of cloud services • Duplicative risk management efforts • Incompatible requirements • Potential for inconsistent application and interpretation of Federal security requirements
FedRAMP Authorization Request Process There are 3 ways a Cloud Service can be proposed for FedRAMP Authorization: Cloud BPA Government Cloud Systems Agency Sponsorship 1 2 3 Primary Agency Sponsorship Cloud Services through FCCI BPAs Services must be intended for use by multiple agencies Primary Agency Contract Secondary Agency Sponsorship
CSA Guidance Research 13 Domains of concern in 3 main groupings Architecture Governance Operations Cloud Architecture Governance and Enterprise Risk Management Legal and Electronic Discovery Governing the Cloud Compliance and Audit Information Lifecycle Management Portability and Interoperability Security, Bus. Cont,, and Disaster Recovery Data Center Operations Incident Response, Notification, Remediation Application Security Operating in the Cloud Encryption and Key Management Identity and Access Management Virtualization
Track 1 - Cloud Security Policy and Guidance Consensus issues identified from industry research Auditing capabilities Rogue insiders 3rd party management Transparency Data governance: leakage, persistence, destruction, commingling Understand risk profile & align key risk indicators Translating legacy controls Lock-in
Track 2 - Cloud Security Architecture and Technology Consensus issues identified from industry research Lack of purpose-built multi-tenant technology Federating hybrid clouds Duplicating granular defense in depth Hardware exploits: CPU, DMA, Bus, I/O Hardening virtualization Segregation of encryption and key mgt Developing layers of abstractions, SOA principles Vulnerability scanning Software development lifecycle impact Threat modeling
Track 3 – Secure Cloud Operations Consensus issues identified from industry research Forensics Patch management Malware Logging Monitoring & visibility Account, service, traffic hijacking Suboptimal resource sharing & time slicing Compartmentalization of operational activities
Thank You! Questions?