A Federal Cloud Computing Roadmap
John Curran, ServerVault Corp


Posted on 12-Nov-2014


DESCRIPTION

Presentation summarizing present issues with the use of cloud computing for Federal applications, including potential steps forward.

TRANSCRIPT

Slide 1: A Federal Cloud Computing Roadmap

John Curran, ServerVault Corp

Slide 2: A Federal Cloud Computing Roadmap

Provides one possible answer to the question:

“What set of actions by the cloud computing industry (and related parties) would allow Federal agencies to gain the benefits of cloud computing while maintaining compliance with Federal IT policy?”

Why is this important to discuss?

• US Government is a potentially large, influential customer for the cloud computing community
• The closer we are to consensus on a roadmap for the solution, the less fear, uncertainty & doubt will remain in circulation for our industry
• Some technical controls may have interoperability or coordination aspects that have long lead times

Slide 3: Cloud Computing is “Outsourced IT”

FISMA (Title III, Pub. L. No. 107-347), Section 3544(b) requires each agency to provide information security for the information and “information systems that support the operations and assets of the agency, including those provided or managed by another agency, contractor, or other source.”

OMB M-08-21 includes specific guidance for use of contractor, outsourced, and/or SaaS services:

• Security controls must be provided commensurate with the risk and magnitude of harm or damage to the information system (Risk Impact Level)
• Agencies must ensure all FISMA policy requirements are met, including identical (not “equivalent”) security procedures and processes
• Service providers must work with agencies to meet all requirements, including an annual agency audit/evaluation

Slide 4: Risk Impact Level & Authorization

FIPS Publication 199 requires that agencies categorize the risk of their unclassified information systems and their data into three levels of potential impact on the organization/agency or individuals should there be a breach of security (i.e., a loss of confidentiality, integrity, or availability):

The potential impact is LOW if the loss of confidentiality, integrity, or availability could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals.

The potential impact is MODERATE if the loss of confidentiality, integrity, or availability could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals.

The potential impact is HIGH if the loss of confidentiality, integrity, or availability could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals.

FIPS Publication 200 requires that agencies employ, at minimum, an appropriately tailored set of security controls (i.e., a security plan) from the corresponding security control baseline in NIST 800-53, based on the highest risk impact level of all information contained in the system.

The Security Authorization Process requires preparation of a security plan, an assessment of security controls, and a plan to address any outstanding issues.

Slide 5: The Federal CIO’s Dilemma

1. Enormous pressure to deploy timely, cost-effective IT systems

2. Administration agenda includes expectations of the benefits of new IT technologies, including virtualization, collaboration, utility & cloud computing

3. Responsibility for compliance with numerous IT policy mandates, both federal and agency-specific

4. Varying financial and organizational support for common infrastructure (e.g. authentication, change control systems) and fear of vendor lock-in with any sizable deployment

5. The FISMA-specific compliance requirement to explicitly define the security controls for authorization of any new IT system

Cloud Computing can address #1 & #2 today.

With some common industry effort, Cloud Computing can help with #3, #4, and #5.

Slide 6: Federal Cloud Computing & Compliance

For many agency applications, stringent compliance requirements in areas such as privacy, financial controls, and health information will preclude use of “public clouds”, regardless of the actual security controls of the provider.

The cloud computing industry needs to recognize that there’s a difference between security [providing adequate protection from risks] and compliance [performing in specific documented adherence to policy], and that this difference will result in agencies having to establish their own private cloud infrastructures.

The technical standards that allow private clouds to interface to public clouds for workload surge, segmentation of processing, continuity of operations, etc. are therefore an important topic for discussion in the cloud community.

Slide 7: Federal Cloud Computing & Lock-In

Federal procurement goes to significant contractual lengths to ensure that the government can obtain full productive use of anything it procures, and in the past that has meant interesting terminology in areas such as software licensing, technology rights, etc.

The cloud computing industry needs technical standards for interoperability not only to meet agency requirements for mobility of applications and data between providers, but also to avoid the alternative of having to provide technology & software rights (for theoretical relief of vendor lock-in) which will otherwise be sought.

This makes technical standards for migration of systems between providers [servers, data volumes, network devices, and entire application environments] also an important topic for discussion in the cloud community.

Slide 8: Federal Cloud Computing & FISMA

The Federal CIO Council has established a cloud computing working group which is looking into this issue, and will make recommendations for the best path forward for agencies which wish to utilize cloud service providers.

Explicit documentation of FISMA security controls and their implementation is presently required for all Federal IT security authorization decisions, and it seems improbable that this requirement would change for federal applications which could have serious or catastrophic effects on the organization if disclosed, compromised or made unavailable.

However, there are existing, proven mechanisms for documenting security controls in commercial providers [e.g. WebTrust/SysTrust, SAS 70, and PCI DSS] which might be deemed appropriate compensating controls for Low Impact IT systems. Cloud providers should consider exploration of these programs in preparation.

Slide 9: Thank You!

• Questions?

• Contact Information:

John Curran, CTO & COO, ServerVault Corp

+1 703 652 [email protected]