Continuity and Security Considerations for Cloud Computing Implementation

Organizational Readiness and Cloud Computing

by Bill Hummel, Ken Lin, Lauren Pierce, and Holly Lynne Schmidt

This white paper includes proprietary and confidential information and other data that shall not be disclosed outside the government and shall not be duplicated, used, or disclosed in whole or in part for any purpose other than to support the client. This restriction does not limit the government’s right to use information contained in this white paper if it is obtained from another source without restriction. The data contained in all of the pages of this white paper is subject to this restriction.




Table of Contents

Introduction

Definition of Cloud Computing Services

Considerations for Security and Privacy in the Cloud

Information Storage

Information Protection

Liabilities

Legal and Regulation Mandates

Mission Assurance Considerations

Operation Assurance

Conclusion

About Booz Allen

Principal Offices

Introduction

To incorporate Cloud Computing services into IT portfolios, government agencies need to determine the usage, services, capabilities, and trust required in the cloud to assure data and services. The purpose of this paper is to highlight some critical considerations for determining whether a Cloud Computing environment is right for your organization.

This paper first presents a basic definition of Cloud Computing and the services provided in the cloud environment. It then presents a discussion on meeting federal mandates for continuity of operations when using a cloud architecture and describes the distinct objectives, overlapping requirements, and integrated implementation of security and privacy in the cloud.

Definition of Cloud Computing Services

Cloud Computing is an infrastructure service architecture where data and applications are decoupled from physical infrastructure and provided as a service to end users. It provides several service offerings to clients so they can have different levels of control. As described on www.Wikipedia.org, these offerings include delivery of software, platform, and infrastructure services.

• Software as a Service (SaaS) is a model of software deployment where an application is hosted as a service provided to customers across the Internet. By eliminating the need to install and run the application on the customer’s own computer, SaaS alleviates the customer’s burden of software maintenance, ongoing operation, and support. Customers relinquish control over software versions or changing requirements, and costs to use the service become a continuous expense rather than a single expense at the time of purchase. Using SaaS can conceivably reduce the upfront expense of software purchases through less costly on-demand pricing.1

• Platform as a Service (PaaS) is an outgrowth of the SaaS application delivery model. The PaaS model makes all of the facilities required to support the end-to-end life cycle of building and delivering Web applications and services available entirely over the Internet—with no software downloads or installation for developers, IT managers, or end users. PaaS offerings include workflow facilities for application design, application development, testing, deployment, and hosting, as well as application services, such as team collaboration, Web service integration and marshalling, database integration, security, scalability, storage, persistence, state management, application versioning, application instrumentation, and developer community facilitation. PaaS is a purchasing strategy as well as a usage strategy for provisioning platforms as an integrated solution over the Internet.2

• Infrastructure as a Service (IaaS) is the delivery of computer infrastructure, typically a platform virtualization environment, as a service. The key components consist of a platform virtualization environment to run client-specified virtual machines, Internet service providers (ISP), computing resources, network resources, and virtual machines and servers. Rather than purchasing servers, software, data center space, or network equipment, clients instead buy those resources as a fully outsourced service. The service is typically billed on a utility computing basis, and the amount of resources consumed (and therefore the cost) typically reflects the level of activity. It is an evolution of Web hosting and virtual private server offerings.3

Notes

1 http://en.wikipedia.org/wiki/Software_as_a_service

2 http://en.wikipedia.org/wiki/Platform_as_a_service

3 http://en.wikipedia.org/wiki/Infrastructure_as_a_service


In addition to these service offerings, other distinguishing models of Cloud Computing include public, private, and data storage cloud-based service offerings. Public cloud-based services are available to users via the Internet from a third-party service provider. Gartner defines this model as a “style of computing in which massively scalable IT-related capabilities are provided ‘as a service’ using Internet technologies to multiple external customers.” In private cloud-based services, data and processes are managed within the organization and offered to sub-organizations and entities in that organization. Cloud storage involves the delivery of data storage as a service, including database-like services. These three models are often billed on a utility computing basis (e.g., per gigabyte per month).

Considerations for Security and Privacy in the Cloud

The intersection of security and privacy has been described in various ways; this paper uses an illustrated definition of how these two concepts relate. As shown in Exhibit 1, security and privacy have distinct objectives, overlapping requirements, and integrated implementation.

Broadly defined, security’s objective is to protect the confidentiality, integrity, and availability of information with various sensitivity levels. Privacy, focusing on the role of the data subject, considers the individual’s contractual and statutory rights to control his or her own information, including decisions about submitting, using, disclosing, and protecting it.

[Figure: security and privacy shown as having distinct Objectives, overlapping Requirements, and integrated Implementation.]

Exhibit 1 | Security and Privacy Considerations

Source: Booz Allen Hamilton


Diagnostic Category: Security

Sample Diagnostic Questions:

• What is the security categorization of the cloud environment?

• How is the system or application segregated from other application systems in the cloud?

• Does the cloud environment meet federal security controls (e.g., National Institute of Standards and Technology [NIST] SP 800-53, Director of Central Intelligence Directive [DCID] 6/3)?

• Has any other agency accredited the system?

• Has the cloud infrastructure had a security audit (e.g., International Organization for Standardization [ISO], NIST, Information Systems Audit and Control Association [ISACA])?

• What is the sensitivity of the data (e.g., for official use only [FOUO], sensitive but unclassified [SBU])?

• Who are the end users of the system?

• Does the system integrate with the Federal e-Authentication Initiative?

• How are the security logs maintained?

• What products in the system have completed security validations (e.g., Federal Information Processing Standards [FIPS], Common Criteria)?

• What access is required for the cloud system administrator?

• What protections limit cloud provider access to system processes, services, and data?

• Do the cloud providers have federal physical security site accreditations?

• Does the cloud provider administrator have a federal background investigation?

• Will the cloud disclose design information required for security validation?

• Does the cloud provider report cloud security incidents to the agency and/or the U.S. Computer Emergency Readiness Team (US-CERT)?

• What monitoring is performed on the cloud (i.e., what data is recorded/viewed by the cloud operations staff)?

• Do the cloud provider’s security processes and procedures meet federal requirements?

• What independent testing is required to verify that system security has been properly implemented?

• What are the trust boundaries?

Diagnostic Category: Privacy

Sample Diagnostic Questions:

• Does the system contain personally identifiable information (PII) (e.g., Health Insurance Portability and Accountability Act [HIPAA])?

• Does the system contain taxpayer identifier information?

• What protections are in place to limit the exposure of the data?

• How long is the PII data maintained?

• Who has access to the data (administrators, operations staff, system administrators, etc.)?

• What privacy training is required?

• Does the cloud provider need to take privacy training?

• What are the enforcement mechanisms for privacy violations?

Exhibit 2 | The Relationship Between Security and Privacy

Source: Booz Allen Hamilton


Security and privacy requirements overlap in some areas and are distinct in others. Security requirements relate to protecting the confidentiality, integrity, and availability of information, including private information. Privacy mostly concerns developing policies that will satisfy the rights and expectations of data subjects.

Security and privacy are inseparable in the implementation phase. For example, the way a data custodian implements “fair access” under privacy requirements will need to be integrated into the authentication and authorization protocol—which is often thought of as primarily a security function. Certification and accreditation (C&A) is required for government systems and applications before authorization to operate. Clouds can house many systems and applications. Early in the planning phase, the Cloud Computing consumer should establish the evidence that will be required to support an assurance case for the successful accreditation of a cloud implementation.

To reemphasize a critical point: security and privacy can and should be simultaneously addressed by identifying distinct objectives, overlapping requirements, and integrated implementations in evaluating Cloud Computing service offerings.

Information Storage

Using Cloud Computing services often requires storing sensitive or proprietary information on providers’ infrastructure. To gain an appropriate confidence level, agencies need to consider the following: assurance levels, information protection, and liabilities.

Assurance Levels

Assurance levels measure the level of acceptable risk in leveraging Cloud Computing capabilities and services. The required assurance level depends on threats, vulnerabilities, exposure, and the system’s likelihood to compromise information. Agencies should conduct a comprehensive risk assessment measuring the required confidentiality, availability, and integrity, along with system exposure, to decide the assurance level needed for a specific operation.

However, one major challenge is that no standard assurance levels are currently defined for Cloud Computing services. Agencies need to be specific about the requirements, standards, and technologies required to achieve their assurance level.

Information Protection

While a system categorization establishes security and privacy requirements, information protection evaluates security and privacy controls that protect the information. Information protection could include identity management, access controls, system segmentation, audit, information backup, disaster recovery, business continuity and resiliency, and physical protection. All of these protection mechanisms are further challenged once the agency no longer has constant physical access to the data or once the data is dispersed to servers in disparate locations. Agencies will want to take advantage of cloud elasticity features and will need to adapt their security controls accordingly.

Agencies must realize that using Cloud Computing will change how they define their system security boundaries. Information protection mechanisms need to be evaluated for—

• Inspection and awareness sensors

• Audit methods

• Information control

• Segmentation methods

• Agency systems that connect to the cloud

• Connection between agency systems and the cloud

• Disclosure/non-disclosure requirements for federal information systems

• Architecture of the cloud provider

• Technology leveraged by the cloud provider


• Network topologies

• Data encryption strategies

• Service-to-service security and messaging controls

• Layered architecture security strategies

• Method of the cloud environment’s operation and administration.

In addition, because the cloud environment allocates data across multiple servers, physical data theft could have broader effects. For example, a stolen or damaged drive could affect a significant number of clients. Agencies must consider and ensure physical security and data protection.

Liabilities

Most government agency information must be kept secure and private (e.g., taxpayer information, veteran information, national security, public health information). The identification of these obligations, the requirements imposed by these obligations, and the method in which service providers help fulfill these requirements are critical elements of successful cloud deployment.

Ensuring compliance with these security and privacy requirements requires some transparency into the operations of service providers and might demand that service providers modify their infrastructure or build additional security and privacy controls for government agencies. For example, in the event of a data spill, it would be essential to understand the provider’s data cleansing strategy for data storage and backups.

Legal and Regulation Mandates

Legal requirements always influence the implementation of information security and privacy controls. The architecture used for Cloud Computing services creates unique legal and regulatory situations, including export concerns, data control and ownership, international standards, and enforcement of memoranda of understanding (MOU) and memoranda of agreement (MOA).

If a current application service provider or host migrates to a Cloud Computing architecture, all binding agreements regarding the storage, transmission, and use of data must be updated. U.S. export controls on encrypted material are strict and regulated by the Department of Commerce’s Bureau of Industry and Security. The potential for unintentional export of any data is of significant concern for all government agencies. In addition, the European Union’s (E.U.) data protection law prevents any personal data from being transferred to any non-E.U. nation that does not meet the “adequacy” standard for privacy protection. Some public Cloud Computing providers have data centers outside of the United States and cannot guarantee that customer data will remain in the United States. For that reason, the E.U. data protection law and other international regulations must be applied universally.

Cloud Computing vendors must focus on data control and ownership in vendor-client agreements. Whether the cloud service is a PaaS, SaaS, or IaaS, all agreements must address the protection of data in transit and at rest. Because laws in an overseas country may regulate data centers in that country, vendors should hold appropriate discussions with legal counsel to ensure compliance with all relevant laws, such as Great Britain’s Data Protection Act. In the United States, state and county boundaries may affect the preferences of a client who desires to dictate the location of data centers. Physical presence and data location are important in the event of a lawsuit. Vendors must address copyright control as well.

The development and enforcement of specific MOUs and MOAs are important to ensure providers and clients are aware of the binding contract and the legal ramifications of breaking the contract. Furthermore, from a client perspective, it is important that providers disclose their legal requirement to share records or access privileges when law enforcement or another government authority presents a subpoena.

Cloud vendors, such as Nirvanix Inc., 3tera, Inc., Microsoft, Google, and Amazon, are challenged with meeting and guaranteeing both U.S. regulatory requirements and ISO standards. The contracting government agency must detail and write into agreements ISO and other requirements for privacy and security to assure customers that vendors—

• Have the capability to support agency needs

• Provide continuity of services irrespective of disruptive events

• Are committed to implementing and maintaining regulatory compliance

• Provide low computing costs for government agencies.

Mission Assurance Considerations

Regardless of the definition, Cloud Computing is an IT service delivery and acquisition model that can deliver great benefits if properly leveraged to maintain an agency’s ability to execute its mission. However, government agencies face a broad array of implementation challenges, including adhering to federal continuity mandates and standards to ensure continuity of government and operations, as well as changing the way agencies contract with vendors.

IT infrastructures must support agencies in meeting various federal directives (e.g., NSPD51/HSPD20, FCD-1, FCD-2) and must adhere to NIST special publications and guidelines for continuity and disaster recovery preparedness. Regardless of whether an IT infrastructure is centralized, distributed, or cloud based, it must adhere to these standards and guidelines. In addition, agencies should carefully review the key considerations and evaluate the costs, benefits, and risks of the cloud architecture before implementing a cloud architecture. These considerations include the following:

• Does the cloud architecture provide geographic resilience in the event of regional or large-scale disasters?

• Are the individual physical buildings that house components of the cloud infrastructure secure both physically and in a cyber sense?

• How do the non-technology elements of the Cloud Computing architecture (people and processes) provide the required levels of operations resilience, reliability, availability, and serviceability?

• If using a third-party cloud, what are the service providers’ capabilities, processes, controls, and skill sets? How do these elements fit into the agency’s long-term IT and mission strategies?

• What are the roles, responsibilities, and accountabilities for vendors and customers in a Cloud Computing services contract?

• What are the key provisions (service-level agreements [SLA], service management, etc.) that need to be included in a Cloud Computing services contract?

• What are the cloud architecture’s overall impacts on continuity plans and disaster recovery plans? Does the implementation of a cloud architecture increase or decrease the plan maintenance effort?

• Will the cloud service providers allow the testing of continuity and disaster recovery plans?

Agencies should conduct a comprehensive risk analysis of the cloud service provider to evaluate its controls, processes, and service management capabilities; identify gaps; and recommend mitigation strategies. The results of the mitigation strategies can serve as input for the contract language.

Operation Assurance

Another consideration for an agency contemplating Cloud Computing is ensuring that the operation of the cloud environment would meet the agency’s mission and requirements.

Cloud Computing is built on the theory that infrastructure, software, and platform as shared services will result in reduced costs and improved computing resources for government agencies. Cloud vendors assume the significant responsibility of proving their ability to meet government agencies’ demands for confidentiality, integrity, and availability.


The responsibility assumed by vendors does not absolve agencies of their responsibility to customers and taxpayers. Each agency must assess cloud vendors’ operation assurance levels using architectural and operational models. If improvements in an agency’s confidentiality, integrity, and availability measurements are shown to be possible through the implementation of a cloud environment, then the cloud should also improve that agency’s cost value, compliance, capability, and continuity.

The Cloud Computing environment relieves government agencies of traditional system operations roles and responsibilities, resulting in greater focus on operation assurance. Because agencies will be largely dependent on Cloud Computing service providers for mission-critical services, a comprehensive and effective contract between vendor and agency is crucial to ensure the agency’s needs are met and that recourse for non-performance exists. Key elements are SLAs, clauses for non-compliance and non-performance, and regulatory compliance requirements. Both the vendor and the customer should clearly document and agree to processes and procedures for escalation, change management, patch management, incident management, infrastructure upgrades, application upgrades, monitoring, and user acceptance testing. Furthermore, the contract should include provisions for annual vendor assessments, including continuity, disaster recovery, and security assessments.

Conclusion

Cloud Computing is a flexible and highly adaptable method for ensuring continuity and availability of data and applications for end users. This paper discusses initial considerations for agencies interested in Cloud Computing technology and focuses on information storage, continuity planning, and operation assurance as starting points for discussions about security and mission assurance requirements. After balancing agency mission requirements against continuity, security, and operational requirements, organizations can begin incorporating Cloud Computing services into their IT portfolios.


About Booz Allen

To learn more about the firm and to download digital versions of this article and other Booz Allen Hamilton publications, visit www.boozallen.com/rfwn.

Booz Allen Hamilton has been at the forefront of strategy and technology consulting for 95 years. Every day, government agencies, institutions, corporations, and infrastructure organizations rely on the firm’s expertise and objectivity, and on the combined capabilities and dedication of our exceptional people to find solutions and seize opportunities. We combine a consultant’s unique problem-solving orientation with deep technical knowledge and strong execution to help clients achieve success in their most critical missions. Providing a broad range of services in strategy, operations, organization and change, information technology, systems engineering, and program management, Booz Allen is committed to delivering results that endure.

With 20,000 people and $4 billion in annual revenue, Booz Allen is continually recognized for its quality work and corporate culture. In 2009, for the fifth consecutive year, Fortune magazine named Booz Allen one of “The 100 Best Companies to Work For,” and Working Mother magazine has ranked the firm among its “100 Best Companies for Working Mothers” annually since 1999.


www.boozallen.com

The most complete, recent list of offices and their addresses and telephone numbers can be found on www.boozallen.com by clicking the “Offices” link under “About Booz Allen.”

Principal Offices

ALABAMA: Huntsville

CALIFORNIA: Los Angeles, San Diego, San Francisco

COLORADO: Colorado Springs, Denver

FLORIDA: Pensacola, Sarasota, Tampa

GEORGIA: Atlanta

HAWAII: Honolulu

ILLINOIS: O’Fallon

KANSAS: Leavenworth

MARYLAND: Aberdeen, Annapolis Junction, Lexington Park, Linthicum, Rockville

MICHIGAN: Troy

NEBRASKA: Omaha

NEW JERSEY: Eatontown

NEW YORK: Rome

OHIO: Dayton

PENNSYLVANIA: Philadelphia

SOUTH CAROLINA: Charleston

TEXAS: Houston, San Antonio

VIRGINIA: Arlington, Chantilly, Falls Church, Herndon, McLean, Norfolk, Stafford

WASHINGTON, DC

©2009 Booz Allen Hamilton Inc.

BAH-024 Report