Source: phiconference.org/wp-content/uploads/2013/09/Thur-8.30... · 2014. 5. 8.

Page 1

Securing Government Clouds Preparing for the Rainy Days

Majed Saadi

Director, Cloud Computing Practice

Page 2

Agenda

1. The Cloud: Opportunities and Challenges
2. Cloud’s Potential for Providing Government Services
3. Strategizing for a Cloud-Based Government
4. Stratify: a Cloud Security Framework
5. Questions

Page 3

SRA at a Glance…

• More than 6,300 employees across the country and around the world
• 90% of FY11 $1.7 billion in revenue generated as a prime contractor
• Founded in 1978, SRA is dedicated to delivering innovative solutions to the US Federal Government.
• Approved FedRAMP 3PAO Assessor
• Current Cloud Vehicles: Army Private Cloud (APC2); GSA Email as a Service (EaaS) GWAC; FedRAMP 3PAO

Updated: 6/15/2012

Page 4

SRA’s Cyber Security Heritage (timeline 1998–2012)

SRA has always been focused on the protection of the Federal Government, beginning with Continuity of Operations work in the late 80s… moving to Critical Infrastructure Protection and cybersecurity in the 2000s, focusing on continuous diagnostics and mitigation, SOC operations, and cybersecurity preparedness…

Milestones shown on the timeline:

• SRA Wins a Seat on the DHS CMaaS BPA
• Privacy Practice Established (DHS First Client)
• Developed the First Automated System Security Evaluation and Remediation Tracking Tool with the EPA (ASSERT)
• Received Highest DoD CCRI Rating to Date (JSIN and EUCOM/AFRICOM Projects)
• One of the First Federal ISO 27001 Certs for TSA SOC
• Accredited FedRAMP Independent Third Party Assessment Organization (Type C)
• Architect (Committers) of NSA Accumulo Secure Cloud
• Cybersecurity Big Data Capability using HADOOP
• Computer Network Exploitation Software and Services for the IC
• Cyber Security SOC Maturity Model Developed
• Received NSA IA-CMM Rating (Highest Rating Across Federal Contractors)
• SecureElite SRA SDLC Finalized
• Cyber Security Practice Established
• CyberRisk Compliance Process Developed
• Security Program Maturity Model
• Congressional Scorecards (5 of the 7 ‘A’ Scores are SRA Customers)

Page 5

The Cloud: Opportunities and Challenges

What do you need to know about government and the cloud? And why should you care?

Page 6

Cloud & Cloud Security Trends

Page 7

Government Cloud Computing Drivers

Why move to the Cloud? IT Efficiency; Flexibility & Elasticity; Compliance

• Reduce infrastructure overhead (equipment & personnel) using cost-controlled, easy-to-manage processing power
• Comply with federal mandates (Cloud First)
• Transfer infrastructure risks to contractors or service providers
• Satisfy short-term & short-notice needs (surges)
• Enhance service availability & remote accessibility options
• Increase agility in responding to infrastructure change requirements
• Facilitate proprietary application modernization, development and integration
• Improve business continuity & disaster recovery
• Improve the enterprise Green IT posture

Page 8

Questions on Our Customers’ Minds

• How do I ensure that I have complete FISMA compliance with a FedRAMP cloud?
• How do I transform my IT shop to allow my customers to consume cloud services from a centralized service catalog?
• How do I enable my agency to benefit from commodity cloud services while ensuring compliance and security?

Page 9

The US Government & The Cloud – An Update

• Cloud First Initiative
  – Potential Savings ~$20 Billion
  – 25% of IT Budget
• Federal Data Center Consolidation Initiative (FDCCI)
  – Close or consolidate ~1,200 of ~2,900 federal data centers
  – Expected savings ~$2.4-$5 billion
• IaaS & EaaS BPAs
• Other Initiatives
  – PortfolioStat
  – Mobility
  – Digital Government Strategy

Source: FCW.com

Page 10

Privacy and Security Legal Requirements

• Federal
  – GLBA
  – FTCA
  – SOX
  – FCRA/FACTA
  – HIPAA
  – FISMA, DIACAP
  – FERPA
  – 21 C.F.R. Part 11 (FDA Regulations)
  – Executive Orders and Agency Memoranda
  – COPPA
  – Federal Risk and Authorization Management Program (FedRAMP)
• State
  – Notice of Security Breach
  – Other State Laws
• International
  – EU Data Protection Directive Member Countries
  – Canada PIPEDA
  – Others (e.g., UK, Japan, Australia)
• Private Contractual Requirements and Standards
  – PCI DSS
  – Business Associate Agreements
  – Service Provider Agreements
  – NIST
  – MPAA
  – ISO 27001, 27002, etc.
  – Cloud Security Association

Page 11

FedRAMP’s Purpose

The Problem
• A duplicative, inconsistent, time-consuming, costly and inefficient cloud security risk management approach with little incentive to leverage existing Authorizations to Operate (ATOs) among agencies.

The Solution: FedRAMP
• Unified risk management approach
• Uniform set of approved, minimum security controls (FISMA Low and Moderate Impact)
• Consistent assessment process
• Provisional ATO

Slide 11 4/21/2014

Page 12

FedRAMP Executive Sponsors (diagram)

• US-CERT Incident Coordination
• CyberScope Continuous Monitoring Data Analysis
• Office of Management and Budget

Page 13

Cloud’s Potential for Providing Government Services

Is the cloud really the solution?

Page 14

The Demand for Change is Great

• Sequestration
• Budget Cuts
• Mobile Workforce
• Shadow IT
• Mandates

Page 15

Dad, What is This?

Page 16

The Digital Natives are Here!

• Buy hardware for that → There is an app for that
• I need an iron-clad application → I need an app store
• License to own a product → License to use a service
• Build to last → Build to replace
• Expect it to be $$$ → $1.00 maybe?

Page 17

A New Paradigm for a New IT Worker

• Designed for endurance → Designed to accept failure
• Operated with a tech sense → Operated with a business sense
• Service optional → Service first

Page 18

Is Cloud a Tipping Point?

• Cloud Computing is mature IT, but it’s also flexible IT, mission-aligned IT and, for some, it’s also cool IT
• Cloud Computing changes users’ expectations and promises a simplified, business-oriented approach
• What IT organizations fear about the cloud is the potential of losing control
• Cloud Computing does force IT organizations out of their comfort zone

Cloud Computing will soon become “IT as usual”, but it will surely impact all IT organizations

Page 19

Strategizing for a Cloud-Based Government

Yes. We do need a strategy!

Page 20

Government Specific Considerations

• Procurement Vehicles
• Budget Cycles
• Security & Compliance
• Service Level Management
• Portability & Interoperability
• Organizational Change Management
• Politics

Page 21

A Gap Example: The Power Grid Analogy

One Metric = One SLA = Life is Simple

Page 22

A Gap Example: The Power Grid Analogy

Many Metrics = Many SLAs = Life is Complicated

Page 23

The Power Grid Analogy

• Who reads the meters?
• Who trusts the readings?
• Who controls spending?
• Who makes the decisions?

Page 24

Developing a Realistic Cloud Plan

• Understand the Cloud Concepts
• Approach cloud as part of your strategy, but not as an ultimate solution!
• Identify the cloud solutions or technology components that make sense for your organization
• First envision, then architect
• Do not keep your strategy a secret
  – Visualize
  – Communicate
  – Publicize
• Use proven frameworks to reduce risks
  – TOGAF, DODAF, FEAF, ITIL

Page 25

SRA’s Cloud Computing Support Services

• Strategy: Cloud Strategy Development
• Readiness: Cloud Readiness Assessment
• Engineering: Cloud Architecture Modernization; Cloud Migration Planning and Execution; Cloud Software Modernization; Cloud Software & Services Integration
• Management: Cloud Service Management & Governance; Cloud Security Management

SRA Cloud Computing Support Services cover the complete cloud lifecycle to ensure comprehensive alignment of Cloud Services with our customers’ business and mission objectives

Page 26

SRA’s Cloud Brokerage CONOPS (diagram)

Parties: Federal Cloud Consumers; Cloud Service Enabler (Full Broker); Cloud Service Providers (AWS); FedRAMP 3PAOs

Other labels in the diagram: Application Management and Oversight; Program & Portfolio Management; Project Management; Initial & Periodic Security Control Assessment; Security Control Documentation Auditing; Service Levels; Security & Compliance; Warranty Support; Response Support; Cloud Service Orchestration; Cloud Backbone Management (IaaS, PaaS, SaaS); Discovery Support; Mission and Architectural Requirements and Objectives; Requirements Changes; Architectural Options; Unified Service, Performance & Financial Reporting; Trend & Predictive Analysis; Service Management; Cloud Lifecycle Management; Portability & Interoperability Management; Cloud On-Boarding & Off-Boarding; Pre-negotiated SLAs & Pricing; Cloud APIs; Security Controls Documentation; Cloud Assessment

Page 27

Cloud Security is a Shared Responsibility

Layers shown in the diagram: Transport Systems; Service Management; Engineering & Administration Personnel; Operating Systems; Data; Applications; Datacenter Personnel; Physical Infrastructure; Physical Servers; Hypervisors

Responsibility categories (key): Customer and Cloud Systems Integrator Responsibility; Cloud Service Provider Responsibility; Joint Responsibility

Stratify™: SRA’s Stratify allows federal CIOs and CSOs to address cloud security and compliance gaps by bridging FedRAMP and FISMA moderate controls with a realistic, practical and cloud-centric architecture

Page 28

The Stratify Reference Architecture Model (figure)

Page 29

Anatomy of a Cloud

A successful cloud implementation requires providing solution(s) for all required components as well as all the optional components required by the environment.

Page 30

Anatomy of a Secure Cloud

To be able to call a cloud solution a “Secure” one, four elements should be introduced: Security Technology, Security Reporting, Governance & Continual Improvement, and Compliance Validation

Page 31

Stratify – a Reference Architecture

Architectural components:

• Data Security Management
• Physical Security
• Data-at-Rest Encryption
• Data-in-Transit Encryption
• Logs Collection & Analysis
• Intrusion Detection & Prevention
• Security Audit Management
• Incident Response, Notification and Remediation
• Network Behavioral Anomaly Detection
• Continuous Vulnerability Monitoring & Remediation
• Network Access Controls
• Managed Security Devices
• Data Loss Prevention
• Configuration Management: Asset Discovery & Control; Configuration Control; Image Management; Baseline Compliance
• Identity & Access Management: Multi-factor Authentication; Single-Sign-On
• Malware Defense
• Application Software Security
• Data Resilience
• Authorization Management
• Perimeter Defense
• External Penetration Testing & Compliance Validation

Cross-cutting layers (side bars in the diagram):

• Security Reporting: Compliance Dashboards; Alerts Management
• Governance & Continual Improvement: Personnel Security; Training & Talent Management

Page 32

Reference Architecture – Applicability Example

(Same component diagram as Page 31, with each component color-coded by the key: Must Have / Good to Have)

The applicability of certain architectural components to a specific environment is highly influenced by SRA’s customer intimacy, understanding of strategic goals, and the applied use case

Page 33

Reference Architecture – Responsibilities & Ownership Example

(Same component diagram as Page 31, with each component color-coded by the key: CSP / Enabler / Joint / Customer/SI)

Understanding the scope of ownership and responsibility for each of the architectural components is essential, as Cloud Security cannot be successful unless its underlying responsibilities are well defined and communicated to each of the players

Page 34

Modular Implementations Approach

(Two copies of the Page 31 component diagram, showing the architecture split into modules)

Stratify can be applied as a blueprint architecture where an agency would map each of the architectural components to existing and road-mapped investments in security products.

The modular Stratify architecture enables government agencies to utilize their existing security product investments to secure their cloud implementations. Using it as a target integration architecture also highlights any gaps that could be remediated using proven technology.

It could also be applied holistically as a turnkey packaged solution (with all its recommended products), especially when new programs or green-field initiatives are commenced in the cloud.

Page 35

Mapping to Key Security Frameworks (figure)

Page 36

Partner & Product Selection Criteria

• Tool Areas Mapping
• Stable Business Model
• Gartner/Forrester Assessment
• Proven in Government
• Thought Leader
• Comprehensive
• Feasible
• Practical
• Cost Effective
• Stratify Partner
• Cloud Offerings and Licensing Model
• Integration Capabilities (APIs)

Page 37

Partner Mapping to Reference Architecture (figure)

Page 38

My Final Message

• The Cloud is here, and the government is starting to consider it in its strategy
• With new opportunities come new challenges
• The Cloud will have an impact on the way the government supports its mission
• It will also have an impact on how commercial vendors and FSI conduct business with the government
• The impact should not be overlooked!!!

Page 39

Questions & Contact Information

Majed Saadi, Director, Cloud Computing Practice, SRA International

Email: [email protected]
LinkedIn: http://www.linkedin.com/in/majedsaadi
Twitter: @majedsaadi
ohCloud Blog: http://ohCloud.blogspot.com

Page 40

Key Stratify Outputs

• Security Reference Architecture Model – details the different technology components that constitute secure cloud environments and their interrelationships. Focuses on common IaaS use scenarios and provides the blueprints for employing them.
• Mapping to Key Security Frameworks and Controls – assists CIOs and CSOs in making the cloud migration decision in the context of the proven models (FISMA, SANS 20, FedRAMP, etc.)
• Technology Recommendations – lists proven best-of-breed technical solutions along with their associated vendors and aligns them with the architectural components detailed in the Security Reference Architecture Models
• Compliancy Dashboards – provides CSOs with the ability to monitor their cloud environments with government-oriented security metrics

Page 41

Stratify Demo

Page 42

Demo reference deployment (diagram; repeated unchanged on Pages 43–46 as the demo progresses)

Diagram labels: GovCloud Region; Availability Zone A; Availability Zone B; App VPC Subnet; DB VPC Subnet; Security VPC Subnet; Agency Data center; VPN Gateway; Internet Gateway; Elastic Load Balancing; Auto scaling Group (one per zone); Secure AMI Library; Logs Correlation Tool; Penetration Testing Tool; Anti-Virus Tool; Configuration Control Tool; Aggregation Dashboards; Vulnerability Scanning & Monitoring Tool; Advanced Firewall Tool; Simulated Attack

Pages 47–54

(No text extracted apart from the demo annotations: Attack Initiated; Clean Results; How Vulnerable Systems will show; Recommended)