Securing Government Clouds: Preparing for the Rainy Days
Majed Saadi
Director, Cloud Computing Practice
Agenda
1. The Cloud: Opportunities and Challenges
2. Cloud’s Potential for Providing Government Services
3. Strategizing for a Cloud-Based Government
4. Stratify: a Cloud Security Framework
5. Questions
SRA at a Glance…
More than 6,300 employees across the country and around the world
90% of FY11 $1.7 billion in revenue generated as a prime contractor
Founded in 1978, SRA is dedicated to delivering
innovative solutions to the US Federal
Government.
Updated: 6/15/2012
SRA Proprietary
Approved FedRAMP 3PAO Assessor
Current Cloud Vehicles:
• Army Private Cloud (APC2)
• GSA Email as a Service (EaaS) GWAC
• FedRAMP 3PAO
SRA Wins a Seat on the DHS CMaaS BPA
SRA’s Cyber Security Heritage (timeline, 1998–2012)
SRA has always been focused on the protection of the Federal Government, beginning with Continuity of Operations work in the late 80s, moving to Critical Infrastructure Protection and cybersecurity in the 2000s, and focusing on continuous diagnostics and mitigation, SOC operations, and cybersecurity preparedness.
Milestones:
• Privacy Practice Established (DHS First Client)
• Developed the First Automated System Security Evaluation and Remediation Tracking Tool with the EPA (ASSERT)
• Received Highest DoD CCRI Rating to Date (JSIN and EUCOM/AFRICOM Projects)
• One of the First Federal ISO 27001 Certs for TSA SOC
• Accredited FedRAMP Independent Third Party Assessment Organization (Type C)
• Architect (Committers) of NSA Accumulo Secure Cloud
• Cybersecurity Big Data Capability using HADOOP
• Computer Network Exploitation Software and Services for the IC
• Cyber Security SOC Maturity Model Developed
• Received NSA IA-CMM Rating (Highest Rating Across Federal Contractors)
• SecureElite SRA SDLC Finalized
• Cyber Security Practice Established
• CyberRisk Compliance Process Developed
• Security Program Maturity Model
• Congressional Scorecards (5 of the 7 ‘A’ Scores are SRA Customers)
The Cloud: Opportunities and Challenges
What do you need to know about government and the cloud? And why should you care?
Cloud & Cloud Security Trends
Government Cloud Computing Drivers
Why move to the Cloud? IT Efficiency, Flexibility & Elasticity, Compliance
• Reduce infrastructure overhead (equipment & personnel) using cost controlled, easy to manage processing power
• Comply with federal mandates (Cloud First)
• Transfer infrastructure risks to contractors or service providers
• Satisfy short-term & short notice needs (surges)
• Enhance service availability & remote accessibility options
• Increase agility in responding to infrastructure change requirements
• Facilitate proprietary application modernization, development and integration
• Improve business continuity & disaster recovery
• Improve the enterprise Green IT posture
Questions on Our Customers’ Minds
• How do I ensure that I have complete FISMA compliance with a FedRAMP cloud?
• How do I transform my IT shop to allow my customers to consume cloud services from a centralized service catalog?
• How do I enable my agency to benefit from commodity cloud services while ensuring compliance and security?
The US Government & The Cloud – An Update
• Cloud First Initiative – Potential Savings ~$20 Billion
– 25% of IT Budget
• Federal Data Center Consolidation Initiative (FDCCI) – Close or consolidate ~1,200 of ~2,900 federal data centers
– Expected savings ~$2.4–$5 billion
• IaaS & EaaS BPAs
• Other Initiatives
– PortfolioStat
– Mobility
– Digital Government Strategy
Source: FCW.com
Privacy and Security Legal Requirements
• Federal
– GLBA
– FTCA
– SOX
– FCRA/FACTA
– HIPAA
– FISMA, DIACAP
– FERPA
– 21 C.F.R. Part 11 (FDA Regulations)
– Executive Orders and Agency Memoranda
– COPPA
– Federal Risk and Authorization Management Program (FedRAMP)
• State
– Notice of Security Breach
– Other State Laws
• International
– EU Data Protection Directive Member Countries
– Canada PIPEDA
– Others (e.g., UK, Japan, Australia)
• Private Contractual Requirements and Standards
– PCI DSS
– Business Associate Agreements
– Service Provider Agreements
– NIST
– MPAA
– ISO 27001, 27002, etc.
– Cloud Security Alliance (CSA)
FedRAMP’s Purpose
The Problem: a duplicative, inconsistent, time consuming, costly and inefficient cloud security risk management approach, with little incentive to leverage existing Authorizations to Operate (ATOs) among agencies.
The Solution: FedRAMP
• Unified risk management approach
• Uniform set of approved, minimum security controls (FISMA Low and Moderate Impact)
• Consistent assessment process
• Provisional ATO
Slide 11 4/21/2014
FedRAMP Executive Sponsors
• US-CERT Incident Coordination
• CyberScope Continuous Monitoring Data Analysis
Office of Management and Budget
Cloud’s Potential for Providing Government Services
Is the cloud really the solution?
The Demand for Change is Great
• Sequestration
• Budget Cuts
• Mobile Workforce
• Shadow IT
• Mandates
Dad, What is This?
The Digital Natives are Here!
Before | Digital natives
Buy hardware for that | There is an app for that
I need an iron clad application | I need an app store
License to own a product | License to use a service
Build to last | Build to replace
Expect it to be $$$ | $1.00 maybe?
A New Paradigm for a New IT Worker
Old paradigm | New paradigm
Designed for endurance | Designed to accept failure
Operated with a tech sense | Operated with a business sense
Service optional | Service first
Is Cloud a Tipping Point?
• Cloud Computing is mature IT, but it’s also flexible IT, mission aligned IT and, for some, it’s also cool IT
• Cloud Computing changes users’ expectations and promises a simplified, business oriented approach
• What IT organizations fear about the cloud is the potential of losing control
• Cloud Computing does force IT organizations out of their comfort zone
Cloud Computing will soon become “IT as usual”, but it will surely impact all IT organizations.
Strategizing for a Cloud-Based Government
Yes. We do need a strategy!
Government Specific Considerations
• Procurement Vehicles
• Budget Cycles
• Security & Compliance
• Service Level Management
• Portability & Interoperability
• Organizational Change Management
• Politics
A Gap Example: The Power Grid Analogy
One Metric = One SLA = Life is Simple
Many Metrics = Many SLAs = Life is Complicated
Who reads the meters? Who trusts the readings? Who controls spending? Who makes the decisions?
Developing a Realistic Cloud Plan
• Understand the cloud concepts
• Approach cloud as part of your strategy, but not as an ultimate solution!
• Identify the cloud solutions or technology components that make sense for your organization
• First envision, then architect
• Do not keep your strategy a secret
– Visualize
– Communicate
– Publicize
• Use proven frameworks to reduce risk
– TOGAF, DODAF, FEAF, ITIL
SRA’s Cloud Computing Support Services
• Strategy: Cloud Strategy Development
• Readiness: Cloud Readiness Assessment
• Engineering: Cloud Architecture Modernization; Cloud Migration Planning and Execution; Cloud Software Modernization; Cloud Software & Services Integration
• Management: Cloud Service Management & Governance; Cloud Security Management
SRA Cloud Computing Support Services cover the complete cloud lifecycle to ensure comprehensive alignment of Cloud Services with our customers’ business and mission objectives.
SRA’s Cloud Brokerage CONOPS (diagram)
Actors:
• Federal Cloud Consumers – Application Management and Oversight
• FedRAMP 3PAOs – Initial & Periodic Security Control Assessment; Security Control Documentation Auditing
• Cloud Service Enabler (Full Broker) – Program & Portfolio Management; Project Management
• Cloud Service Providers (AWS) – Service Levels; Security & Compliance Warranty Support; Response Support; Cloud Service Orchestration; Cloud Backbone Management (IaaS, PaaS, SaaS); Discovery Support
Flows between the actors:
• Mission and Architectural Requirements and Objectives
• Requirements Changes
• Architectural Options
• Unified Service, Performance & Financial Reporting
• Trend & Predictive Analysis
• Service Management
• Cloud Lifecycle Management
• Portability & Interoperability Management
• Cloud On-Boarding & Off-Boarding
• Pre-negotiated SLAs & Pricing
• Cloud APIs
• Security Controls Documentation
• Cloud Assessment
Cloud Security is a Shared Responsibility
Customer and Cloud Systems Integrator Responsibility: Applications; Data; Operating Systems
Joint Responsibility: Transport Systems; Service Management; Engineering & Administration Personnel
Cloud Service Provider Responsibility: Hypervisors; Physical Servers; Physical Infrastructure; Datacenter Personnel
Stratify™ – The Stratify Reference Architecture Model
SRA’s Stratify allows federal CIOs and CSOs to address cloud security and compliance gaps by bridging FedRAMP and FISMA moderate controls with a realistic, practical and cloud-centric architecture.
Anatomy of a Cloud
A successful cloud implementation requires providing solution(s) for all required components, as well as for the optional components that the environment requires.
Anatomy of a Secure Cloud
To be able to call a cloud solution a “Secure” one, four elements should be introduced: Security Technology, Security Reporting, Governance & Continual Improvement, and Compliance Validation.
Stratify – a Reference Architecture
Cross-cutting layers: Security Reporting (Compliance Dashboards; Alerts Management); Governance & Continual Improvement; Personnel Security; Training & Talent Management
Components:
• Data Security Management
• Physical Security
• Data-at-Rest Encryption
• Logs Collection & Analysis
• Data-in-Transit Encryption
• Intrusion Detection & Prevention
• Security Audit Management
• Incident Response, Notification and Remediation
• Network Behavioral Anomaly Detection
• Continuous Vulnerability Monitoring & Remediation
• Network Access Controls; Managed Security Devices
• Data Loss Prevention
• Configuration Management: Asset Discovery & Control; Configuration Control; Image Management; Baseline Compliance
• Identity & Access Management: Multi-factor Authentication; Single-Sign-On; Authorization Management
• Malware Defense
• Application Software Security
• Data Resilience
• Perimeter Defense
• External Penetration Testing & Compliance Validation
Reference Architecture – Applicability Example
Key: Must Have / Good to Have (the reference architecture components above are color-coded against this key for a given environment)
The applicability of certain architectural components to a specific environment is highly influenced by SRA’s customer intimacy, understanding of strategic goals, and the applied use case.
Reference Architecture – Responsibilities & Ownership Example
Key: CSP / Enabler / Joint / Customer/SI (the reference architecture components above are color-coded against this key)
Understanding the scope of ownership and responsibility for each of the architectural components is essential, as Cloud Security cannot be successful unless its underlying responsibilities are well defined and communicated to each of the players.
Modular Implementations Approach
Example subset of the reference architecture selected for one implementation: Data Security Management; Physical Security; Security Reporting; Logs Collection & Analysis; Intrusion Detection & Prevention; Security Audit Management; Incident Response, Notification and Remediation; Network Behavioral Anomaly Detection; Continuous Vulnerability Monitoring & Remediation; Network Access Controls; Managed Security Devices; Configuration Management; Identity & Access Management; Malware Defense; Application Software Security; Governance & Continual Improvement; Perimeter Defense; External Penetration Testing & Compliance Validation
Stratify can be applied as a blueprint architecture where an agency would map each of the architectural components to existing and road-mapped investments in security products.
The modular Stratify architecture enables government agencies to utilize their existing security product investments to secure their cloud implementations. Using it as a target integration architecture also highlights any gaps that could be remediated using proven technology.
It could also be applied holistically as a turnkey packaged solution (with all its recommended products), especially when new programs or green field initiatives are commenced in the cloud.
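The mapping exercise described above can be done mechanically once the reference architecture components, their tier (Must Have / Good to Have) and their owner (CSP / Enabler / Joint / Customer/SI) are written down. The Python below is an added example, not SRA's or Stratify's own tooling (Python is used for all added examples on this page): the component names come from the reference architecture on this page, but the tier and ownership assignments, the agency product inventory and the `CSP_PROVIDED` set are constructed assumptions. It reports components that no existing or road-mapped investment covers, grouped by tier and by who owns them, and separately lists the joint-owned must-haves, which are the ones that need a written split of duties before the gap can be called closed.

```python
"""Gap analysis of a Stratify-style reference architecture.

Added example, not SRA's code. Component names are from the reference
architecture; tiers, owners, the agency inventory and CSP_PROVIDED are
constructed for illustration.
"""
from collections import defaultdict

MUST, GOOD = "Must Have", "Good to Have"
CSP, ENABLER, JOINT, CUSTOMER = "CSP", "Enabler", "Joint", "Customer/SI"

# component -> (tier, owner); assumed values for an IaaS deployment
REFERENCE_ARCHITECTURE = {
    "Physical Security": (MUST, CSP),
    "Data-at-Rest Encryption": (MUST, CUSTOMER),
    "Data-in-Transit Encryption": (MUST, JOINT),
    "Logs Collection & Analysis": (MUST, ENABLER),
    "Intrusion Detection & Prevention": (MUST, ENABLER),
    "Incident Response, Notification and Remediation": (MUST, JOINT),
    "Continuous Vulnerability Monitoring & Remediation": (MUST, ENABLER),
    "Configuration Management": (MUST, CUSTOMER),
    "Identity & Access Management": (MUST, CUSTOMER),
    "Multi-factor Authentication": (MUST, CUSTOMER),
    "Malware Defense": (MUST, CUSTOMER),
    "Perimeter Defense": (MUST, JOINT),
    "External Penetration Testing & Compliance Validation": (MUST, ENABLER),
    "Network Behavioral Anomaly Detection": (GOOD, ENABLER),
    "Data Loss Prevention": (GOOD, CUSTOMER),
    "Single-Sign-On": (GOOD, CUSTOMER),
}

# Constructed agency inventory: product -> components it covers.
AGENCY_INVENTORY = {
    "SIEM (existing)": ["Logs Collection & Analysis"],
    "Vuln scanner (existing)": ["Continuous Vulnerability Monitoring & Remediation"],
    "Endpoint AV (existing)": ["Malware Defense"],
    "PIV/MFA gateway (road-mapped)": ["Identity & Access Management",
                                     "Multi-factor Authentication"],
    "Config baseline tool (existing)": ["Configuration Management"],
}

# Components inherited from the CSP's authorization (assumed).
CSP_PROVIDED = {"Physical Security"}


def coverage(reference, inventory, csp_provided):
    """Map each covered component to the products/inheritance that cover it."""
    covered = defaultdict(list)
    for product, comps in inventory.items():
        for comp in comps:
            if comp not in reference:
                raise KeyError(f"{product!r} maps to unknown component {comp!r}")
            covered[comp].append(product)
    for comp in csp_provided:
        covered[comp].append("CSP (inherited)")
    return covered


def gaps(reference, inventory, csp_provided=CSP_PROVIDED):
    """Uncovered components grouped as {tier: {owner: [component, ...]}}.

    Customer/SI-owned must-have gaps are what the agency has to fund;
    CSP- or Enabler-owned gaps should be checked against the provider's
    control documentation before buying anything.
    """
    covered = coverage(reference, inventory, csp_provided)
    result = {MUST: defaultdict(list), GOOD: defaultdict(list)}
    for comp, (tier, owner) in reference.items():
        if comp not in covered:
            result[tier][owner].append(comp)
    return {tier: dict(owners) for tier, owners in result.items()}


def joint_must_haves(reference):
    """Joint-owned must-haves: each needs a documented responsibility split."""
    return sorted(c for c, (tier, owner) in reference.items()
                  if tier == MUST and owner == JOINT)


if __name__ == "__main__":
    report = gaps(REFERENCE_ARCHITECTURE, AGENCY_INVENTORY)
    for tier in (MUST, GOOD):
        print(f"== {tier} gaps ==")
        for owner, comps in report[tier].items():
            for comp in comps:
                print(f"  [{owner:<11}] {comp}")
    print("Joint must-haves needing a documented responsibility split:")
    for comp in joint_must_haves(REFERENCE_ARCHITECTURE):
        print("  -", comp)
```

Running it against the constructed inventory leaves six must-have gaps (one customer-owned, three joint, two enabler-owned) and three good-to-have gaps; a real run would replace `AGENCY_INVENTORY` with the agency's product list and the tier/owner columns with the values agreed in the ownership example above.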
Mapping to Key Security Frameworks
Partner & Product Selection Criteria
Stratify Partner selection criteria:
• Tool Areas Mapping
• Stable Business Model
• Gartner/Forrester Assessment
• Proven in Government
• Thought Leader
• Comprehensive
• Feasible
• Practical
• Cost Effective
• Cloud Offerings and Licensing Model
• Integration Capabilities (APIs)
Partner Mapping to Reference Architecture
My Final Message
• The Cloud is here, and the government is starting to consider it in its strategy
• With new opportunities come new challenges
• The Cloud will have an impact on the way the government supports its mission
• It will also have an impact on how commercial vendors and FSIs conduct business with the government
• The impact should not be overlooked!
Questions & Contact Information
Majed Saadi Director, Cloud Computing Practice
SRA International
Email: [email protected]
LinkedIn: http://www.linkedin.com/in/majedsaadi
Twitter: @majedsaadi
ohCloud Blog: http://ohCloud.blogspot.com
Key Stratify Outputs
• Security Reference Architecture Model: details the different technology components that constitute secure cloud environments and their interrelationships. Focuses on common IaaS use scenarios and provides the blueprints for employing them.
• Mapping to Key Security Frameworks and Controls: assists CIOs and CSOs in making the cloud migration decision in the context of proven models (FISMA, SANS 20, FedRAMP, etc.).
• Technology Recommendations: lists proven best-of-breed technical solutions along with their associated vendors and aligns them with the architectural components detailed in the Security Reference Architecture Model.
• Compliance Dashboards: provide CSOs with the ability to monitor their cloud environments with government-oriented security metrics.
Stratify Demo
Demo reference deployment (diagram):
• AWS GovCloud Region spanning Availability Zone A and Availability Zone B
• App VPC Subnet and DB VPC Subnet, each with an Auto Scaling Group
• Security VPC Subnet
• Security tooling: Logs Correlation Tool; Penetration Testing Tool; Anti-Virus Tool; Configuration Control Tool; Aggregation Dashboards; Vulnerability Scanning & Monitoring Tool; Advanced Firewall Tool
• Secure AMI Library
• Elastic Load Balancing behind an Internet Gateway
• VPN Gateway to the Agency Data center
• Simulated Attack (demo walkthrough)
Demo sequence: Attack Initiated; Clean Results; How Vulnerable Systems will show
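The demo deployment above only holds up if the security groups actually enforce the tiering the diagram implies: the load balancer is the one tier that may accept traffic from the Internet (on 443), the app tier only from the load balancer and the security tooling, the database tier only from the app tier and the security tooling, and the security tooling only from the agency address range behind the VPN gateway. The Python below is an added example, not part of SRA's demo or Stratify: it audits ingress rules against that policy. The JSON is constructed in the shape of `aws ec2 describe-security-groups` output; the group IDs, group names, ports, the agency CIDR and the tier policy itself are assumptions.

```python
"""Audit security-group ingress for the three-tier GovCloud VPC in the demo.

Added example, not SRA's code. SAMPLE mimics the shape of
`aws ec2 describe-security-groups` (SecurityGroups -> IpPermissions ->
IpRanges / UserIdGroupPairs); IDs, names, CIDRs and POLICY are made up.
"""
import json

ANY_V4, ANY_V6 = "0.0.0.0/0", "::/0"
AGENCY_CIDR = "10.50.0.0/16"  # assumed agency space behind the VPN gateway

# Allowed ingress per tier (group name): sources and ports.
# "INTERNET" permits 0.0.0.0/0 or ::/0; "sg:<name>" permits another tier;
# "cidr:<range>" permits a specific address range.
POLICY = {
    "elb":      {"sources": {"INTERNET"}, "ports": {443}},
    "app":      {"sources": {"sg:elb", "sg:security"}, "ports": {8080, 22}},
    "db":       {"sources": {"sg:app", "sg:security"}, "ports": {5432, 22}},
    "security": {"sources": {"cidr:" + AGENCY_CIDR}, "ports": {443, 22}},
}

# Constructed describe-security-groups output with two deliberate mistakes:
# SSH on the app tier is open to the world, and the db tier allows all
# protocols from the security tier instead of just 5432/22.
SAMPLE = json.loads('''
{"SecurityGroups": [
 {"GroupId": "sg-0a1", "GroupName": "elb", "IpPermissions": [
   {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
    "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []}]},
 {"GroupId": "sg-0b2", "GroupName": "app", "IpPermissions": [
   {"IpProtocol": "tcp", "FromPort": 8080, "ToPort": 8080,
    "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-0a1"}]},
   {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
    "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []}]},
 {"GroupId": "sg-0c3", "GroupName": "db", "IpPermissions": [
   {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
    "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-0b2"}]},
   {"IpProtocol": "-1", "IpRanges": [],
    "UserIdGroupPairs": [{"GroupId": "sg-0d4"}]}]},
 {"GroupId": "sg-0d4", "GroupName": "security", "IpPermissions": [
   {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
    "IpRanges": [{"CidrIp": "10.50.0.0/16"}], "UserIdGroupPairs": []}]}
]}''')


def _ports(perm):
    """Port set of one IpPermission, or None for 'all protocols' (-1)."""
    if perm.get("IpProtocol") == "-1":
        return None
    return set(range(perm["FromPort"], perm["ToPort"] + 1))


def _sources(perm, names):
    """Normalize the rule's sources to the POLICY vocabulary."""
    out = set()
    for r in perm.get("IpRanges", []):
        out.add("INTERNET" if r["CidrIp"] == ANY_V4 else "cidr:" + r["CidrIp"])
    for r in perm.get("Ipv6Ranges", []):
        out.add("INTERNET" if r["CidrIpv6"] == ANY_V6 else "cidr:" + r["CidrIpv6"])
    for p in perm.get("UserIdGroupPairs", []):
        out.add("sg:" + names.get(p["GroupId"], p["GroupId"]))
    return out


def audit(describe_output, policy=POLICY):
    """Return (group name, reason) findings; an empty list means compliant."""
    groups = describe_output["SecurityGroups"]
    names = {g["GroupId"]: g["GroupName"] for g in groups}
    findings = []
    for g in groups:
        name = g["GroupName"]
        rule = policy.get(name)
        if rule is None:
            findings.append((name, "no tier policy defined for this group"))
            continue
        for perm in g["IpPermissions"]:
            ports = _ports(perm)
            if ports is None:
                findings.append((name, "rule allows all protocols/ports"))
            elif not ports <= rule["ports"]:
                extra = sorted(ports - rule["ports"])
                findings.append((name, f"ports {extra} not in tier policy"))
            for src in _sources(perm, names):
                if src not in rule["sources"]:
                    findings.append((name, f"source {src} not permitted for tier"))
    return findings


if __name__ == "__main__":
    for group, reason in audit(SAMPLE):
        print(f"{group}: {reason}")
```

The same function runs unchanged on real output (`aws ec2 describe-security-groups --output json`, with group names matched to tier names), and is the kind of check that belongs in the "Clean Results" step of the demo: the vulnerable configuration shows up as findings before any simulated attack is launched.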