(1)

Securing Government Clouds

Preparing for the Rainy Days

Majed Saadi

(2)


Agenda

1. The Cloud: Opportunities and Challenges
2. Cloud’s Potential for Providing Government Services
3. Strategizing for a Cloud-Based Government
4. Stratify: a Cloud Security Framework

(3)

SRA at a Glance…

• More than 6,300 employees across the country and around the world
• 90% of FY11 $1.7 billion in revenue generated as a prime contractor
• Founded in 1978, SRA is dedicated to delivering innovative solutions to the US Federal Government.
• Approved FedRAMP 3PAO Assessor
• Current Cloud Vehicles: Army Private Cloud (APC2); GSA Email as a Service (EaaS) GWAC; FedRAMP 3PAO

Updated: 6/15/2012

SRA Proprietary

(4)


SRA’s Cyber Security Heritage

Callout: SRA Wins a Seat on the DHS CMaaS BPA

Timeline spanning 1998, 2000, 2002, 2004, 2006, 2008, 2010 and 2012, with these milestones:

• Privacy Practice Established (DHS First Client)
• Developed the First Automated System Security Evaluation and Remediation Tracking Tool with the EPA (ASSERT)
• Received Highest DoD CCRI Rating to Date (JSIN and EUCOM/AFRICOM Projects)
• One of the First Federal ISO 27001 Certs for TSA SOC
• Accredited FedRAMP Independent Third Party Assessment Organization (Type C)
• Architect (Committers) of NSA Accumulo Secure Cloud
• Cybersecurity Big Data Capability using HADOOP
• Computer Network Exploitation Software and Services for the IC
• Cyber Security SOC Maturity Model Developed
• Received NSA IA-CMM Rating (Highest Rating Across Federal Contractors)
• SecureElite SRA SDLC Finalized
• Cyber Security Practice Established
• CyberRisk Compliance Process Developed
• Security Program Maturity Model
• Congressional Scorecards (5 of the 7 ‘A’ Scores are SRA Customers)

SRA has always been focused on the protection of the Federal Government, beginning with Continuity of Operations work in the late 80s… …moving to Critical Infrastructure Protection and cybersecurity in the 2000s, focusing on continuous diagnostics and mitigation, SOC operations, and cybersecurity preparedness…

(5)

The Cloud: Opportunities and Challenges

What do you need to know about government and the cloud?

And why should you care?

(6)


Cloud & Cloud Security Trends

(7)


Government Cloud Computing Drivers

• Reduce infrastructure overhead (equipment & personnel) using cost controlled, easy to manage processing power
• Complying with federal mandates (Cloud First)
• Transfer infrastructure risks to contractors or service providers
• Satisfy short-term & short notice needs (Surges)
• Enhance service availability & remote accessibility options
• Increase agility in responding to infrastructure change requirements
• Facilitate proprietary application modernization, development and integration
• Improve business continuity & disaster recovery
• Improve the enterprise Green IT posture

Why move to the Cloud? IT Efficiency; Flexibility & Elasticity; Compliance

(8)


Questions on Our Customers’ Minds

• How do I ensure that I have complete FISMA compliance with a FedRAMP cloud?
• How do I transform my IT shop to allow my customers to consume cloud services from a centralized service catalog?
• How do I enable my agency to benefit from commodity cloud services while ensuring compliance?

(9)


The US Government & The Cloud – An Update

• Cloud First Initiative
 – Potential Savings ~$20 Billion
 – 25% of IT Budget
• Federal Data Center Consolidation Initiative (FDCCI)
 – Close or consolidate ~1,200 of ~2,900 federal data centers
 – Expected savings ~$2.4-$5 billion
• IaaS & EaaS BPAs
• Other Initiatives
 – PortfolioStat
 – Mobility
 – Digital Government Strategy

(10)

Privacy and Security Legal Requirements

• Federal
 – GLBA
 – FTCA
 – SOX
 – FCRA/FACTA
 – HIPAA
 – FISMA, DIACAP
 – FERPA
 – 21 C.F.R. Part 11 (FDA Regulations)
 – Executive Orders and Agency Memoranda
 – COPPA
 – Federal Risk and Authorization Management Program (FedRAMP)
• State
 – Notice of Security Breach
 – Other State Laws
• International
 – EU Data Protection Directive Member Countries
 – Canada PIPEDA
 – Others (e.g., UK, Japan, Australia)
• Private Contractual Requirements and Standards
 – PCI DSS
 – Business Associate Agreements
 – Service Provider Agreements
 – NIST
 – MPAA
 – ISO 27001, 27002, etc.

(11)

FedRAMP’s Purpose

The Problem
• A duplicative, inconsistent, time consuming, costly and inefficient cloud security risk management approach with little incentive to leverage existing Authorizations to Operate (ATOs) among agencies.

The Solution: FedRAMP
• Unified risk management approach
• Uniform set of approved, minimum security controls (FISMA Low and Moderate Impact)
• Consistent assessment process
• Provisional ATO

Slide 11 4/21/2014

(12)

FedRAMP Executive Sponsors

• US-CERT Incident Coordination
• CyberScope Continuous Monitoring Data Analysis
• Office of Management and Budget

(13)

Cloud’s Potential for Providing Government Services

(14)


The Demand for Change is Great

• Sequestration
• Budget Cuts
• Mobile Workforce
• Shadow IT

(15)


(16)


The Digital Natives are Here!

Before:
• Buy hardware for that
• I need an iron clad application
• License to own a product
• Build to last
• Expect it to be $$$

Digital natives:
• There is an app for that
• I need an app store
• License to use a service
• Build to replace

(17)


A New Paradigm for a New IT Worker

Old paradigm:
• Designed for endurance
• Operated with a tech sense
• Service optional

New paradigm:
• Designed to accept failure
• Operated with a business sense
• Service first

(18)


Is Cloud a Tipping Point?

• Cloud Computing is mature IT, but it’s also flexible IT, mission aligned IT and for some it’s also cool IT
• Cloud Computing changes users’ expectations and promises a simplified business oriented approach
• What IT organizations fear about the cloud is the potential of losing control.
• Cloud Computing does force IT organizations out of their comfort zone

Cloud Computing will soon become “IT as usual”, but it will surely impact all IT organizations.

(19)

Strategizing for a Cloud-Based Government

(20)


Government Specific Considerations

• Procurement Vehicles
• Budget Cycles
• Security & Compliance
• Service Level Management
• Portability & Interoperability
• Organizational Change Management
• Politics

(21)


A Gap Example: The Power Grid Analogy

One Metric = One SLA = Life is Simple

(22)


A Gap Example:

Many Metrics = Many SLAs = Life is Complicated

(23)


The Power Grid Analogy

Who reads the meters?

Who trusts the readings?

Who controls Spending?

Who makes the decisions?

(24)


Developing a Realistic Cloud Plan

• Understand the Cloud Concepts
• Approach cloud as part of your strategy, but not as an ultimate solution!
• Identify the cloud solutions or technology components that make sense to your organization
• First envision, then architect
• Do not keep your strategy a secret
 – Visualize
 – Communicate
 – Publicize
• Use proven framework to reduce risks
 – TOGAF, DODAF, FEAF, ITIL

(25)


SRA’s Cloud Computing Support Services

• Strategy: Cloud Strategy Development
• Readiness: Cloud Readiness Assessment
• Engineering: Cloud Architecture
• Modernization: Cloud Migration Planning and Execution; Cloud Software Modernization; Cloud Software & Services Integration
• Management: Cloud Service Management & Governance; Cloud Security Management

SRA Cloud Computing Support Services cover the complete cloud lifecycle to ensure comprehensive alignment of Cloud Services with our customers’

(26)


SRA’s Cloud Brokerage CONOPS

Actors in the diagram: Federal Cloud Consumers; FedRAMP 3PAOs; Cloud Service Enabler (Full Broker); Cloud Service Providers (AWS)

Functions and artifacts shown:
• Application Management and Oversight
• Initial & Periodic Security Control Assessment
• Security Control Documentation Auditing
• Program & Portfolio Management; Project Management
• Service Levels; Pre-negotiated SLAs & Pricing
• Security & Compliance Warranty Support; Response Support
• Cloud Service Orchestration; Cloud Backbone Management (IaaS, PaaS, SaaS)
• Discovery Support; Mission and Architectural Requirements and Objectives; Requirements Changes; Architectural Options
• Unified Service, Performance & Financial Reporting; Trend & Predictive Analysis
• Service Management; Cloud Lifecycle Management; Portability & Interoperability Management; Cloud On-Boarding & Off-Boarding
• Cloud APIs; Security Controls Documentation; Cloud Assessment

(27)


Cloud Security is a Shared Responsibility

Stack elements shown: Data; Applications; Operating Systems; Hypervisors; Physical Servers; Physical Infrastructure; Datacenter Personnel

Cross-cutting columns: Transport Systems; Service Management; Engineering & Administration; Personnel

Legend: Customer and Cloud Systems Integrator Responsibility; Cloud Service Provider Responsibility; Joint Responsibility

Stratify™

SRA’s Stratify allows federal CIOs and CSOs to address cloud security and compliance gaps by bridging FedRAMP and FISMA moderate controls with a realistic, practical and cloud-centric architecture.

(28)

The Stratify Reference Architecture Model

(29)


Anatomy of a Cloud

A successful cloud implementation requires providing solution(s) for all required components as well as all the optional components required by

(30)


Anatomy of a Secure Cloud

Elements shown in the diagram: Governance & Continual Improvement; Compliance Validation; Security Technology; Security Reporting

To be able to call a cloud solution a “Secure” one, four elements should be introduced: Security Technology, Security Reporting, Governance & Continual Improvement, and Compliance Validation.

(31)

Stratify – a Reference Architecture

Cross-cutting bands: Security Reporting; Governance & Continual Improvement

Components:
• Data Security Management
• Physical Security
• Data-at-Rest Encryption
• Logs Collection & Analysis
• Data-in-Transit Encryption
• Intrusion Detection & Prevention
• Security Audit Management
• Compliance Dashboards
• Incident Response, Notification and Remediation
• Network Behavioral Anomaly Detection
• Continuous Vulnerability Monitoring & Remediation
• Network Access Controls
• Managed Security Devices
• Data Loss Prevention
• Configuration Management: Asset Discovery & Control; Configuration Control; Image Management; Baseline Compliance
• Alerts Management
• Identity & Access Management: Multi-factor Authentication; Single-Sign-On
• Malware Defense
• Application Software Security
• Data Resilience
• Personnel Security Training & Talent Management
• Authorization Management
• Perimeter Defense

(32)

Reference Architecture – Applicability Example

Key: Must Have / Good to Have

Components (the Stratify reference architecture diagram, plus External Penetration Testing & Compliance Validation): Data Security Management; Physical Security; Security Reporting; Data-at-Rest Encryption; Logs Collection & Analysis; Data-in-Transit Encryption; Intrusion Detection & Prevention; Security Audit Management; Compliance Dashboards; Incident Response, Notification and Remediation; Network Behavioral Anomaly Detection; Continuous Vulnerability Monitoring & Remediation; Network Access Controls; Managed Security Devices; Data Loss Prevention; Configuration Management (Asset Discovery & Control, Configuration Control, Image Management, Baseline Compliance); Alerts Management; Identity & Access Management (Multi-factor Authentication, Single-Sign-On); Malware Defense; Application Software Security; Data Resilience; Governance & Continual Improvement; Personnel Security Training & Talent Management; Authorization Management; Perimeter Defense; External Penetration Testing & Compliance Validation

The applicability of certain architectural components to a specific environment is highly influenced by SRA’s customer intimacy, understanding of strategic goals, and the applied use case.

(33)

Reference Architecture – Responsibilities & Ownership Example

Key: CSP / Enabler / Joint

Components (the Stratify reference architecture diagram, plus External Penetration Testing & Compliance Validation): Data Security Management; Physical Security; Security Reporting; Data-at-Rest Encryption; Logs Collection & Analysis; Data-in-Transit Encryption; Intrusion Detection & Prevention; Security Audit Management; Compliance Dashboards; Incident Response, Notification and Remediation; Network Behavioral Anomaly Detection; Continuous Vulnerability Monitoring & Remediation; Network Access Controls; Managed Security Devices; Data Loss Prevention; Configuration Management (Asset Discovery & Control, Configuration Control, Image Management, Baseline Compliance); Alerts Management; Identity & Access Management (Multi-factor Authentication, Single-Sign-On); Malware Defense; Application Software Security; Data Resilience; Governance & Continual Improvement; Personnel Security Training & Talent Management; Authorization Management; Perimeter Defense; External Penetration Testing & Compliance Validation

Understanding the scope of ownership and responsibility for each of the architectural components is essential, as Cloud Security cannot be successful unless its underlying responsibilities are well defined and communicated to each of the players.

(34)


Modular Implementations Approach

The slide shows two copies of the Stratify reference architecture diagram: Data Security Management; Physical Security; Security Reporting; Logs Collection & Analysis; Intrusion Detection & Prevention; Security Audit Management; Incident Response, Notification and Remediation; Network Behavioral Anomaly Detection; Continuous Vulnerability Monitoring & Remediation; Network Access Controls; Managed Security Devices; Configuration Management; Identity & Access Management; Malware Defense; Application Software Security; Governance & Continual Improvement; Perimeter Defense; External Penetration Testing & Compliance Validation.

Stratify can be applied as a blueprint architecture where an agency would map each of the architectural components to existing and road-mapped investments in security products.

The modular Stratify architecture enables government agencies to utilize their existing security product investments to secure their cloud implementations. Using it as a target integration architecture also highlights any gaps that could be remediated using proven technology.

It could also be applied holistically as a turnkey packaged solution (with all its recommended products), especially when new programs or green field initiatives are commenced in the cloud.

(35)


Mapping to Key Security Frameworks

(36)

Partner & Product Selection Criteria

Stratify Partner (center of the criteria diagram), evaluated against:
• Tool Areas Mapping
• Stable Business Model
• Gartner/Forrester Assessment
• Proven in Government
• Thought Leader
• Comprehensive
• Feasible
• Practical
• Cost Effective
• Cloud Offerings and Licensing Model
• Integration Capabilities (APIs)

(37)

Partner Mapping to Reference Architecture

(38)


My Final Message

• The Cloud is here, and the government is starting to consider it in its strategy
• With new opportunities come new challenges
• The Cloud will have an impact on the way the government supports its mission
• It will also have an impact on how commercial vendors and FSI conduct business with the government

(39)


Questions & Contact Information

Majed Saadi
Director, Cloud Computing Practice
SRA International
Email: majed_saadi@sra.com
LinkedIn: http://www.linkedin.com/in/majedsaadi
Twitter: @majedsaadi

(40)


Key Stratify Outputs

• Security Reference Architecture Model: details the different technology components that constitute secure cloud environments and their interrelationships. Focus on common IaaS use scenarios and provide the blueprints for employing them.
• Mapping to Key Security Frameworks and Controls: to assist CIOs and CSOs in making the cloud migration decision in the context of the proven models (FISMA, SANS 20, FedRAMP, etc.)
• Technology Recommendations: lists proven best-of-breed technical solutions along with their associated vendors and aligns them with the architectural components detailed in the Security Reference Architecture Models
• Compliancy Dashboards: provides CSOs with the ability to monitor their cloud environments with government-oriented security metrics

(41)

Stratify Demo

(42)

Demo environment (diagram labels):

• GovCloud Region with Availability Zone A and Availability Zone B
• App VPC Subnet and DB VPC Subnet, with two Auto Scaling Groups
• Security VPC Subnet; Secure AMI Library; Elastic Load Balancing; Internet Gateway
• VPN Gateway connecting to the Agency Data center
• Tools: Logs Correlation Tool; Penetration Testing Tool; Anti-Virus Tool; Configuration Control Tool; Aggregation Dashboards; Vulnerability Scanning & Monitoring Tool; Advanced Firewall Tool; Simulated Attack
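The demo diagram separates App, DB and Security VPC subnets across two Availability Zones, with a VPN Gateway to the agency data center and an Internet Gateway on the public side. The following is an added example (not SRA's code or the deck's demo tooling) that models that layout with constructed CIDRs, ports and route targets and checks four segmentation invariants a CSO would want the aggregation dashboards to report on: no Internet route from the DB tier, DB ingress only from App subnets on the database port, Security-subnet ingress only from inside the VPC or over the VPN, and each tier present in both Availability Zones. All subnet names, addresses and the hypothetical `evaluate` policy are assumptions for illustration.

```python
"""Segmentation checks for a two-AZ GovCloud layout (added example, not from the deck).
Subnet names, CIDRs, ports and route targets are constructed; they mirror the demo's
labels (App/DB/Security VPC subnets, VPN Gateway, Internet Gateway, AZ A and B)."""
from dataclasses import dataclass
from ipaddress import ip_network
from typing import Dict, List, Tuple

VPC_CIDR = "10.0.0.0/16"         # constructed: the GovCloud VPC
AGENCY_CIDR = "192.168.0.0/16"   # constructed: agency data center reached over the VPN Gateway
DB_PORT = 5432                   # constructed: the only port the DB tier should expose


@dataclass(frozen=True)
class Subnet:
    tier: str                              # "app", "db" or "sec"
    cidr: str
    az: str                                # "a" or "b" for Availability Zone A / B
    routes: Tuple[Tuple[str, str], ...]    # (destination CIDR, target): "local", "igw" or "vgw"


@dataclass(frozen=True)
class IngressRule:
    src_cidr: str
    port: int
    dst: str                               # name of the subnet the rule is attached to


def _within(src_cidr: str, cidr: str) -> bool:
    """True when src_cidr lies entirely inside cidr (0.0.0.0/0 never does)."""
    return ip_network(src_cidr).subnet_of(ip_network(cidr))


def evaluate(subnets: Dict[str, Subnet], rules: List[IngressRule]) -> List[str]:
    """Return one finding per violated invariant; an empty list means the layout conforms."""
    findings: List[str] = []
    app_cidrs = [s.cidr for s in subnets.values() if s.tier == "app"]
    # 1. The DB tier must never route through the Internet Gateway.
    for name, s in subnets.items():
        if s.tier == "db" and any(target == "igw" for _, target in s.routes):
            findings.append(f"{name}: DB subnet has a route to the Internet Gateway")
    for r in rules:
        dst = subnets[r.dst]
        # 2. Only App subnets may reach the DB tier, and only on DB_PORT.
        if dst.tier == "db":
            if r.port != DB_PORT:
                findings.append(f"{r.dst}: DB ingress on port {r.port}, expected {DB_PORT}")
            if not any(_within(r.src_cidr, c) for c in app_cidrs):
                findings.append(f"{r.dst}: DB ingress from {r.src_cidr}, not an App subnet")
        # 3. The Security subnet (tooling, dashboards) accepts traffic only from inside the
        #    VPC or from the agency network over the VPN, never directly from the Internet.
        if dst.tier == "sec" and not (_within(r.src_cidr, VPC_CIDR) or _within(r.src_cidr, AGENCY_CIDR)):
            findings.append(f"{r.dst}: Security subnet ingress from {r.src_cidr} outside VPC/VPN ranges")
    # 4. App and DB tiers must each be present in both Availability Zones.
    for tier in ("app", "db"):
        azs = {s.az for s in subnets.values() if s.tier == tier}
        if len(azs) < 2:
            findings.append(f"{tier}: tier deployed in only {len(azs)} Availability Zone(s)")
    return findings


_LOCAL = ((VPC_CIDR, "local"),)
_PUBLIC = ((VPC_CIDR, "local"), ("0.0.0.0/0", "igw"))

# Constructed conforming layout.
GOOD_SUBNETS = {
    "app-a": Subnet("app", "10.0.1.0/24", "a", _PUBLIC),
    "app-b": Subnet("app", "10.0.2.0/24", "b", _PUBLIC),
    "db-a": Subnet("db", "10.0.11.0/24", "a", _LOCAL),
    "db-b": Subnet("db", "10.0.12.0/24", "b", _LOCAL),
    "sec-a": Subnet("sec", "10.0.100.0/24", "a", _LOCAL + ((AGENCY_CIDR, "vgw"),)),
}
GOOD_RULES = [
    IngressRule("0.0.0.0/0", 443, "app-a"),          # Internet via Elastic Load Balancing
    IngressRule("0.0.0.0/0", 443, "app-b"),
    IngressRule("10.0.1.0/24", DB_PORT, "db-a"),
    IngressRule("10.0.2.0/24", DB_PORT, "db-a"),
    IngressRule("10.0.1.0/24", DB_PORT, "db-b"),
    IngressRule("10.0.2.0/24", DB_PORT, "db-b"),
    IngressRule(AGENCY_CIDR, 443, "sec-a"),           # dashboards viewed from the agency over VPN
    IngressRule(VPC_CIDR, 514, "sec-a"),              # syslog from in-VPC hosts to log correlation
]

# Constructed drifted layout: DB exposed to the Internet and collapsed to a single AZ.
BAD_SUBNETS = {
    "app-a": GOOD_SUBNETS["app-a"],
    "app-b": GOOD_SUBNETS["app-b"],
    "db-a": Subnet("db", "10.0.11.0/24", "a", _PUBLIC),
    "sec-a": GOOD_SUBNETS["sec-a"],
}
BAD_RULES = [
    IngressRule("0.0.0.0/0", 443, "app-a"),
    IngressRule("0.0.0.0/0", DB_PORT, "db-a"),        # world-reachable database
    IngressRule("0.0.0.0/0", 443, "sec-a"),           # dashboards exposed to the Internet
]


def conforming_findings() -> List[str]:
    return evaluate(GOOD_SUBNETS, GOOD_RULES)


def drifted_findings() -> List[str]:
    return evaluate(BAD_SUBNETS, BAD_RULES)


if __name__ == "__main__":
    for label, found in (("conforming", conforming_findings()), ("drifted", drifted_findings())):
        print(f"{label}: {len(found)} finding(s)")
        for f in found:
            print("  -", f)
```

Running the module prints no findings for the conforming layout and four for the drifted one (the DB route to the Internet Gateway, the world-reachable database port, the Internet-exposed dashboards, and the DB tier present in only one Availability Zone). In practice the `Subnet` and `IngressRule` records would be populated from the provider's route-table and security-group inventory rather than hand-written.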

(43)

(44)

(45)

(46)

(47)
(48)
(49)
(50)
(51)
(52)
(53)
(54)

Attack Initiated

Clean Results

How Vulnerable Systems will show
