Jim Reavis, Executive Director - PowerPoint PPT Presentation
1
Developing a Baseline On Cloud Security
  • Jim Reavis, Executive Director
  • Cloud Security Alliance
  • November 22, 2010

2
Purpose / Agenda
  • Purpose
    • Provide information about the current state of
      industry understanding and activities related to
      securing cloud computing, as a foundation for
      today's collaboration
  • Agenda
    • Defining Cloud
    • Reference Model
    • Architecture
    • FedRAMP
    • Cloud Guidance
    • Relating to Tracks

3
What is Cloud Computing?
  • Compute as a utility: the third major era of
    computing
    • Mainframe
    • PC / Client-Server
    • Cloud computing: on-demand model for allocation
      and consumption of computing
  • Cloud enabled by
    • Moore's Law: costs of compute and storage
      approaching zero
    • Hyperconnectivity: robust bandwidth from dotcom
      investments
    • Service Oriented Architecture (SOA)
    • Scale: major providers create massive IT
      capabilities

4
Broad Private/Public View
  • Ecosystem
  • Definitions/Ontology/Taxonomy
  • Architecture
  • Compliance
  • Threat research and modeling
  • Domains of Concern

5
NIST Defining Cloud
  • Characteristics
    • On-demand provisioning
    • Elasticity
    • Multi-tenancy
    • Measured service
  • Delivery Models
    • Infrastructure as a Service (IaaS): basic O/S,
      storage
    • Platform as a Service (PaaS): IaaS plus rapid dev
    • Software as a Service (SaaS): complete application
  • Deployment Modes
    • Public
    • Private
    • Hybrid
    • Community

6
CSA Cloud Reference Model
  • From CSA Architectural WG
  • 10-layer reference model view of cloud computing
  • Encourages a cumulative view of SaaS/PaaS/IaaS
    delivery

7
S-P-I context
  • SaaS (Software as a Service): you RFP security in
  • PaaS (Platform as a Service): you build security in
  • IaaS (Infrastructure as a Service): you build
    security in

8
Architectural Depictions
  • From Open Security Architecture
  • Actor-centric view of cloud architecture

9
Architectural Depictions
Service-centric architectural model from CSA
10
Federal Risk and Authorization Management Program
(FedRAMP)
  • A government-wide initiative to provide joint
    authorization services
  • FedRAMP PMO in GSA
  • Unified government-wide risk management
  • Agencies would leverage FedRAMP authorizations
    (when applicable)
  • Agencies retain their responsibility and
    authority to ensure use of systems that meet
    their security needs
  • FedRAMP would provide an optional service to
    agencies

11
Federal Risk and Authorization Management Program
(FedRAMP)
12
FedRAMP Authorization Request Process
There are 3 ways a cloud service can be proposed
for FedRAMP authorization:
  • Cloud BPA
    • Cloud services through FCCI BPAs
  • Government Cloud Systems
  • Agency Sponsorship
    • Primary agency sponsorship
    • Primary agency contract
    • Secondary agency sponsorship
Services must be intended for use by multiple
agencies.
13
CSA Guidance Research
  • 13 domains of concern in 3 main groupings
    • Architecture
    • Governance
    • Operations

14
Track 1 - Cloud Security Policy and Guidance
  • Consensus issues identified from industry
    research
    • Auditing capabilities
    • Rogue insiders
    • 3rd-party management
    • Transparency
    • Data governance: leakage, persistence,
      destruction, commingling
    • Understand risk profile; align key risk
      indicators
    • Translating legacy controls
    • Lock-in

15
Track 2 - Cloud Security Architecture and
Technology
  • Consensus issues identified from industry
    research
    • Lack of purpose-built multi-tenant technology
    • Federating hybrid clouds
    • Duplicating granular defense in depth
    • Hardware exploits: CPU, DMA, bus, I/O
    • Hardening virtualization
    • Segregation of encryption and key management
    • Developing layers of abstraction, SOA principles
    • Vulnerability scanning
    • Software development lifecycle impact
    • Threat modeling

16
Track 3 - Secure Cloud Operations
  • Consensus issues identified from industry
    research
    • Forensics
    • Patch management
    • Malware
    • Logging
    • Monitoring and visibility
    • Account, service, and traffic hijacking
    • Suboptimal resource sharing: time slicing
    • Compartmentalization of operational activities

17
Thank You!
  • Questions?