
Jim Reavis, Executive Director Cloud Security Alliance November 22, 2010


Presentation Transcript


  1. Developing a Baseline On Cloud Security Jim Reavis, Executive Director Cloud Security Alliance November 22, 2010

  2. Purpose & Agenda
  Purpose: provide information about the current state of industry understanding and activities related to securing cloud computing, as a foundation for today's collaboration.
  Agenda:
  • Defining Cloud
  • Reference Model
  • Architecture
  • FedRAMP
  • Cloud Guidance
  • Relating to Tracks

  3. What is Cloud Computing?
  • Compute as a utility: the third major era of computing, after the mainframe era and the PC / client-server era
  • Cloud computing: an on-demand model for allocation and consumption of computing
  • Cloud is enabled by:
    – Moore's Law: costs of compute and storage approaching zero
    – Hyperconnectivity: robust bandwidth from dotcom-era investments
    – Service Oriented Architecture (SOA)
    – Scale: major providers create massive IT capabilities

  4. Broad Private/Public View
  • Ecosystem
  • Definitions / Ontology / Taxonomy
  • Architecture
  • Compliance
  • Threat research & modeling
  • Domains of Concern

  5. NIST: Defining Cloud
  Characteristics
  • On demand provisioning
  • Elasticity
  • Multi-tenancy
  • Measured service
  Delivery Models
  • Infrastructure as a Service (IaaS): basic O/S & storage
  • Platform as a Service (PaaS): IaaS + rapid development
  • Software as a Service (SaaS): complete application
  Deployment Modes
  • Public
  • Private
  • Hybrid
  • Community

  6. CSA Cloud Reference Model • From CSA Architectural WG • 10 Layer reference model view of Cloud Computing • Encourages cumulative view of SaaS/PaaS/IaaS delivery

  7. S-P-I context: who is responsible for security shifts with the delivery model
  • IaaS (Infrastructure as a Service): you build security in
  • PaaS (Platform as a Service): falls between the two
  • SaaS (Software as a Service): you "RFP" security in, i.e. you specify it as a procurement requirement rather than implement it yourself

  8. Architectural Depictions • From Open Security Architecture • Actor-centric view of cloud architecture

  9. Architectural Depictions Service-centric architectural model from CSA

  10. Federal Risk & Authorization Management Program (FedRAMP) • A government-wide initiative to provide joint authorization services • FedRAMP PMO in GSA • Unified government-wide risk management • Agencies would leverage FedRAMP authorizations (when applicable) • Agencies retain their responsibility and authority to ensure use of systems that meet their security needs • FedRAMP would provide an optional service to agencies

  11. Federal Risk & Authorization Management Program (FedRAMP)
  BEFORE: each Agency performs its own A&A (assessment and authorization) against each Vendor
  • Duplicative risk management efforts
  • Incompatible requirements
  • Potential for inconsistent application and interpretation of Federal security requirements
  AFTER: FedRAMP sits between Agencies and Vendors
  • Unified risk management and associated cost savings
  • Inter-agency vetted and compatible requirements using a shared cloud service
  • Effective and consistent assessment of cloud services

  12. FedRAMP Authorization Request Process
  There are three ways a Cloud Service can be proposed for FedRAMP Authorization:
  1. Cloud BPA: cloud services offered through FCCI BPAs
  2. Government Cloud Systems: services must be intended for use by multiple agencies
  3. Agency Sponsorship: primary agency sponsorship (via a primary agency contract) or secondary agency sponsorship

  13. CSA Guidance Research: 13 domains of concern in 3 main groupings
  Architecture
  • Cloud Architecture
  Governing the Cloud
  • Governance and Enterprise Risk Management
  • Legal and Electronic Discovery
  • Compliance and Audit
  • Information Lifecycle Management
  • Portability and Interoperability
  Operating in the Cloud
  • Security, Business Continuity, and Disaster Recovery
  • Data Center Operations
  • Incident Response, Notification, Remediation
  • Application Security
  • Encryption and Key Management
  • Identity and Access Management
  • Virtualization

  14. Track 1 - Cloud Security Policy and Guidance
  Consensus issues identified from industry research:
  • Auditing capabilities
  • Rogue insiders
  • 3rd party management
  • Transparency
  • Data governance: leakage, persistence, destruction, commingling
  • Understand risk profile & align key risk indicators
  • Translating legacy controls
  • Lock-in

  15. Track 2 - Cloud Security Architecture and Technology
  Consensus issues identified from industry research:
  • Lack of purpose-built multi-tenant technology
  • Federating hybrid clouds
  • Duplicating granular defense in depth
  • Hardware exploits: CPU, DMA, Bus, I/O
  • Hardening virtualization
  • Segregation of encryption and key management
  • Developing layers of abstraction, SOA principles
  • Vulnerability scanning
  • Software development lifecycle impact
  • Threat modeling
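Two of the consensus issues above meet in one design pattern: "segregation of encryption and key management" from Track 2 and "data governance: leakage, persistence, destruction, commingling" from Track 1. Envelope encryption with tenant-held keys shows what that segregation buys in a multi-tenant cloud. The Go program below is an added example written for this page; it is not code from the original deck or from the Cloud Security Alliance. CloudStore (the provider's object store), TenantKMS (key management kept with the tenant or in a dedicated KMS/HSM), Put and Get are constructed stand-ins, and the "payroll.csv" record is constructed sample input.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// StoredObject is everything the provider holds: the object encrypted under a
// per-object data key (DEK), and that DEK wrapped under the tenant's KEK.
type StoredObject struct{ WrappedDEK, Ciphertext []byte } // each is nonce || AES-GCM output
// CloudStore stands in for provider-side object storage (constructed for this example).
type CloudStore map[string]StoredObject
// TenantKMS stands in for key management kept with the tenant or in a dedicated
// KMS/HSM, segregated from the data store (constructed for this example).
type TenantKMS map[string][]byte

// randBytes returns n cryptographically random bytes; crypto/rand failing is fatal.
func randBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// CreateKEK provisions a fresh AES-256 key-encryption key for a tenant.
func (k TenantKMS) CreateKEK(tenant string) { k[tenant] = randBytes(32) }

// DestroyKEK is crypto-shredding: with the KEK gone, every object wrapped under
// it is unrecoverable even though the provider may still hold the blob.
func (k TenantKMS) DestroyKEK(tenant string) { delete(k, tenant) }

// aeadFor builds AES-GCM for a key; keys here are always 32 bytes, so a failure is a bug.
func aeadFor(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	gcm, _ := cipher.NewGCM(block) // AES has a 128-bit block, so NewGCM cannot fail
	return gcm
}

// seal is AES-256-GCM with aad bound and a random nonce prepended to the output.
func seal(key, plaintext, aad []byte) []byte {
	gcm := aeadFor(key)
	nonce := randBytes(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, plaintext, aad)
}

// open reverses seal; a wrong key or a different aad fails authentication.
func open(key, sealed, aad []byte) ([]byte, error) {
	gcm := aeadFor(key)
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], aad)
}

// Put encrypts plaintext under a fresh DEK, wraps the DEK with the owner's KEK
// (AAD binds both to "owner/name"), and hands only ciphertext to the store.
func Put(store CloudStore, kms TenantKMS, owner, name string, plaintext []byte) error {
	kek, ok := kms[owner]
	if !ok {
		return fmt.Errorf("no KEK for tenant %q", owner)
	}
	dek, aad := randBytes(32), []byte(owner+"/"+name)
	store[owner+"/"+name] = StoredObject{WrappedDEK: seal(kek, dek, aad), Ciphertext: seal(dek, plaintext, aad)}
	return nil
}

// Get unwraps the DEK with the caller's KEK and decrypts. A caller who is not the
// owner, or whose KEK has been destroyed, gets an error, never the plaintext.
func Get(store CloudStore, kms TenantKMS, caller, owner, name string) ([]byte, error) {
	obj, ok := store[owner+"/"+name]
	if !ok {
		return nil, fmt.Errorf("object %s/%s not found", owner, name)
	}
	kek, ok := kms[caller]
	if !ok {
		return nil, fmt.Errorf("no KEK for tenant %q (never created, or destroyed)", caller)
	}
	aad := []byte(owner + "/" + name)
	dek, err := open(kek, obj.WrappedDEK, aad)
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK: %w", err)
	}
	return open(dek, obj.Ciphertext, aad)
}

func main() {
	store, kms := CloudStore{}, TenantKMS{}
	kms.CreateKEK("tenantA")
	_ = Put(store, kms, "tenantA", "payroll.csv", []byte("constructed sample record"))
	kms.DestroyKEK("tenantA") // the blob stays in the store; the key does not
	_, err := Get(store, kms, "tenantA", "tenantA", "payroll.csv")
	fmt.Println("after crypto-shred:", err)
}
```

The provider only ever receives ciphertext and a wrapped DEK, so a rogue insider or a leaked storage bucket yields nothing readable (leakage). Because the KEK lives outside the data store, a second tenant's key fails GCM authentication on the first tenant's wrapped DEK (commingling), and deleting a tenant's KEK renders every object wrapped under it unrecoverable even though the provider's copies persist (persistence and destruction). In a real deployment the TenantKMS role is played by an HSM or a cloud KMS that the storage service cannot call on the tenant's behalf.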

  16. Track 3 – Secure Cloud Operations
  Consensus issues identified from industry research:
  • Forensics
  • Patch management
  • Malware
  • Logging
  • Monitoring & visibility
  • Account, service, traffic hijacking
  • Suboptimal resource sharing & time slicing
  • Compartmentalization of operational activities

  17. Thank You! Questions?
