A Federal Cloud Computing Roadmap
John Curran ServerVault Corp
“A Federal Cloud Computing Roadmap”
Slide 1
A Federal Cloud Computing Roadmap

Provides one possible answer to the question: “What set of actions by the cloud computing industry (and related parties) would allow Federal agencies to gain the benefits of cloud computing while maintaining compliance with Federal IT policy?”

Why is this important to discuss?
• The US Government is a potentially large, influential customer for the cloud computing community
• The closer we are to consensus on a roadmap for the solution, the less fear, uncertainty and doubt will remain in circulation for our industry
• Some technical controls may have interoperability or coordination aspects that have long lead times
Slide 2
Cloud Computing is “Outsourced IT”

FISMA (Title III, Pub. L. No. 107-347), Section 3544(b) requires each agency to provide information security for the information and “information systems that support the operations and assets of the agency, including those provided or managed by another agency, contractor, or other source.”

OMB M-08-21 includes specific guidance for use of contractor, outsourced, and/or SaaS services:
• Security controls must be provided commensurate with the risk and magnitude of harm to the information system (Risk Impact Level)
• Agencies must ensure all FISMA policy requirements are met, including identical (not “equivalent”) security procedures and processes
• Service providers must work with agencies to meet all requirements, including an annual agency audit/evaluation
Slide 3
Risk Impact Level & Authorization

FIPS Publication 199 requires that agencies categorize their unclassified information and information systems into one of three levels of potential impact on the organization/agency or on individuals should there be a breach of security (i.e., a loss of confidentiality, integrity, or availability):

The potential impact is LOW if
− The loss of confidentiality, integrity, or availability could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals.

The potential impact is MODERATE if
− The loss of confidentiality, integrity, or availability could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals.

The potential impact is HIGH if
− The loss of confidentiality, integrity, or availability could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals.

FIPS Publication 200 requires that agencies employ, at minimum, an appropriately tailored set of security controls from the corresponding security control baseline in NIST SP 800-53, selected according to the highest impact level of any information contained in the system (the “high-water mark”); the selected controls are documented in the system security plan.

The Security Authorization Process requires preparation of a security plan, an assessment of the security controls, and a plan of action and milestones to address any outstanding weaknesses.
Slide 4
The Federal CIO’s Dilemma

1. Enormous pressure to deploy timely, cost-effective IT systems
2. Administration agenda includes expectations of the benefits of new IT technologies, including virtualization, collaboration, utility and cloud computing
3. Responsibility for compliance with numerous IT policy mandates, including both federal and agency-specific ones
4. Varying financial and organizational support for common infrastructure (e.g. authentication, change control systems) and fear of vendor lock-in with any sizable deployment
5. The FISMA-specific compliance requirement to explicitly define the security controls for authorization of any new IT system

Cloud Computing can address #1 & #2 today. With some common industry effort, Cloud Computing can help with #3, #4, and #5.
Slide 5
Federal Cloud Computing & Compliance

For many agency applications, stringent compliance requirements in areas such as privacy, financial controls, and health information will preclude use of “public clouds”, regardless of the actual security controls of the provider.

The cloud computing industry needs to recognize that there is a difference between security [providing adequate protection from risks] and compliance [performing in specific, documented adherence to policy], and that this difference will result in agencies having to establish their own private cloud infrastructures.

The technical standards that allow private clouds to interface to public clouds for workload surge, segmentation of processing, continuity of operations, etc. are therefore an important topic for discussion in the cloud community.
Slide 6
Federal Cloud Computing & Lock-In

Federal procurement goes through significant contractual lengths to ensure that the government can obtain full productive use of anything it procures, and in the past that has meant interesting terminology in areas such as software licensing, technology rights, etc.

The cloud computing industry needs technical standards for interoperability not only to meet agency requirements for mobility of applications and data between providers, but also to avoid the alternative: having to provide technology and software rights (as theoretical relief from vendor lock-in), which will otherwise be sought.

This makes technical standards for migration of systems between providers [servers, data volumes, network devices, and entire application environments] also an important topic for discussion in the cloud community.
Slide 7
Federal Cloud Computing & FISMA

The Federal CIO Council has established a cloud computing working group which is looking into this issue, and will make recommendations on the best path forward for agencies which wish to utilize cloud service providers.

Explicit documentation of FISMA security controls and their implementation is presently required for all Federal IT security authorization decisions, and it seems improbable that this requirement would change for federal applications which could have serious or catastrophic effects on the organization if disclosed, compromised, or made unavailable.

However, there are existing, proven mechanisms for documenting security controls in commercial providers [e.g. WebTrust/SysTrust, SAS 70, and PCI DSS], and these might be deemed appropriate compensating controls for Low Impact IT systems. Cloud providers should consider exploring these programs in preparation.
Slide 8
Thank You!

• Questions?
• Contact Information:
John Curran
CTO & COO, ServerVault Corp
+1 703 652 5980
[email protected]
Slide 9