Posted December 12th, 2011 by rybolov
Contrary to what you might hear this week in the trade press, FedRAMP is not fully unveiled although there was some much-awaited progress. There was a memo that came out from the administration (PDF caveat). Basically what it does is lay down the authority and responsibility for the Program Management Office and set some timelines. This is good, and we needed it a year and a half ago.
However, people need to stop talking about how FedRAMP has solved all their problems because the entire program isn’t here yet. Until you have a process document and a catalog of controls to evaluate, you don’t know how the program is going to help or hinder you, so all the press about it is speculation.
Posted in DISA, FISMA, NIST, Outsourcing, Risk Management | No Comments »
Tags: 800-37 • 800-53 • 800-53A • accreditation • C&A • catalogofcontrols • categorization • certification • cloud • cloudcomputing • comments • compliance • dhs • fedramp • fisma • government • infosec • infosharing • itsatrap • management • moneymoneymoney • NIST • omb • scalability • security
Posted April 26th, 2011 by rybolov
Interesting blog post on Microsoft’s TechNet, but the real gem is the case filing and summary from the DoJ (usual .pdf caveat applies). The Reader’s Digest Condensed Version is that the Department of Interior awarded a cloud services contract to Microsoft for email. The award was protested by Google for a wide variety of reasons; you can go read the full thing for all the whinging.
But this is the interesting thing to me even though it’s mostly tangential to the award protest:
- Google has an ATO under SP 800-37 from GSA for its Google Apps Premiere.
- Google represents Google Apps for Government as having an ATO which, even though 99% of the security controls could be the same, is inaccurate as presented.
- DOI rejected Google’s cloud because it had state and local (sidenote: does this include tribes?) tenants which might not have the same level of “security astuteness” as DOI. Basically what they’re saying here is that if one of the tenants on Google’s cloud doesn’t know how to secure their data, it affects all the tenants.
So this is where I start thinking. I thunk until my thinker was sore, and these are the conclusions I came to:
- There is no such thing as “FISMA Certification”, there is a risk acceptance process for each cloud tenant. Cloud providers make assertions of what common controls that they have built across all
- Most people don’t understand what FISMA really means. This is no shocker.
- For the purposes of this award protest, the security bits do not matter because
- This could all be solved in the wonk way by Google getting an ATO on their entire infrastructure and then no matter what product offerings they add on top of it, they just have to roll it into the “Master ATO”.
- Even if the cloud infrastructure has an ATO, you still have to authorize the implementation on top of it given the types of data and the implementation details of your particular slice of that cloud.
And then there’s the “back story” consisting of the Cobell case and how Interior was disconnected from the Internet several times and for several years. The Rybolov interpretation is that if Google’s government cloud potentially has tribes as a tenant, it increases the risk (both data security and just plain politically) to Interior beyond what they are willing to accept.
Obligatory Cloud photo by jonicdao.
Posted in FISMA, NIST, Outsourcing | 2 Comments »
Tags: 800-37 • 800-53 • accreditation • certification • cloud • cloudcomputing • compliance • fisma • government • infosec • management • NIST • risk • security
Posted February 15th, 2011 by rybolov
“Cloud computing is about gracefully losing control while maintaining accountability even if the operational responsibility falls upon one or more third parties.”
–CSA Security Guidance for Critical Areas of Focus in Cloud Computing V2.1
Now enter FedRAMP. FedRAMP is a way to share Assessment and Authorization information for a cloud provider with its Government tenants. In case you’re not “in the know”, you can go check out the draft process and supporting templates at FedRAMP.gov. So far a good idea, and I really do support what’s going on with FedRAMP, except that somewhere along the line we went astray: we tried to kluge doctrine that most people understand over the top of cloud computing, which most people don’t really understand.
I’ve already done my part to submit comments officially; I just want to put some ideas out there to keep the conversation going. As I see it, these are/should be the goals for FedRAMP:
- Delineation of responsibilities between cloud provider and cloud tenant. Also knowing where there are gaps.
- Transparency in operations. Understanding how the cloud provider does their security parts.
- Transparency in risk. Know what you’re buying.
- Build maturity in cloud providers’ security program.
- Help cloud providers build a “Governmentized” security program.
So now for the juicy part: how would I do a “clean room” implementation of FedRAMP on Planet Rybolov, where “all the Authorizing Officials are informed, the Auditors are helpful, and every ISSO is above average”? This is my “short list” of how to get the job done:
- Authorization: Sorry, not going to happen on Planet Rybolov. At least, authorization by FedRAMP, mostly because it’s a cheat for the tenant agencies–they should be making their own risk decisions based on risk, cost, and benefit. Acceptance of risk is a tenant-specific thing based on the data types and missions being moved into the cloud, baseline security provided by the cloud provider, the security features of the products/services purchased, and the tenant’s specific configuration on all of the above. However, FedRAMP can support that by helping the tenant agency by being a repository of information.
- 800-53 controls: A cloud service provider manages a set of common controls across all of their customers. Really what the tenant needs to know is what is not provided by the cloud service provider. A simple RACI matrix works here beautifully, as does the phrase “This control is not applicable because XXXXX is not present in the cloud infrastructure”. This entire approach of “build one set of controls definitions for all clouds” does not really work because not all clouds and cloud service providers are the same, even if they’re the same deployment model.
- Tenant Responsibilities: Even though it’s in the controls matrix, there needs to be an Acceptable Use Policy for the cloud environment. A message to providers: this is needed to keep you out of trouble because it limits the potential impacts to yourself and the other cloud tenants. A good example would be “Do not put classified data on my unclassified cloud”.
- Use Automation: CloudAudit is the “how” for FedRAMP. It provides a structure to query a cloud (or the FedRAMP PMO) to find out compliance and security management information. Using a tool, you could query for a specific control or get documents, policy statements, or even SCAP assessment content.
- Changing Responsibilities: Things change. As a cloud provider matures, releases new products, or moves up and down the SPI stack ({Software|Platform|Infrastructure} as a Service), the balance of responsibilities changes. There needs to be a vehicle to disseminate these changes. Normally in the IA world we do this with a Plan of Action and Milestones, but from the viewpoint of the cloud provider this is more along the lines of a release schedule and/or roadmap. Not that I’m personally signing up for this, but a quarterly/semi-annual tenant agency security meeting would be a good way to get this information out.
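To make the controls-matrix and changing-responsibilities points concrete, here is an added example (my own illustration, not code from the original post, from FedRAMP, or from any cloud provider). It models the provider’s responsibility matrix as per-control assertions of “provided as a common control”, “shared”, or “not applicable because XXXXX is not present”, derives the list of controls the tenant still has to cover, and then diffs two versions of the matrix to show what the tenant must re-authorize when the provider’s offering changes. The control IDs follow the SP 800-53 naming style, but the baseline, both matrix versions, and the justification text are constructed sample data.

```python
"""Control-inheritance gap analysis for a cloud tenant (added example).

Constructed sample data throughout: the tenant baseline, the hypothetical
provider's assertions and their justifications are illustrative only.
"""
from typing import Dict, List, Optional, Tuple

# Responsibility a provider can assert for a control.
PROVIDER = "provider"     # common control, fully provided by the cloud provider
SHARED = "shared"         # provider covers part; tenant configures the rest
NOT_APPLICABLE = "n/a"    # provider asserts the control does not apply

Assertion = Tuple[str, str]        # (responsibility, justification)
Matrix = Dict[str, Assertion]      # control ID -> assertion

# Constructed tenant baseline: controls the tenant's system must satisfy.
TENANT_BASELINE: List[str] = [
    "AC-2", "AC-17", "AU-2", "CP-9", "PE-3", "SC-7", "SC-13", "MP-5",
]

# Constructed provider matrix, version 1 (hypothetical provider).
PROVIDER_V1: Matrix = {
    "AC-2": (SHARED, "provider manages platform accounts; tenant manages its users"),
    "AU-2": (PROVIDER, "hypervisor and management-API audit logging is common"),
    "CP-9": (PROVIDER, "nightly snapshots of every tenant volume"),
    "PE-3": (PROVIDER, "data center physical access is a common control"),
    "SC-7": (SHARED, "provider filters at the edge; tenant defines its own rules"),
    "MP-5": (NOT_APPLICABLE, "no removable media leaves the data center"),
}

# Version 2: the provider released a new snapshot product (opt-in per volume)
# and added encryption on its management APIs, so two assertions change.
PROVIDER_V2: Matrix = dict(PROVIDER_V1)
PROVIDER_V2["CP-9"] = (SHARED, "snapshots are now per-volume opt-in; tenant must enable them")
PROVIDER_V2["SC-13"] = (PROVIDER, "TLS on all management APIs")


def tenant_gaps(baseline: List[str], matrix: Matrix) -> Dict[str, str]:
    """Controls the tenant must cover itself, mapped to the reason.

    A control is a gap unless the provider asserts it as fully provided, or
    asserts it not applicable *with* a justification. A bare "n/a" with no
    justification is treated as a gap, because the tenant cannot verify it.
    """
    gaps: Dict[str, str] = {}
    for ctl in baseline:
        resp, why = matrix.get(ctl, ("", "not addressed in the provider matrix"))
        if resp == PROVIDER:
            continue
        if resp == NOT_APPLICABLE and why.strip():
            continue
        gaps[ctl] = why if why.strip() else "responsibility asserted without justification"
    return gaps


def responsibility_changes(old: Matrix, new: Matrix) -> Dict[str, Tuple[Optional[str], Optional[str]]]:
    """Controls whose asserted responsibility differs between two matrix versions."""
    changed: Dict[str, Tuple[Optional[str], Optional[str]]] = {}
    for ctl in sorted(set(old) | set(new)):
        before = old[ctl][0] if ctl in old else None
        after = new[ctl][0] if ctl in new else None
        if before != after:
            changed[ctl] = (before, after)
    return changed


def reauthorization_delta(baseline: List[str], old: Matrix, new: Matrix) -> Tuple[List[str], List[str]]:
    """(gaps the tenant newly owns, gaps the provider now closes) after a matrix change."""
    before = set(tenant_gaps(baseline, old))
    after = set(tenant_gaps(baseline, new))
    return sorted(after - before), sorted(before - after)


if __name__ == "__main__":
    for ctl, why in tenant_gaps(TENANT_BASELINE, PROVIDER_V1).items():
        print(f"tenant must cover {ctl}: {why}")
    opened, closed = reauthorization_delta(TENANT_BASELINE, PROVIDER_V1, PROVIDER_V2)
    print("newly tenant responsibility:", opened)
    print("now provided by provider:", closed)
```

Run as a script it lists the four controls the tenant owns under version 1 (AC-2, AC-17, SC-7, SC-13) and then shows that the version 2 release hands CP-9 back to the tenant while closing SC-13; that delta is exactly what a release-schedule style notice to tenant agencies needs to carry, and why a provider-level authorization does not remove the tenant’s own risk decision for its slice of the cloud.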
Then there is the special interest comment: I’ve heard some rumblings (and read some articles, shame on you security industry press for republishing SANS press releases) about how FedRAMP would be better accomplished by using the 20 Critical Security Controls. Honestly, this is far from the truth: a set of controls scoped to the modern enterprise (General Support System supporting end users) or project (Major Application) does not scale to an infrastructure-and-server cloud. While it might make sense to use 20 CSC in other places (agency-wide controls), please do your part to squash this idea of using it for cloud computing whenever and wherever you see it.
Ramp photo by ell brown.
Posted in FISMA, Risk Management, What Works | 2 Comments »
Tags: accreditation • C&A • catalogofcontrols • certification • cloud • cloudcomputing • comments • compliance • fisma • infosec • infosharing • management • risk • scalability • security
Posted November 22nd, 2010 by rybolov
Granted, it’s a secondary source and therefore subject to being corrected later in an official announcement, but this is pretty big. Requiring the Departments and Agencies to consider cloud solutions both scares me (security, governance, and a multitude of other things about rushing into mandated solutions) and excites me (now cloud solutions are formally accepted as viable).
However, before you run around either proclaiming that “this is the death of serverhuggers” or “the end is nigh, all is lost” or even “I for one welcome our fluffy white overlords”, please consider the following:
- A “secure, reliable, cost-effective cloud option” is a very loaded statement very open to interpretation
- They already have to consider open source solutions
- They already have to consider in-sourcing
- They already have to consider outsourcing
- “Cloud” more often than not includes private clouds or community clouds
- Isn’t this just another way to say “quit reinventing the wheel”?
- Some Government cloud initiatives are actually IT modernization initiatives riding the bandwagon-du-jour
- Switching from Boeing, Northrop, and SAIC beltway bandit overlords to Google, Amazon, and SalesForce cloud overlords still means that you have overlords
Posted in Outsourcing, Rants | 2 Comments »
Tags: cashcows • cloud • cloudcomputing • fedramp • google • government • itsatrap • management • moneymoneymoney • scalability
Posted November 3rd, 2010 by rybolov
Go check it out. The project management folks have been jokingly grilled numerous times for being ~2-3 months late.
However, comments are being accepted until December 2nd. Do yourselves a favor and submit some comments.
Posted in FISMA, NIST | 2 Comments »
Tags: 800-37 • 800-53 • 800-53A • C&A • catalogofcontrols • certification • cloud • cloudcomputing • compliance • fisma • government • infosec • infosharing • management • NIST • scalability • security