cloud security

FedRAMP Federates Further
FedRAMP (Federal Risk and Authorization Management Program), the government’s cloud security assessment plan, announced late last week that Amazon Web Services (AWS) is the first agency-approved cloud service provider. The accreditation covers all AWS data centers in the United States. Amazon becomes the third vendor to meet the security requirements detailed by FedRAMP. FedRAMP is the result of the US Government’s work to address security concerns related to the growing practice of cloud computing; it establishes a standardized approach to security assessment, authorization and continuous monitoring for cloud services and products. By creating industry-wide security standards and focusing on risk management rather than strict compliance with reporting metrics, officials expect to improve data security and simplify the processes agencies use to purchase cloud services. FedRAMP is looking toward full operational capability later this year. As both the cloud and the government’s use of cloud services grew, officials found many inconsistencies in requirements and approaches as each agency began to adopt the cloud. Launched in 2012, FedRAMP’s goal is to bring consistency to the process and also give cloud vendors a standard way of providing services to the government. Combined with the government’s cloud-first policy, which requires agencies to consider moving applications to the cloud as a first option for new IT projects, this should streamline the process of deploying to the cloud. It is an ‘approve once, use many’ approach, reducing the cost and time spent on redundant, individual agency security assessments. AWS's certification is for 3 years. FedRAMP provides an overall checklist for handling risks associated with Web services that would have a limited or serious impact on government operations if disrupted.
Cloud providers must implement these security controls to be authorized to provide cloud services to federal agencies. The government will forbid federal agencies from using a cloud service provider unless the vendor can prove that a FedRAMP-accredited third-party organization has verified and validated the security controls. Once approved, the cloud vendor would not need to be ‘re-evaluated’ by every government entity that might be interested in their solution. There may be instances where additional controls are added by agencies to address specific needs. The BIG-IP Virtual Edition for AWS includes options for traffic management, global server load balancing, application firewall, web application acceleration, and other advanced application delivery functions.

ps

Related:
Cloud Security With FedRAMP
FedRAMP Ramps Up
FedRAMP achieves another cloud security milestone
Amazon wins key cloud security clearance from government
CLOUD SECURITY ACCREDITATION PROGRAM TAKES FLIGHT
FedRAMP comes fraught with challenges
F5 iApp template for NIST Special Publication 800-53
Now Playing on Amazon AWS - BIG-IP
Connecting Clouds as Easy as 1-2-3
F5 Gives Enterprises Superior Application Control with BIG-IP Solutions for Amazon Web Services

Technorati Tags: f5,fedramp,government,cloud,service providers,risk,standards,silva,compliance,cloud security,aws,amazon

CloudFucius Shares: Cloud Research and Stats
Sharing is caring, according to some, and with the shortened week, CloudFucius decided to share some resources he’s come across during his Cloud exploration in this abbreviated post. A few are aged just to give a perspective of what was predicted and written about over time.

Some Interesting Cloud Computing Statistics (2008)
Mobile Cloud Computing Subscribers to Total Nearly One Billion by 2014 (2009)
Server, Desktop Virtualization To Skyrocket By 2013: Report (2009)
Gartner: Brace yourself for cloud computing (2009)
A Berkeley View of Cloud Computing (2009)
Cloud computing belongs on your three-year roadmap (2009)
Twenty-One Experts Define Cloud Computing (2009)
5 cool cloud computing research projects (2009)
Research Clouds (2010)
Cloud Computing Growth Forecast (2010)
Cloud Computing and Security - Statistics Center (2010)
Cloud Computing Experts Reveal Top 5 Applications for 2010 (2010)
List of Cloud Platforms, Providers, and Enablers 2010 (2010)
The Cloud Computing Opportunity by the Numbers (2010)
Governance grows more integral to managing cloud computing security risks, says survey (2010)
The Cloud Market EC2 Statistics (2010)
Experts believe cloud computing will enhance disaster management (2010)
Cloud Computing Podcast (2010)
Security experts ponder the cost of cloud computing (2010)
Cloud Computing Research from Business Exchange (2010)
Just how green is cloud computing? (2010)
Senior Analyst Guides Investors Through Cloud Computing Sector And Gives His Top Stock Winners (2010)
Towards Understanding Cloud Performance Tradeoffs Using Statistical Workload Analysis and Replay (2010)

…along with F5’s own Lori MacVittie, who writes about this stuff daily.

And one from Confucius: Study the past if you would define the future.

ps

The CloudFucius Series: Intro, 1, 2, 3, 4, 5, 6, 7, 8

FedRAMP Ramps Up
Tomorrow, June 6th, the Federal Risk and Authorization Management Program, the government’s cloud security assessment plan known as FedRAMP, will begin accepting security certification applications from companies that provide software services and data storage through the cloud. On Monday, GSA issued a solicitation for cloud providers, both commercial and government, to apply for FedRAMP certification. FedRAMP is the result of the government’s work to address security concerns related to the growing practice of cloud computing; it establishes a standardized approach to security assessment, authorization and continuous monitoring for cloud services and products. By creating industry-wide security standards and focusing on risk management rather than strict compliance with reporting metrics, officials expect to improve data security and simplify the processes agencies use to purchase cloud services, according to Katie Lewin, director of the federal cloud computing program at the General Services Administration. As both the cloud and the government’s use of cloud services grew, officials found many inconsistencies in requirements and approaches as each agency began to adopt the cloud. FedRAMP’s goal is to bring consistency to the process and also give cloud vendors a standard way of providing services to the government. Combined with the government’s cloud-first policy, which requires agencies to consider moving applications to the cloud as a first option for new IT projects, this should streamline the process of deploying to the cloud. It is an ‘approve once, use many’ approach, reducing the cost and time spent on redundant, individual agency security assessments. Recently, the GSA released a list of nine accredited third-party assessment organizations, or 3PAOs, that will do the initial assessments and test the controls of providers against FedRAMP requirements. The 3PAOs will have an ongoing part in ensuring providers meet requirements.
FedRAMP provides an overall checklist for handling risks associated with Web services that would have a limited or serious impact on government operations if disrupted. Cloud providers must implement these security controls to be authorized to provide cloud services to federal agencies. The government will forbid federal agencies from using a cloud service provider unless the vendor can prove that a FedRAMP-accredited third-party organization has verified and validated the security controls. Once approved, the cloud vendor would not need to be ‘re-evaluated’ by every government entity that might be interested in its solution. There may be instances where agencies add controls to address specific needs. Independent, third-party auditors are tasked with testing each product/solution for compliance, which is intended to save agencies from doing their own risk management assessment. Details of the auditing process are expected early next month, but it includes a System Security Plan that clarifies how the requirements of each security control will be met within a cloud computing environment. Within the plan, each control must detail the solutions being deployed, such as devices, documents and processes; the responsibilities of the provider and the government customer in implementing the plan; the timing of implementation; and how the solution satisfies the control. A Security Assessment Plan details how each control implementation will be assessed and tested to ensure it meets the requirements, and the Security Assessment Report explains the issues, findings, and recommendations from the security control assessments detailed in the Security Assessment Plan. Ultimately, each provider must establish means of preventing unauthorized users from hacking the cloud service. The regulations allow the contractor to determine which elements of the cloud must be backed up and how frequently. Three backups are required, one available online.
All government information stored on a provider's servers must be encrypted. When the data is in transit, providers must use a "hardened or alarmed carrier protective distribution system," which detects intrusions, if not using encryption. Since cloud services may span many geographic areas with various people in the mix, providers must develop measures to guard their operations against supply chain threats. Also, vendors must disclose all the services they outsource and obtain the board's approval to contract out services in the future. After receiving the initial applications, FedRAMP program officials will develop a queue order in which to review authorization packages. Officials will prioritize secure Infrastructure as a Service (IaaS) solutions, contract vehicles for commodity services, and shared services that align with the administration’s Cloud First policy. F5 has an iApp template for NIST Special Publication 800-53 which aims to make compliance with NIST Special Publication 800-53 easier for administrators of BIG-IPs. It does this by presenting a simplified list of configuration elements together in one place that are related to the security controls defined by the standard. This makes it easier for an administrator to configure a BIG-IP in a manner that complies with the organization's policies and procedures as defined by the standard. This iApp does not take any actions to make applications being serviced through a BIG-IP compliant with NIST Special Publication 800-53 but focuses on the configuration of the management capabilities of BIG-IP and not on the traffic passing through it. 
ps

Resources:
Cloud Security With FedRAMP
CLOUD SECURITY ACCREDITATION PROGRAM TAKES FLIGHT
FedRAMP comes fraught with challenges
FedRAMP about to hit the streets
FedRAMP takes applications for service providers
Contractors dealt blanket cloud security specs
FedRAMP includes 168 security controls
New FedRAMP standards first step to secure cloud computing
GSA to tighten oversight of conflict-of-interest rules for FedRAMP
What does finalized FedRAMP plan mean for industry?
GSA reopens cloud email RFQ
NIST, GSA setting up cloud validation process
FedRAMP Security Controls Unveiled
FedRAMP security requirements benchmark IT reform
FedRAMP baseline controls released
Federal officials launch FedRAMP

Simplify VMware View Deployments
Virtual Desktop Infrastructure (VDI), or the ability to deliver desktops as a managed service, is an attractive and cost-effective way to manage a corporate desktop environment. The success of virtual desktop deployments hinges on the user experience, availability and performance, security, and IT's ability to reduce desktop operating expenses. VDI deployments virtualize user desktops by delivering them to distinct end point devices over the network from a central location. Since the user's primary work tool is now located in a data center rather than on their own local machine, VDI can put a strain on network resources, and the user experience can be less than desired. This is due to the large amounts of data required to deliver a graphical user interface (GUI) based virtual desktop. For users who want to access their desktops and applications from anywhere in the world, network latency can be especially noticeable when the virtual desktop is delivered over a WAN. Organizations might have to provision more bandwidth to account for the additional network traffic, which in turn reduces any cost savings realized with VDI. In addition, VMware has introduced the PCoIP (PC over IP) display protocol, which makes more efficient use of the network by encapsulating video display packets in UDP instead of TCP. Many remote access devices are incapable of correctly handling this distinctive protocol, and this can deteriorate the user experience. Keeping mobile users connected to their own unique, individual environments can also pose a challenge. When a user moves from one network to another, their session could be dropped, requiring them to re-connect, re-authenticate, and navigate back to where they were prior to the interruption. Session persistence can maintain the stateful desktop information, helping users reconnect quickly without the need to re-authenticate.
Secure access and access control are always concerns when deploying any system, and virtual desktops are no different. Users are still accessing sensitive corporate information, so enforcing strong authentication and security policies and ensuring that the client is compliant all still apply to VDI deployments. Lastly, IT must make sure that the virtual systems themselves are available and can scale when needed to realize all the benefits of both a virtual server and a virtual desktop deployment. The inclusion of BIG-IP APM's fine-grained access control in BIG-IP LTM VE offers a very powerful enhancement to a VMware View deployment. BIG-IP APM for LTM VE is an exceptional way to optimize, secure, and deliver a VMware View virtual desktop infrastructure. This is a 100% virtual remote access solution for VMware View 4.5 VDI solutions. In addition, the BIG-IP APM for LTM VE system runs as a virtual machine in a VMware hypervisor environment, so you can easily add it to your existing infrastructure. As the number of users on virtual desktops grows, customers can easily transition from the BIG-IP virtual edition to a BIG-IP physical appliance. The BIG-IP provides important load balancing, health monitoring and SSL offload for VMware View deployments, for greater system availability and scalability. Network and protocol optimizations help organizations manage bandwidth efficiently and, in some cases, reduce the bandwidth requirements while maintaining and improving the user experience. BIG-IP APM for LTM VE also opens the possibility of making virtual server load balancing decisions based on the user’s identity, ensuring the user is connected to the optimal virtual instance based on their needs. F5 also overcomes the PCoIP challenge with our Datagram Transport Layer Security (DTLS) feature. This transport protocol is uniquely capable of providing all the desired security for transporting PCoIP communications, but without the degradation in performance.
In addition, F5 supports View’s automatic fallback to TCP if a high performance UDP tunnel cannot be established. Users no longer have to RDP to their virtual desktops but can now connect directly with PCoIP, or organizations can plan a phased migration to PCoIP. The BIG-IP APM for LTM VE comes with powerful security controls to keep the entire environment secure. Pre-login host checks will inspect the requesting client and determine if it meets certain access criteria, like OS patch level, Anti-virus/Firewall state, or whether a certificate is present. BIG-IP APM for LTM VE offers a wide range of authentication mechanisms, including two-factor, to protect corporate resources from unauthorized access. BIG-IP APM enables authentication pass-through for convenient single sign-on, and once a session is established, all traffic, including PCoIP, is encrypted to protect the data; session persistence helps users reconnect quickly without having to re-authenticate. BIG-IP APM for LTM VE simplifies deployment of authentication and session management for VMware View enterprise virtual desktop management.

ps

Resources
F5 Accelerates VMware View Deployments with BIG-IP Access Policy Manager on a Virtual Platform
BIG-IP Local Traffic Manager Virtual Edition
BIG-IP Access Policy Manager
Application Delivery and Load Balancing for VMware View Desktop Infrastructure
Deploying F5 Application Ready Solutions with VMware View 4.5
Optimizing VMware View VDI Deployments
Global Distributed Service in the Cloud with F5 and VMware
WILS: The Importance of DTLS to Successful VDI
F5 Friday: The Dynamic VDI Security Game
F5 Friday: Secure, Scalable and Fast VMware View Deployment

Technorati Tags: F5, BIG-IP, VMWare, Optimization, Pete Silva, F5, vmview,virtualization,mobile applications,access control,security,context-aware,strategic point of control

Blog Roll 2011
It’s that time of year when we gift and re-gift. And the perfect opportunity to re-post, re-purpose and re-use my 2011 blog entries. If you missed any of the approximately 50 blogs, 11 audio whitepapers or 47 videos, here they are wrapped in one simple entry. I read somewhere that lists in blogs are good. Have a Safe and Happy New Year.

F5 Security Vignette Series
2012 IT Staffing Crisis?
The Top 10, Top Predictions for 2012
Pearl Harbor, Punchbowl and my Grandparents
Cloud Copyright, Capital and The Courts
A Blog of Thanks
Dynamic Attack Protection and Access Control with BIG-IP v11
F5 BIG-IP Platform Security
F5 International Technology Center Video Tour
When Personal Security is Compromised
London IPEXPO 2011 - The Wrap Up
London IPEXPO 2011 F5 EMEA
Our Identity Crisis
Oracle OpenWorld 2011: The Video Outtakes
Oracle OpenWorld 2011: The Wrap Up
Oracle OpenWorld 2011: Interview with F5’s Ron Carovano
Oracle OpenWorld 2011: Interview with F5's Keith Gillum
Oracle OpenWorld 2011: Interview with F5’s Calvin Rowland
Oracle OpenWorld 2011: BIG-IP ASM & Oracle Database Firewall
Oracle OpenWorld 2011: Interview with F5's Andy Oehler
Oracle OpenWorld 2011: F5 ARX & Oracle ZFS Storage
Oracle OpenWorld 2011: BIG-IP WANOp & Oracle GoldenGate
Oracle OpenWorld 2011 - Aloha: Find F5 Booth 1527
IPS or WAF Dilemma
VMworld 2011: F5 BIG-IP v11 iApps for Citrix
F5 Case Study: WhiteHat Security
Cloud Computing Making Waves
Hackers Hit Vacation Spots
From the Greenroom
VMworld 2011: The Video Outtakes
VMworld 2011: VMworld Wrap Up
VMworld 2011: VMworld Hands-On Lab
VMworld 2011: Interview with Ron Carovano
VMworld 2011: Multi-Site Application Deployment with vSphere & vCloud Director
VMworld 2011: VDI Single Namespace
VMworld 2011: Interview with VMware’s Sanjay Aiyagari
VMworld 2011: Sign Up for F5's DevCentral
VMworld 2011: Find F5 Networks
Audio White Paper - High-Performance DNS Services in BIG-IP Version 11
SANS 20 Critical Security Controls
The STAR of Cloud Security
Audio White Paper - Application Security in the Cloud with BIG-IP ASM
DNSSEC: Is Your Infrastructure Ready?
Security Never Takes a Vacation
Dynamic Application Control and Attack Protection
The Best of…Me
Protection from Latest Network and Application Attacks
IT Security: Mid-Year Gut Check
Audio White Paper - Controlling Migration to IPv6: A Gateway to Tomorrow
The Land of a Thousand Twist-Ties
Cure Your Big App Attack
Drive Identity Into Your Network with F5 Access Solutions
Custom Code for Targeted Attacks
Audio White Paper - The F5 Dynamic Services Model
Who In The World Are You?
And The Hits Keep Coming
Ixia Xcellon-Ultra XT-80 validates F5 Network's VIPRION 2400 SSL Performance
Audio White Paper - Application and Data Security with F5 BIG-IP ASM and Oracle Database Firewall
Interop 2011 - TMCNet Interview
It’s Show Time
Interop 2011 - The Video Outtakes
Interop 2011 - Wrapping It Up
Interop 2011 - F5 in the Interop NOC Follow Up
Interop 2011 - IXIA and VIPRION 2400 Performance Test
Interop 2011 - VIPRION 2400 and vCMP
EMC World 2011 - ARX Hybrid-Cloud Demo
Interop 2011 - F5 in the Interop NOC
Interop 2011 - Find F5 Networks Booth 2027
Lost Your Balance? Drop The Load and Deliver!
Unplug Everything!
Do You Splunk 2.0
Technology Can Only Do So Much
3 Billion Malware Attacks and Counting
In 5 Minutes or Less - Enterprise Manager v2.2
The Big Attacks are Back…Not That They Ever Stopped
Has The Sky Cleared on Cloud Security?
Audio White Paper - Streamlining Oracle Web Application Access Control
Defense in Depth in Context
Our Digital Life Deciphered
Where Do You Wear Your Malware?
RSA 2011 Wrap and Blooper Reel
RSA2011 F5 Partner Spotlight - NitroSecurity
RSA2011 F5 Partner Spotlight - Q1 Labs
RSA2011 - Interview with Jeremiah Grossman
RSA2011 - BIG-IP Edge Client on iPad
RSA2011 F5 Partner Spotlight - PhoneFactor
RSA2011 F5 Partner Spotlight - OPSWAT
RSA2011 - Welcome to San Francisco
On The Way to RSA
A Digital Poltergeist On Your Television
Identity Theft: Good News-Bad News Edition
Radio Killed the Privacy Star
Audio White Paper: Achieving Enterprise Agility in the Cloud
In 5 Minutes or Less Video Series
Audio White Paper: Optimizing Application Delivery in Support of Data Center Consolidation
Simplify VMware View Deployments
In 5 Minutes or Less Video - BIG-IP APM & Citrix XenApp
Audio White Paper: F5 BIG-IP WAN Optimization Module in Data Replication Environments
The New Wallet: Is it Dumb to Carry a Smartphone?
iDo Declare: iPhone with BIG-IP
Audio Tech Brief - Secure iPhone Access to Corporate Web Applications
PCI Turns 2.0
In 5 Minutes or Less Video - F5's iHealth System
Audio White Paper - Application Delivery Hardware A Critical Component

And a couple special holiday themed entries from years past.

e-card Malware
X marks the Games

ps

Technorati Tags: blog, social media, 2011, f5, statistics, big-ip, web traffic, digital media, mobile device, analytics, video

Cloud Security With FedRAMP
Want to provide Cloud services to the federal government? Then you’ll have to adhere to almost 170 security controls under the recently announced Federal Risk and Authorization Management Program. The program, set to go live in June, is designed to analyze and audit cloud computing providers for federal government agencies, expedite security clearances for cloud providers, and foster the adoption of cloud computing by the Federal government. FedRAMP is meant to provide a baseline for low to moderate risk systems and is based on the NIST cyber-security Special Publication 800-53 Revision 3. FedRAMP provides an overall checklist for handling risks associated with Web services that would have a limited or serious impact on government operations if disrupted. Cloud providers must implement these security controls to be authorized to provide cloud services to federal agencies. The government will forbid federal agencies from using a cloud service provider unless the vendor can prove that a FedRAMP-accredited third-party organization has verified and validated the security controls. Once approved, the cloud vendor would not need to be ‘re-evaluated’ by every government entity that might be interested in its solution. There may be instances where agencies add controls to address specific needs. Independent, third-party auditors are tasked with testing each product/solution for compliance, which is intended to save agencies from doing their own risk management assessment. Details of the auditing process are expected early next month, but it includes a System Security Plan that clarifies how the requirements of each security control will be met within a cloud computing environment. Within the plan, each control must detail the solutions being deployed, such as devices, documents and processes; the responsibilities of the provider and the government customer in implementing the plan; the timing of implementation; and how the solution satisfies the control.
A Security Assessment Plan details how each control implementation will be assessed and tested to ensure it meets the requirements, and the Security Assessment Report explains the issues, findings, and recommendations from the security control assessments detailed in the Security Assessment Plan. Ultimately, each provider must establish means of preventing unauthorized users from hacking the cloud service. The regulations allow the contractor to determine which elements of the cloud must be backed up and how frequently. Three backups are required, one available online. All government information stored on a provider's servers must be encrypted. When the data is in transit, providers must use a "hardened or alarmed carrier protective distribution system," which detects intrusions, if not using encryption. Since cloud services may span many geographic areas with various people in the mix, providers must develop measures to guard their operations against supply chain threats. Also, vendors must disclose all the services they outsource and obtain the board's approval to contract out services in the future. More details of the FedRAMP program will be available from the General Services Administration by February 8th, but they have already started accepting applications for third party assessment vendors.

ps

Resources:
Contractors dealt blanket cloud security specs
FedRAMP includes 168 security controls
New FedRAMP standards first step to secure cloud computing
GSA to tighten oversight of conflict-of-interest rules for FedRAMP
What does finalized FedRAMP plan mean for industry?
GSA reopens cloud email RFQ
NIST, GSA setting up cloud validation process
FedRAMP Security Controls Unveiled
FedRAMP security requirements benchmark IT reform
FedRAMP baseline controls released
Federal officials launch FedRAMP
Audio: Steven VanRoekel announces FedRAMP
NIST: Cloud providers should adopt portability standards
Cloud security breach inevitable as businesses underestimate security due diligence

Technorati Tags: F5, federal government, integration, cloud computing, Pete Silva, security, business, fedramp, technology, nist, cloud, compliance, regulations, web, internet

CloudFucius Says: AAA Important to the Cloud
While companies certainly see a business benefit to a pay-as-you-go model for computing resources, security concerns seem always to appear at the top of surveys regarding cloud computing. These concerns include authentication, authorization, accounting (AAA) services; encryption; storage; security breaches; regulatory compliance; location of data and users; and other risks associated with isolating sensitive corporate data. Add to this array of concerns the potential loss of control over your data, and the cloud model starts to get a little scary. No matter where your applications live in the cloud or how they are being served, one theme is consistent: You are hosting and delivering your critical data at a third-party location, not within your four walls, and keeping that data safe is a top priority. Most early adopters began to test hosting in the cloud using non-critical data. Performance, scalability, and shared resources were the primary focus of initial cloud offerings. While this is still a major attraction, cloud computing has matured and established itself as yet another option for IT. More data—including sensitive data—is making its way to the cloud. The problem is that you really don’t know where in the cloud the data is at any given moment. IT departments are already anxious about the confidentiality and integrity of sensitive data; hosting this data in the cloud highlights not only concerns about protecting critical data in a third-party location but also role-based access control to that data for normal business functions. Organizations are beginning to realize that the cloud does not lend itself to static security controls. Like all other elements within cloud architecture, security must be integrated into a centralized, dynamic control plane. 
In the cloud, security solutions must have the capability to intercept all data traffic, interpret its context, and then make appropriate decisions about that traffic, including instructing other cloud elements how to handle it. The cloud requires the ability to apply global policies and tools that can migrate with, and control access to, the applications and data as they move from data center to cloud—and as they travel to other points in the cloud. One of the biggest areas of concern for both cloud vendors and customers alike is strong authentication, authorization, and encryption of data to and from the cloud. Users and administrators alike need to be authenticated—with strong or two-factor authentication—to ensure that only authorized personnel are able to access data. And, the data itself needs to be segmented to ensure there is no leakage to other users or systems. Most experts agree that AAA services along with secure, encrypted tunnels to manage your cloud infrastructure should be at the top of the basic cloud services offered by vendors. Since data can be housed at a distant location where you have less physical control, logical control becomes paramount, and enforcing strict access to raw data and protecting data in transit (such as uploading new data) becomes critical to the business. Lost, leaked, or tampered data can have devastating consequences. Secure services based on SSL VPN offer endpoint security, giving IT administrators the ability to see who is accessing the organization and what the endpoint device’s posture is to validate against the corporate access policy. Strong AAA services, L4 and L7 user Access Control Lists, and integrated application security help protect corporate assets and maintain regulatory compliance. Cloud computing, while quickly evolving, can offer IT departments a powerful alternative for delivering applications. 
Cloud computing promises scalable, on-demand resources; flexible, self-serve deployment; lower TCO; faster time to market; and a multitude of service options that can host your entire infrastructure, be a part of your infrastructure, or simply serve a single application. And one from Confucius himself: I hear and I forget. I see and I remember. I do and I understand.

ps

The STAR of Cloud Security
The Cloud Security Alliance (CSA), a not-for-profit organization with a mission to promote the use of best practices for providing security assurance within Cloud Computing, recently announced that they are launching (Q4 of 2011) a publicly accessible registry that will document the security controls provided by various cloud computing offerings. The idea is to encourage transparency of security practices among cloud providers and help users evaluate and determine the security of their current cloud provider or a provider they are considering. The service will be free. CSA STAR (Security, Trust and Assurance Registry) is open to all cloud providers, whether they offer SaaS, PaaS or IaaS, and allows them to submit self-assessment reports that document compliance in relation to the CSA published best practices. The CSA says that the searchable registry will allow potential cloud customers to review the security practices of providers, accelerating their due diligence and leading to higher-quality procurement experiences. There are two different types of reports that a cloud provider can submit to indicate their compliance with CSA best practices: the Consensus Assessments Initiative Questionnaire (CAIQ), a 140-question document which provides industry-accepted ways to document what security controls exist in IaaS, PaaS, and SaaS offerings, and the Cloud Control Matrix (CCM), which provides a controls framework that gives a detailed understanding of security concepts and principles aligned to the Cloud Security Alliance guidance in areas like ISACA COBIT, PCI, and NIST. Providers who choose to take part and submit the documents are on the ‘honor system’, since this is a self-assessment, and users will need to trust that the information is accurate.
CSA is encouraging providers to participate and says that, in doing so, they will address some of the most urgent and important security questions buyers are asking, and can dramatically speed up the purchasing process for their services. In addition to self-assessments, CSA will provide a list of providers who have integrated CAIQ and CCM and other components from CSA’s Governance, Risk Management and Compliance (GRC) stack into their compliance management tools. This should help those who are still a bit hesitant about Cloud services. The percentage of those claiming ‘security issues’ as a deterrent for cloud deployments has steadily dropped over the last year. Last year around this time, on any given survey, anywhere from 42% to 73% of respondents said cloud technology does not provide adequate security safeguards and that security concerns had prevented their adoption of cloud computing. In a recent cloud computing study from TheInfoPro, only 13% cited security worries as a cloud roadblock, behind up-front costs at 15%. A big difference from a year ago. In this most recent survey, they found ‘fear of change’ to be the biggest hurdle for cloud adoption. Ahhhh, change. One of the things most difficult for humans. Change is constant yet the basics are still the same - education, preparation, and anticipation of what cloud is about and what it can offer is a necessity for success. ps

References:
CSA focuses best-practice lens on cloud security
Assessing the security of cloud providers
CSA Registry Strives for Security Transparency of Providers
Cloud Security Alliance Introduces Provider Trust and Assurance Registry
Transparency Key To Cloud Security
Cloud Security Alliance launches registry: not a moment too soon
Fear of Change Impedes Cloud Adoption for Many Companies
F5 Cloud Computing Solutions

CloudFucius Tunes into Radio KCloud
Set the dial and rip it off – all the hits from the 70s, 80s, 90s and beyond – you’re listening to the K-Cloud. We got The Puffy & Fluffy Show to get you going in the morning, Cumulous takes you through midday with lunchtime legion, Mist and Haze get you home with 5 o’clock funnies and drive-time traffic while Vapor billows overnight for all you insomniacs. K-Cloud; Radio Everywhere. I came across this article which discusses Radio’s analogue-to-digital transition and its slow but eventual move to cloud computing, and how ‘Embracing cloud computing requires a complete rethinking of the design, operation and planning of a station’s data center.’ Industries like utilities, technology, insurance, government and others are already using the cloud while the broadcast community is just starting its exploration, according to Tom Vernon, a long-time contributor to Radio World. Like many of you, I grew up listening to the radio (music, I’m not that old) and still have a bunch of hole-punched record albums for being the 94th caller. I listened to WHJY (94-HJY) in Providence and still remember the day in 1981 when it switched from JOY, a soft, classical station, to Album-Oriented Rock. Yes, I loved the hair-metal, arena rock, new wave, pop and most of what they now call classic rock. It’s weird remembering ‘Emotional Rescue’ and ‘Love Rollercoaster’ playing on the radio as Top 40 hits and now they are considered ‘classics.’ Um, what am I then?!? That article prompted me to explore the industries that have not embraced the cloud, and why. Risk-averse industries immediately come to mind, like financial and health care. There have been somewhat contradictory stories and surveys recently indicating both that they are hesitant to adopt the cloud and that they are ready to embrace it. A survey by LogLogic says that 60% of the financial services sector felt that cloud computing was not a priority or they were risk-averse to cloud computing.
This is generally an industry that historically has been an early adopter of new technologies. The survey indicates that they will be spending IT dollars on ‘essential’ needs and that security questions and data governance concerns are what’s holding them back from cloud adoption. About a week later, results from a survey done by The Securities Industry and Financial Markets Association (SIFMA) and IBM reported that there is now a strong interest in cloud computing after a couple of years of reluctance. The delay was due to the cost of implementing new technologies and the lack of talent needed to manage those systems. Security is not the barrier that it once was since their cloud strategies now include security ramifications. They better understand the security risks and calculate that into their deployment models. This InformationWeek.com story says that the financial services industry is indeed interested in cloud computing, as long as it’s a Private Cloud. The ones behind the corporate firewall, not Public floaters. And that security was not the real issue; regulations and compliance with international border laws were the real holdback. In the healthcare sector, according to yet another survey, Accenture says that 73% said they are planning cloud movements while nearly one-third already have deployed cloud environments. This story also says that ‘healthcare firms are beginning to realize that cloud providers actually may offer more robust security than is available in-house.’ Is there a contradiction? Maybe. Rather, I think it shows natural human behavior and progression when facing fears. If you don’t understand something and there is a significant risk involved, we’ll generally say ‘no thanks’ to preserve our safety and security. As the dilemma is better understood and some of the fears are either addressed or accounted for, the threat level is reduced and progress can be made.
This time around, while there are still concerns, we are more likely to give it a try since we know what to expect. A risk assessment exercise gives us the tools to manage the fears. Maybe the threat is high but the potential of it occurring is low, or the risk is medium but we now know how to handle it. It’s almost like jumping out of a plane. If you’ve never done it, that first 3000ft tethered leap can be frightening – jumping at that height, hoping a huge piece of fabric will hold and glide you to a safe landing on the ground. But once you’ve been through training, practiced it a few times, understand how to deploy your backup ‘chute and realize the odds are in your favor, then it’s not so daunting. This may be what’s happening with risk-averse industries and cloud computing. Initially, the concerns, lack of understanding, lack of visibility, lack of maturity, lack of control, lack of security mechanisms and their overall fear kept these entities away, even with the lure of flexibility and potential cost savings. Now that there is a better understanding of what types of security solutions a cloud provider can and cannot offer, along with the knowledge of how to address specific security concerns, it’s not so scary anymore. Incidentally, I had initially used KCLD and WCLD for my cloud stations until I realized that they were already taken by real radio stations out of Minnesota and Mississippi. And one from Confucius: Everything has its beauty but not everyone sees it. ps

The CloudFucius Series: Intro, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12

CloudFucius Says: Blog Series, Good Idea
Last year I wrote a blog series called ‘26 Short Topics About Security’ covering an alphabet soup of stories. It seemed to be well received and this year I’ve decided to do another – this time focused on Cloud Computing with ‘CloudFucius’ as my guide. Confucius, of course, was a Chinese philosopher who focused on personal growth, morals, good judgment, ethics and many other life-enlightening behaviors. He lived around 500BC and is credited with ‘Do not impose on others what you yourself do not desire,’ and many other gems like ‘Choose a job you love, and you will never have to work a day in your life.’ First, I want to stake a claim here that CloudFucius (TM) is mine and I have started the copyright process. :-) I googled and did a copyright search for 'Cloudfucius' and absolutely nothing gets returned, which actually surprised me. 'Cloud-fucius' returns a bunch of 'fucius' stuff so I figured it’s good to take. If you do have any rights, speak up now. While I am well versed with the security stories, I can admit I'm no cloud super-expert; knowledgeable but certainly not to the level of MacVittie, Ness and the rest. While weaving in what I do know, I was thinking of investigating a bunch of cloud topics that I’m not an expert on, learning along the way and reporting on it. Education for all, and playing off the fact that Confucius=wisdom. Hopefully CloudFucius will teach us something along the way. He’ll start next week with some easy doctrines like CloudFucius Says: AAA Important to Cloud and in later weeks move into other areas like CloudFucius Says: Secure Cloud is Possible. I’m looking forward to what we uncover, and CloudFucius is excited to spread some cloud knowledge to the masses and someday get a Hasbro toy and game named after him. 下 周 见 - 下 for Next; 周 for week; 见 for see/meet. ps