cloud security
44 Topics

Are Security Concerns Over the Cloud Unfounded?

Please find the English language post from which this was adapted here. It is undeniable that organizations adopting the cloud gain many advantages, including cost savings, business agility, and improved productivity for employees who use multiple computing devices. IDC reports that the global cloud market reached US$76.1 billion in 2014 and forecasts that it will grow 23.3% in 2015 to reach US$118 billion. It also expects more than 65% of IT departments to adopt hybrid cloud by 2016. Another market research firm, Technology Business Research (TBR), also says the cloud market will keep growing. According to TBR, in 2015 the global private cloud market will grow 35%, the public cloud market 25%, and the hybrid cloud market more than 50%. (source: IT World article) Despite the considerable number of ‘positive’ advantages and the market outlook, the single fatal ‘negative’ factor holding enterprises back from moving to the cloud is the one that companies worldwide rank as their top priority: security. Most people think the cloud is less secure than the traditional data center, or that there is no outstanding solution that resolves specific security problems such as data leaks. But that is not true. What makes end users uneasy is the loss of control. Although there are concerns about cloud computing, in reality cloud computing consists of more layers of security than the traditional data center. Cloud service providers want to offer the best security possible, since their reputation and business depend on it. They often invest in specific technologies and hire experts to secure the best capability to respond to security threats. In addition, the number of cloud security regulations and data protection laws designed to help organizations suffer less damage when unforeseeable attacks occur is increasing. Still, when CIOs decide to move applications from their own data center to the cloud, they hand over part of the protection of their entire data to someone else. That is why, beyond selecting a trustworthy and excellent cloud service provider, CIOs must strengthen security as much as they can in the areas they still control, and that is security within the application layer. F5’s solutions, which are strong in this area, help organizations consolidate security and access policies at the application layer using SAML (Security Assertion Markup Language) to exchange authentication and authorization data between parties. This lets organizations enforce policies consistently and ensure that users can always access essential services across all applications and environments, making cloud-based application deployments simpler and inherently more secure. In the end, when considering a move to the cloud with its many advantages, as our old proverb says, it is not wise to refuse to make soy sauce for fear of maggots; the right answer is to take proper and sure measures so that the ‘maggot’ of security concerns never appears.
Is There No Security System Capable of Guaranteeing Cloud Security?

Please find the English language post from which this was adapted here. The cloud is the computing platform of the future for enterprises, because it is believed to drive the level and pace of change within a company. Saving operational and capital costs, increasing agility in business processes, and improving productivity are the main factors making cloud computing grow ever faster, both worldwide and in Indonesia. The high rate of cloud computing adoption is reflected in a recent study by IDC. The study reveals that more than 65% of IT organizations worldwide are committed to adopting cloud technology before 2016. In Indonesia itself, according to the research firm International Data Corporation (IDC), the domestic cloud computing market was predicted to reach US$168 million in 2014 and to rise to US$377.8 million in 2017. Unfortunately, this rapid growth of cloud computing is still haunted by concerns about security and about how to protect the platform. The 2014 ‘Global Tech Adoption Index’ survey names security as the main factor preventing companies from implementing cloud computing. Many within enterprises hold the view that the security of a cloud-based data center is not as good as that of an on-premise data center, or even that no effective solution has been created to address specific security problems such as data leaks. This is not true. This view arises because prospective users feel they will lose full control over that data center. Despite the doubts about cloud computing, the fact is that a cloud-based data center can have better layers of security than an on-premise data center. What drives cloud security to become more robust? Cloud service providers are increasingly motivated to improve their security.

Security is the main factor affecting their reputation and the continuity of their business. Imagine if a service provider failed to maintain security: customers would not want to buy services from that company, let alone entrust their data to be stored in such an insecure system. To keep their business going, cloud service providers invest in security technologies and employ security professionals to optimize and ensure the security of their systems. Gartner forecasts that the cloud security market will grow from US$2.1 billion to US$3.1 billion in 2015, an increase of almost 33%. It must be remembered, however, that when a CIO decides to move enterprise applications from an on-premise data center to the cloud, the company actually gives up some control over the protection of its data. Because security is no longer fully controlled by the company, regardless of its trust in the cloud service provider, the CIO needs to ensure the security of company data as far as possible. One of the most feasible ways is to apply a protection system within the application layer. Protection within the application layer is one of the strengths of F5 Networks. F5’s solutions help consolidate security and access policies at the application layer using Security Assertion Markup Language (SAML). By consolidating SAML into the application layer, the company will be able to exchange authentication and authorization data between various parties. After that consolidation, the company will be able to enforce policies and ensure that end users can securely access those services whenever and wherever they are.

By using F5’s solutions, deploying a cloud-based platform in the enterprise becomes simpler and, of course, more secure.

CloudFucius Wonders: Can Cloud, Confidentiality and The Constitution Coexist?
This question has been puzzling a few folks of late, not just CloudFucius. The judicial/legal side of the internet seems to have gotten some attention lately, even though courts have been trying to make sense of and catch up with technology for some time, probably since the Electronic Communications Privacy Act of 1986. There are many issues involved here, but a couple stand out for CloudFucius. First, there is the ‘Privacy vs. Convenience’ dilemma. Many love and often need GPS navigators, whether it be a permanent unit in the vehicle or right from our handheld device, to get where we need to go. These services are most beneficial when searching for a destination, but the navigator is also a ‘tracking bug’ in that it records every movement we make. This has certainly been beneficial in many industries like trucking, delivery, automotive, retail and many others, even with some legal issues. It has helped locate people during emergencies and disasters. It has also helped in geo-tagging photographs. But we do give up a lot of privacy, secrecy and confidentiality when using many of the technologies designed to make our lives ‘easier.’ “Americans have a rather tortured relationship with privacy. They often say one thing ("Privacy is important to me") but do another ("Sure, thanks for the coupon, here's my Social Security Number"),” noted Lee Rainie, head of the Pew Internet and American Life Project, quoted in The Constitutional issues of cloud computing. You might not want anyone knowing where you are going, but by simply using a navigation system to get to your undisclosed location, someone can track you down. Often you don’t even need to be in navigation mode to be tracked – just having GPS enabled can leave breadcrumbs. Don’t forget, even the most minuscule trips to the gas station can still contain valuable data… to someone. How do you know your milk runs to the 7-Eleven aren’t being gathered and analyzed?

At the same time, where is that data stored, who has access, and how is it being used? I use GPS when I need it and I’m not suggesting dumping it, just wondering. I found a story where mobile coupons are being offered to your phone: depending on your GPS location, they can send you a coupon for a nearby merchant, along with this one about location-based strategies. Second is the Fourth Amendment in the digital age. In the United States, the 4th Amendment protects against unreasonable searches and seizures. Law enforcement needs to convince a judge that a serious crime has occurred or is occurring to obtain a warrant prior to taking evidence from a physical location, like your home. It focuses on physical possessions and space. For instance, if you are committing crimes, you can place your devious plans in a safe hidden in your bedroom, and law enforcement needs to present a search warrant before searching your home for such documents. But what happens if you decide to store your ‘Get rich quick scheme’ planning document in the cloud? Are you still protected? Can you expect certain procedures to be followed before that document is accessed? The Computer Crime & Intellectual Property Section of the US Dept of Justice site states: To determine whether an individual has a reasonable expectation of privacy in information stored in a computer, it helps to treat the computer like a closed container such as a briefcase or file cabinet.

The Fourth Amendment generally prohibits law enforcement from accessing and viewing information stored in a computer if it would be prohibited from opening a closed container and examining its contents in the same situation… Although courts have generally agreed that electronic storage devices can be analogized to closed containers, they have reached differing conclusions about whether a computer or other storage device should be classified as a single closed container or whether each individual file stored within a computer or storage device should be treated as a separate closed container. But you might lose that Fourth Amendment protection when you give control to a third party, such as a cloud provider. Imagine you wrote a play about terrorism and used a cloud service to store your document. Maybe there were some ‘surveillance’ keywords or triggers used as character lines. Maybe there is a scene at a transportation hub (train, airport, etc.) and the characters themselves say things that could be taken as domestic threats – out of context, of course. You should have some expectation that your literary work is kept just as safe/secure while in the cloud as it is on your powered-down hard drive or the stack of papers on your desk. And we haven’t even touched on compliance, records retention, computer forensics, data recovery and many other litigation issues. The cases continue to play out, and this blog entry only covers a couple of the challenges associated with cloud computing and the law, but CloudFucius will keep an eye on it for ya.

Many of the articles found while researching this topic:
The Constitutional issues of cloud computing
In digital world, we trade privacy for convenience
Cloud Computing and the Constitution
INTERNET LAW - Search and Seizure of Home Computers in Virginia
Time to play catch-up on Internet laws: The gap between technology and America's laws hit home last week in a court decision on network neutrality
FCC considers reclassification of Internet in push to regulate it
Personal texting on a work phone? Beware your boss
High Court Justices Consider Privacy Issues in Text Messaging Case
Yahoo wins email battle with US Government
How Twitter’s grant to the Library of Congress could be copyright-okay
Judge Orders Google To Deactivate User's Gmail Account
FBI Warrant Sought Google Apps Content in Spam Case
State court rules company shouldn't have read ex-staffer's private e-mails
District Took 56,000 Pictures From Laptops
Can the Cloud survive regulation?
Group challenging enhanced surveillance law faces uphill climb
Watchdogs join 'Net heavyweights in call for privacy law reform
Digital Due Process
Judge's judgment called into question
Dept of Justice Electronic Evidence and Search & Seizure Legal Resources
Electronic Evidence Case Digest
Electronic Evidence

Finally, you might be wondering why CloudFucius went from A to C in his series. Well, this time we decided to jump around but still cover 26 interesting topics. And one from Confucius himself: I am not one who was born in the possession of knowledge; I am one who is fond of antiquity, and earnest in seeking it there. ps The CloudFucius Series: Intro,

Security concerns over cloud: Are they unfounded?
The advantages for organisations adopting the cloud are undeniably many: cost savings, business agility and better productivity amongst employees who use a multitude of computing devices. According to IDC’s 5th annual survey of end-users, regional CIOs in Asia Pacific increased their spending on public cloud services and technologies in 2013 by 50 percent to US$7.5B. They are also more specific about which types of cloud models they will use and the workloads that will run on the cloud. IDC notes in its recent Vendor Spotlight paper that this move adds a level of complexity, especially in the management of applications: where should the myriad apps reside, and do organisations have the skill sets to ensure an adequate level of security for a growing network? Despite the significant number of ‘pros’, all it takes is one deadly and encompassing ‘con’ to deter enterprises from moving to the cloud, and it is one that many organisations globally and in Asia place top priority on: security! Most will think that the cloud is less secure than the traditional data center, or that there aren’t fantastic solutions designed to address specific security concerns such as data leaks. It’s not true. It is the loss of control that hinders the end-user’s peace of mind. Despite the hesitation about cloud computing, however, it in fact consists of more layers of security than traditional data centers. Cloud service providers are motivated to offer the best security, as their own business and reputation are at stake. They often invest in specific technology and employ dedicated professionals to ensure the highest ability to mitigate security breaches. There is also an increasing number of cloud security and compliance data protection laws to help assuage organisations should unforeseeable attacks happen.

Still, when CIOs choose to move applications from their own data centres out to the cloud, they are relinquishing part of their control over their entire data protection. This is why, apart from having faith in having chosen a good cloud service provider, CIOs need to enhance their security where they can: within the application layer. This is where F5 excels, helping organisations to consolidate security and access policies at the application layer using Security Assertion Markup Language (SAML) to exchange authentication and authorization data between parties. After which, they can consistently enforce policies and ensure vital services are available to users across applications and environments, making cloud-based deployments simpler and inherently more secure.

FedRAMP Federates Further
FedRAMP (Federal Risk and Authorization Management Program), the government’s cloud security assessment plan, announced late last week that Amazon Web Services (AWS) is the first agency-approved cloud service provider. The accreditation covers all AWS data centers in the United States. Amazon becomes the third vendor to meet the security requirements detailed by FedRAMP. FedRAMP is the result of the US Government’s work to address security concerns related to the growing practice of cloud computing, and it establishes a standardized approach to security assessment, authorizations and continuous monitoring for cloud services and products. By creating industry-wide security standards and focusing more on risk management, as opposed to strict compliance with reporting metrics, officials expect to improve data security as well as simplify the processes agencies use to purchase cloud services. FedRAMP is looking toward full operational capability later this year. As both the cloud and the government’s use of cloud services grew, officials found that there were many inconsistencies in requirements and approaches as each agency began to adopt the cloud. Launched in 2012, FedRAMP’s goal is to bring consistency to the process but also give cloud vendors a standard way of providing services to the government. And with the government’s cloud-first policy, which requires agencies to consider moving applications to the cloud as a first option for new IT projects, this should streamline the process of deploying to the cloud. This is an ‘approve once, and use many’ approach, reducing the cost and time required to conduct redundant, individual agency security assessments. AWS's certification is for 3 years. FedRAMP provides an overall checklist for handling risks associated with Web services that would have a limited or serious impact on government operations if disrupted.

Cloud providers must implement these security controls to be authorized to provide cloud services to federal agencies. The government will forbid federal agencies from using a cloud service provider unless the vendor can prove that a FedRAMP-accredited third-party organization has verified and validated the security controls. Once approved, the cloud vendor would not need to be ‘re-evaluated’ by every government entity that might be interested in their solution. There may be instances where additional controls are added by agencies to address specific needs. The BIG-IP Virtual Edition for AWS includes options for traffic management, global server load balancing, application firewall, web application acceleration, and other advanced application delivery functions. ps

Related:
Cloud Security With FedRAMP
FedRAMP Ramps Up
FedRAMP achieves another cloud security milestone
Amazon wins key cloud security clearance from government
CLOUD SECURITY ACCREDITATION PROGRAM TAKES FLIGHT
FedRAMP comes fraught with challenges
F5 iApp template for NIST Special Publication 800-53
Now Playing on Amazon AWS - BIG-IP
Connecting Clouds as Easy as 1-2-3
F5 Gives Enterprises Superior Application Control with BIG-IP Solutions for Amazon Web Services

Hybrid – The New Normal
From Cars to Clouds, The Hybrids are Here

Most of us are hybrids. I’m Hawaiian and Portuguese with a bit of English and old time Shogun. The mix is me. I bet you probably have some mix from your parents, which makes you a hybrid. The U.S. has been called the melting pot due to all the different ethnicities that live here. I’ve got hybrid seeds for planting – my grass is a hybrid that contains 90% fescue and 10% bluegrass so bare spots grow back, and I’ve also got some hybrid corn growing. With the drought this year, some farmers are using more drought-resistant hybrid crops. There are hybrid cats, hybrid bicycles and of course hybrid cars, which have a 3% market share according to hybridcars.com. My favorite has always been SNL’s Shimmer Floor Wax – A Floor Wax and a Dessert Topping! Hybrid is the new normal. Hybrid has even made its way into our IT terminology with hybrid cloud and hybrid infrastructures. There are Public Clouds, those cloud services that are available to the general public over the internet; Private (Internal or Corporate) Clouds, which provide cloud-hosted services to an authorized group of people in a secure environment; Hybrid Clouds, which are a combination of at least one public cloud and one private cloud; and, what I think will become the norm, a Hybrid Infrastructure or Hybrid IT, where there is a full mix of in-house corporate resources, dedicated servers, virtual servers, cloud services and possibly leased raised floor – resources are located anywhere data can live, but not necessarily all-cloud. This past June, North Bridge Venture Partners announced the results of its second annual Future of Cloud Computing Survey, which noted that companies are growing their trust in cloud solutions, with 50% of respondents confident that cloud solutions are viable for mission critical business applications.

At the same time, scalability remains the top reason for adopting the cloud, with 57% of companies identifying it as the most important driver for cloud adoption. Business agility ranked second, with 54% of respondents focused on agility. They also noted that cloud users are changing their view with regard to public vs. hybrid cloud platforms. Today, 40% of respondents are deploying public cloud strategies, with 36% emphasizing a hybrid approach, and within five years hybrid clouds will be the emphasis of 52% of respondents’ cloud strategies. Most respondents (53%) believe that cloud computing maintains a lower TCO and creates a less complex IT. Earlier this year, CIO.com ran a story called Forget Public Cloud or Private Cloud, It's All About Hyper-Hybrid, where they discussed that as more organizations adopt cloud services, both public and private, for mission critical business operations, connecting, integrating and orchestrating the data back to the core of the business is critical but a challenge. It’s no longer about cloud but about clouds: multiple cloud services that must link back to the core and to each other. Even in organizations that are cloud heavy, IT shops need to keep up the on-premise side as well, since it's not likely to go anywhere soon. They offer 5 attributes that, if relevant to a business problem, make the cloud a potential fit: predictable pricing, ubiquitous network access, resource pooling and location independence, self-service, and elasticity of supply. If you are heading in the hybrid direction, then take a look at BCW’s article from April this year called Hybrid Cloud Adoption Issues Are A Case In Point For The Need For Industry Regulation Of Cloud Computing. They discuss that the single most pressing issue with hybrid cloud is that it is never really yours, which obviously leads to security concerns.

Even when a ‘private cloud’ is hosted by a third party, 100% control is still impossible, since an organization is still relying on ‘others’ for certain logistics. Plus, interoperability is not guaranteed. So a true hybrid is actually hard to achieve, with security and interoperability issues still a concern. The fix? Vladimir Getov suggests a regulatory framework that would allow cloud subscribers to undergo a risk assessment prior to data migration, helping to make service providers accountable and provide transparency and assurance. He also mentions the IEEE's Cloud Computing Initiative, with the goal of creating some cloud standards. He states that a global consensus on regulation and standards will increase trust and lower the risk to organizations when precious data is in someone else’s hands. The true benefits of the cloud will then be realized. ps

References:
Forget Public Cloud or Private Cloud, It's All About Hyper-Hybrid
Hybrid Cloud Adoption Issues Are A Case In Point For The Need For Industry Regulation Of Cloud Computing
2012 Future of Cloud Computing Survey Exposes Hottest Trends in Cloud Adoption
Cloud Computing Both More Agile and Less Expensive
How to Protect Your Intellectual Property in the Cloud
The IEEE's Cloud Computing Initiative
IEEE Cloud Computing Web Portal
Charting a course for the cloud: The role of the IEEE
The Venerable Vulnerable Cloud
Cloud vs Cloud
FedRAMP Ramps Up
The Three Reasons Hybrid Clouds Will Dominate
F5 Cloud Computing Solutions

The Venerable Vulnerable Cloud
Ever since cloud computing burst onto the technology scene a few short years ago, security has always been a top concern. It was cited as the biggest hurdle in many surveys over the years, and in 2010 I covered a lot of those in my CloudFucius blog series. A recent InformationWeek 2012 Cloud Security and Risk Survey says that 27% of respondents have no plans to use public cloud services, while 48% of those respondents say their primary reason for not doing so is related to security: fears of leaks of customer and proprietary data. Certainly, a lot has been done to bolster cloud security and reduce the perceived risks associated with cloud deployments, and even with security concerns, organizations are moving to the cloud for business reasons. A new survey from Everest Group and Cloud Connect finds that cloud adoption is widespread. The majority of the 346 executive respondents, 57%, say they are already using Software as a Service (SaaS) applications, with another 38% adopting Platform as a Service (PaaS) solutions. The most common applications already in the cloud or in the process of being migrated to the cloud include application development/test environments (54%), disaster recovery and storage (45%), email/collaboration (41%), and business intelligence/analytics (35%). Also, the survey found that the two top benefits cloud buyers anticipate the most are more flexible infrastructure capacity and reduced time for provisioning, and 61% say they are already meeting their goals for achieving more flexibility in their infrastructures. There’s an interesting article by Dino Londis on InformationWeek.com called How Consumerization is Lowering Security Standards, where he talks about how mob rule, or the democratization of technology where employees can pick the best products and services from the market, is potentially downgrading security in favor of convenience. We all may forgo privacy and security in the name of convenience – just look at loyalty rewards cards.

You’d never give up so much personal info to a stranger, yet when a store offers a 5% discount and targeted coupons, we just might spill our info. He also includes a list of some of the larger cloud breaches so far in 2012. Also this week, the Cloud Security Alliance (CSA) announced more details of its Open Certification Framework and its partnership with BSI (British Standards Institution). The BSI partnership ensures the Open Certification Framework is in line with international standards. The CSA Open Certification Framework is an industry push that offers cloud providers a trusted global certification scheme. This flexible three-stage scheme will be created in line with the CSA's security guidance and control objectives. The Open Certification Framework is composed of three levels, each one providing an incremental level of trust and transparency to the operations of cloud service providers and a higher level of assurance to the cloud consumer. Additional details can be found at: http://cloudsecurityalliance.org/research/ocf/

The levels are:
CSA STAR Self Assessment: The first level of certification allows cloud providers to submit reports to the CSA STAR Registry to indicate their compliance with CSA best practices. This is available now.
CSA STAR Certification: At the second level, cloud providers require a third-party independent assessment. The certification leverages the requirements of the ISO/IEC 27001:2005 management systems standard together with the CSA Cloud Controls Matrix (CCM). These assessments will be conducted by approved certification bodies only. This will be available sometime in the first half of 2013.
The STAR Certification will be enhanced in the future by a continuous monitoring-based certification. This level is still in development.

Clearly the cloud has come a long way since we were all trying to define it a couple of years ago, yet, also clearly, there is still much to be accomplished.

It is imperative that organizations take the time to understand their provider’s security controls and make sure that they protect your data as well as or better than you do. Also, stop by Booth 1101 at VMworld next week to learn how F5 can help with cloud deployments. ps

FedRAMP Ramps Up
Tomorrow June 6th, the Federal Risk and Authorization Management Program, the government’s cloud security assessment plan known as FedRAMP will begin accepting security certification applications from companies that provide software services and data storage through the cloud. On Monday, GSA issued a solicitation for cloud providers, both commercial and government, to apply for FedRAMP certification. FedRAMP is the result of government’s work address security concerns related to the growing practice of cloud computing and establishes a standardized approach to security assessment, authorizations and continuous monitoring for cloud services and products. By creating industry-wide security standards and focusing more on risk management, as opposed to strict compliance with reporting metrics, officials expect to improve data security as well as simplify the processes agencies use to purchase cloud services, according to Katie Lewin, director of the federal cloud computing program at the General Services Administration. As both the cloud and the government’s use of cloud services grew, officials found that there were many inconsistencies to requirements and approaches as each agency began to adopt the cloud. FedRAMP’s goal is to bring consistency to the process but also give cloud vendors a standard way of providing services to the government. And with the government’s cloud-first policy, which requires agencies to consider moving applications to the cloud as a first option for new IT projects, this should streamline the process of deploying to the cloud. This is an ‘approve once, and use many’ approach, reducing the cost and time required to conduct redundant, individual agency security assessment. Recently, the GSA released a list of nine accredited third-party assessment organizations—or 3PAOs—that will do the initial assessments and test the controls of providers per FedRAMP requirements. The 3PAOs will have an ongoing part in ensuring providers meet requirements. 
FedRAMP provides an overall checklist for handling risks associated with Web services that would have a limited, or serious impact on government operations if disrupted. Cloud providers must implement these security controls to be authorized to provide cloud services to federal agencies. The government will forbid federal agencies from using a cloud service provider unless the vendor can prove that a FedRAMP-accredited third-party organization has verified and validated the security controls. Once approved, the cloud vendor would not need to be ‘re-evaluated’ by every government entity that might be interested in their solution. There may be instances where additional controls are added by agencies to address specific needs. Independent, third-party auditors are tasked with testing each product/solution for compliance which is intended to save agencies from doing their own risk management assessment. Details of the auditing process are expected early next month but includes a System Security Plan that clarifies how the requirements of each security control will be met within a cloud computing environment. Within the plan, each control must detail the solutions being deployed such as devices, documents and processes; the responsibilities of providers and government customer to implement the plan; the timing of implementation; and how solution satisfies controls. A Security Assessment Plan details how each control implementation will be assessed and tested to ensure it meets the requirements and the Security Assessment Report explains the issues, findings, and recommendations from the security control assessments detailed in the security assessment plan. Ultimately, each provider must establish means of preventing unauthorized users from hacking the cloud service. The regulations allow the contractor to determine which elements of the cloud must be backed up and how frequently. Three backups are required, one available online. 
All government information stored on a provider's servers must be encrypted. When the data is in transit, providers must use a "hardened or alarmed carrier protective distribution system," which detects intrusions, if not using encryption. Since cloud services may span many geographic areas with various people in the mix, providers must develop measures to guard their operations against supply chain threats. Also, vendors must disclose all the services they outsource and obtain the board's approval to contract out services in the future. After receiving the initial applications, FedRAMP program officials will develop a queue order in which to review authorization packages. Officials will prioritize secure Infrastructure as a Service (IaaS) solutions, contract vehicles for commodity services, and shared services that align with the administration’s Cloud First policy. F5 has an iApp template for NIST Special Publication 800-53 which aims to make compliance with NIST Special Publication 800-53 easier for administrators of BIG-IPs. It does this by presenting a simplified list of configuration elements together in one place that are related to the security controls defined by the standard. This makes it easier for an administrator to configure a BIG-IP in a manner that complies with the organization's policies and procedures as defined by the standard. This iApp does not take any actions to make applications being serviced through a BIG-IP compliant with NIST Special Publication 800-53 but focuses on the configuration of the management capabilities of BIG-IP and not on the traffic passing through it. 
ps

Resources:
- Cloud Security With FedRAMP
- CLOUD SECURITY ACCREDITATION PROGRAM TAKES FLIGHT
- FedRAMP comes fraught with challenges
- FedRAMP about to hit the streets
- FedRAMP takes applications for service providers
- Contractors dealt blanket cloud security specs
- FedRAMP includes 168 security controls
- New FedRAMP standards first step to secure cloud computing
- GSA to tighten oversight of conflict-of-interest rules for FedRAMP
- What does finalized FedRAMP plan mean for industry?
- New FedRAMP standards first step to secure cloud computing
- GSA reopens cloud email RFQ
- NIST, GSA setting up cloud validation process
- FedRAMP Security Controls Unveiled
- FedRAMP security requirements benchmark IT reform
- FedRAMP baseline controls released
- Federal officials launch FedRAMP

IPExpo London Presentations
A few months back I attended and spoke at the IPExpo 2011 at Earl’s Court Two in London. I gave 3 presentations which were recorded and two of them are available online from the IPExpo website. I haven’t figured out a way to download or embed the videos but did want to send the video links. The slides for each are also available. Sign-up (free) may be required to view the content but it’s pretty good, if I do say so myself.

A Cloud To Call Your Own – I was late for this one due to some time confusion, but I run in, get mic’d and pull it all together. I run thru various areas of focus/concern/challenges of deploying applications in the cloud – many of them no different than a typical application in a typical data center. The Encryption Dance gets its first international performance and the UK crowd wasn’t quite sure what to do. It is the home of Monty Python, isn’t it?

Catching up to the Cloud: Roadmap to the Dynamic Services Model – This was fun since it was later in the afternoon and there were only a few folks in the audience. I talk about the need to enable enterprises to add, remove, grow and shrink services on-demand, regardless of location.

ps

Related:
- F5 EMEA
- London IPEXPO 2011
- London IPEXPO 2011 - The Wrap Up
- F5 EMEA Video
- F5 Youtube Channel
- F5 UK Web Site

Technorati Tags: F5, ipexpo, integration, Pete Silva, security, business, emea, technology, trade show, big-ip, video, education

Cloud Security With FedRAMP
Want to provide Cloud services to the federal government? Then you’ll have to adhere to almost 170 security controls under the recently announced Federal Risk and Authorization Management Program. The program, set to go live in June, is designed to analyze/audit cloud computing providers for federal government agencies, expedite security clearances for cloud providers and foster the adoption of cloud computing by the Federal government. FedRAMP is meant to provide a baseline for low to moderate risk systems and is based on the NIST cyber-security Special Publication 800-53 Revision 3.

FedRAMP provides an overall checklist for handling risks associated with Web services that would have a limited or serious impact on government operations if disrupted. Cloud providers must implement these security controls to be authorized to provide cloud services to federal agencies. The government will forbid federal agencies from using a cloud service provider unless the vendor can prove that a FedRAMP-accredited third-party organization has verified and validated the security controls. Once approved, the cloud vendor would not need to be ‘re-evaluated’ by every government entity that might be interested in their solution. There may be instances where agencies add controls to address specific needs. Independent, third-party auditors are tasked with testing each product/solution for compliance, which is intended to save agencies from doing their own risk management assessments.

Details of the auditing process are expected early next month, but they include a System Security Plan that clarifies how the requirements of each security control will be met within a cloud computing environment. Within the plan, each control must detail the solutions being deployed, such as devices, documents and processes; the responsibilities of the provider and the government customer in implementing the plan; the timing of implementation; and how the solution satisfies the control.
A Security Assessment Plan details how each control implementation will be assessed and tested to ensure it meets the requirements, and the Security Assessment Report explains the issues, findings, and recommendations from the security control assessments laid out in the Security Assessment Plan. Ultimately, each provider must establish means of preventing unauthorized users from hacking the cloud service. The regulations allow the contractor to determine which elements of the cloud must be backed up and how frequently. Three backups are required, one of them available online.

All government information stored on a provider's servers must be encrypted. When the data is in transit, providers that are not using encryption must use a "hardened or alarmed carrier protective distribution system," which detects intrusions. Since cloud services may span many geographic areas with various people in the mix, providers must develop measures to guard their operations against supply chain threats. Also, vendors must disclose all the services they outsource and obtain the board's approval to contract out services in the future.

More details of the FedRAMP program will be available from the General Services Administration by February 8th, but they have already started accepting applications for third party assessment vendors.

ps

Resources:
- Contractors dealt blanket cloud security specs
- FedRAMP includes 168 security controls
- New FedRAMP standards first step to secure cloud computing
- GSA to tighten oversight of conflict-of-interest rules for FedRAMP
- What does finalized FedRAMP plan mean for industry?
- New FedRAMP standards first step to secure cloud computing
- GSA reopens cloud email RFQ
- NIST, GSA setting up cloud validation process
- FedRAMP Security Controls Unveiled
- FedRAMP security requirements benchmark IT reform
- FedRAMP baseline controls released
- Federal officials launch FedRAMP
- Audio: Steven VanRoekel announces FedRAMP
- NIST: Cloud providers should adopt portability standards
- Cloud security breach inevitable as businesses underestimate security due diligence

Technorati Tags: F5, federal government, integration, cloud computing, Pete Silva, security, business, fedramp, technology, nist, cloud, compliance, regulations, web, internet