DeepSec 2013 Talk: From Misconceptions To Failure – Security And Privacy In The US Cloud Computing FedRAMP Program
The „Cloud“ doesn’t stop when it comes to government data. Once government authorities start outsourcing, a lot more regulations need to be reviewed. Mikhail Utin talks about new results and continues his presentation from last year’s DeepSec conference:
Our second presentation at DeepSec on so-called “Cloud Computing” (CC) and associated services (CCS) considers the practical implementation of the “concept” by the US government in its FedRAMP program, which is expected to convert all government IT services into “cloud”-based ones.
Our first (DeepSec 2012) presentation considered whether such a “concept” is useful to protect privacy and to implement such regulation as the EU General Data Protection Regulation (GDPR) proposal.
In fact, we have shown that CC is misleading terminology, providing a confusing name to describe well-known IT infrastructure, which is little more than a hosting service. CC does not help in creating appropriate privacy protection models, and thus is useless in the implementation of high-level regulations like the GDPR.
To rule out any further questions concerning the utilization of CC/CC Services, we conducted research on how this “concept” helps to secure information in IT infrastructures. In particular, we were interested to see how it provides security in such a large-scale implementation as the US government FedRAMP program.
National Institute of Standards and Technology (NIST) 800-series documents are the foundation of any US government information security effort. During the last few years, NIST has updated various documents to lay down the foundation of information security and privacy protection for the “new generation” of federal information systems, which is based on the CC/CCS “concept”.
In its essence, this “new concept” has been used by the US government quite intensively for the last 10 years, namely outsourcing services and infrastructure to commercial organizations. A new “cloud wrap” of the same outsourcing process should provide the way to get support from US legislation. However, since the beginning of this process, the greatest concern has been information security. Thus, the updated NIST and FedRAMP documents should describe how security in the “cloud” is implemented. The purpose of this presentation is to analyze the outcome of the mutual NIST and FedRAMP efforts and to use this analysis to determine the security and the privacy protection in the “cloud” servicing federal information systems.
We have the following documents identifying what “cloud security” and its associated risks should be:
- NIST SP-800-53 R4 – Security and Privacy Controls for Federal Information Systems and Organizations, April 2013
- NIST SP-800-37 R1 – Guide for Applying the Risk Management Framework to Federal Information Systems, February 2010
- NIST SP-800-144 – Guidelines on Security and Privacy in Public Cloud Computing, December 2011 (current version)
- NIST SP-800-145 – The NIST Definition of Cloud Computing, September 2011 (current version)
- NIST SP-800-146 – Cloud Computing Synopsis and Recommendations, May 2012 (current version)
- FedRAMP documents, including FedRAMP Baseline Security Controls
All these documents create a path to identify how information security and privacy protection are implemented. The three CC-related documents should explain what exactly the CC “concept” is and what information security in the “cloud” is all about. The Risk Management Framework explains risks and how they are addressed. We have already discussed that the interconnection of legal entities carries very specific risks, which we named “border risks”. Such risks were not considered in previous versions of the NIST Risk Management Guide. The NIST Security and Privacy Controls standard identifies security and data protection controls. Finally, the FedRAMP documents should identify exactly which information security and data privacy protection controls should be used – considering the CC security concept, risks, recommended controls, and how the management of the program sees security and privacy implementation.
While our previous research has shown that the CC “concept” is useless and harmful in the case of implementing complex information security and privacy protection regulation, we yet have to see in detail what NIST recommends and requires, and what FedRAMP is going to implement.
We believe that our research will answer numerous concerns and questions about CC security and privacy protection, and will provide an important practical lesson for US citizens as well as for citizens of other countries because of the US implementation of the FedRAMP program. They may still be planning the utilization of “Cloud Computing Services”. Maybe now is the time to reconsider it?
If you are part of a government authority considering a „Cloud“-based infrastructure, or if you work for a company tasked with implementing one, you are strongly advised to attend Mikhail’s talk.
“…we yet have to see in detail what NIST recommends and requires and what FedRAMP is going to implement…”
NIST publications provide recommendations for commercial organizations and government agencies/departments to follow. It is up to each information system provider to document how they utilize the recommendations in their documentation of the system and in how the system is developed. Each cloud provider will have their own unique descriptions of meeting the recommendations, as it is up to the cloud provider to tell the sponsoring agency or the FedRAMP JAB how their system meets the recommendations.
FedRAMP wants to see, through documentation (e.g. SSP approval) and the security testing (e.g. security package development) how the cloud provider intends to address the FedRAMP requirements for the purpose of hosting government data.
We have many resources on FedRAMP in our Learning Center, including a webinar on lessons learned from our experience in working with commercial cloud providers in the FedRAMP process and achieving a P-ATO.