Information Security Governance
Government Considerations for the Cloud Computing Environment

by
Jamie Miller
miller_jamie@bah.com
Larry Candler
candler_larry@bah.com
Hannah Wald
wald_hannah@bah.com
Table of Contents
Introduction
Public Clouds
Private Clouds
Community Clouds
Hybrid Clouds
Information Security Management and Governance Framework
Architecting and Establishing the Information Security Program (PLAN)
Representative CCE-Related Artifacts of the Plan Phase
Implementing and Operating the Information Security Program (DO)
Monitoring and Measuring the Information Security Program (CHECK)
Managing and Improving the Information Security Program (ACT)
Representing CCE-Related Artifacts of the Check and Act Phases
Summary and Conclusions
Glossary of Acronyms
Glossary of Terms
About Booz Allen
Principal Offices
4. Information Security Governance
Government Considerations for the Cloud Computing Environment
Introduction
“Cloud computing is a model for enabling convenient, Outcomes of Effective Information
on-demand network access to a shared pool of configurable Security Governance in a CCE
computing resources (e.g., networks, servers, storage,
• Strategic Alignment—Information security
applications, and services) that can be rapidly provisioned
practices aligned with the agency’s
and released with minimal management effort or service
enterprise strategy and agreed-upon risk
provider interaction.” 1
profile
Moving information assets to a cloud computing
• Value Delivery—A standard set of
environment (CCE) offers the cloud user the potential
information to effectively manage and
for reduced costs, on-demand self-service, ubiquitous
monitor cloud provider security controls
network access, location-independent resource
pooling, rapid elasticity, and measured service. CCEs • Risk Management—An understanding of
are offered in a variety of deployment and service accepted risk exposure
models, as this paper describes, each with its own
• Performance Measurement—A
characteristics for cost/benefit, efficiency, flexibility,
measurement process with feedback on
risk, and cloud consumer control. Although the
progress made
potential cost savings and flexibility advantages of
operating in the cloud are compelling, cloud users
need to understand the security risks, compliance
complications, and potential legal issues inherent in
the CCE. Federal agencies desiring to take advantage relevant to that framework to help inform agency
of cloud computing benefits will need to invest in leaders, information security professionals, and
proactive and strategic management of the new information security governance participants on how
environment. To do so, they must implement or to take advantage of the benefits of the CCE without
modify information security management systems and exposing their mission to excessive information
governance programs to mitigate security risks and security risk or potential legal and regulatory
comply with their legal, regulatory, and contractual compliance failures.
security requirements.
Information security governance is the mechanism
As with the adoption of other new technologies and through which organizations can ensure effective
service offerings, transition to the CCE will likely be management of information security. Booz Allen
evolutionary, not revolutionary. Many organizations, Hamilton developed the information security
particularly federal agencies, will migrate some management and governance framework presented
capabilities to the cloud while maintaining existing in this paper. We have also customized it for—and
computing environments for other capabilities, thus implemented it in—several government and commercial
operating in a hybrid mode for the foreseeable future.2 client environments. The focus of this paper is the
The goal of this paper is to present an information adaptation of our information security governance
security governance framework and key considerations model for federal government entities planning to
1Please see http://csrc.nist.gov/groups/SNS/cloud-computing/index.html.
2Cloud Computing User Transition Framework (C3F), Booz Allen Hamilton, 2009.
1
5. become users of cloud computing services. Potential cloud consumers from effectively measuring or
cloud service providers to the Government will require demonstrating compliance with any kind of security
a somewhat different adaptation of the information requirements. In the future, providers of public services
security management and governance framework, but will probably adapt their offerings and increase the
this will be the topic of a separate white paper. flexibility of SLAs and contracts to better accommodate
the unique legal, regulatory, and contractual
Before we present our proposed information security
information security compliance requirements of
governance framework, it is first necessary to review
the federal government environment. Some positive
the challenges and risks associated with each of the
signs of movement in this direction are beginning
four existing cloud computing deployment models. To
to appear in the market, as evidenced by Amazon’s
that effect, we offer a high-level description of each
recent introduction of optional “virtual private cloud”
deployment model, including graphical depictions.
services that combine the outsourcing advantages of
public clouds with increased customer visibility, control,
Public Clouds and service tailoring. Organizations should limit public
The most common type of CCE is the public cloud. In
cloud deployment to public information and systems
this construct, the cloud infrastructure is owned and
with acceptable risk profiles and no legal or regulatory
operated by an organization that provides services to
security requirements until service providers adapt to
multiple enterprises and individuals on a utility basis
meet the user community’s security, compliance, and
(consumers are often referred to as “tenants”) (see
liability needs.4
Exhibit 1). Public clouds present the highest security
risk to federal agency cloud consumers because of the
lack of direct control over information security control
Private Clouds
In sharp contrast to the public cloud is the private
implementation and monitoring, global multi-tenancy
CCE. In the private cloud, the cloud infrastructure is
with other users, virtualization and data location
owned/leased and operated by a single organization
management, limited service-level agreement (SLA)
solely for the user community of that organization (see
flexibility, contractual liability limitations, and the
Exhibit 2). An example in the Federal Government is an
lack of common legal and regulatory environments
agency-wide cloud that offers services to all entities
between cloud providers and cloud consumers.3 Lack
within that agency. Cost efficiencies and economies
of visibility compounds these issues and prevents
of scale are likely to be more limited in private clouds
Exhibit 1 | Public Cloud Illustration
Many, Many Organizations
e.g.
Google
Internet Microsoft
Amazon
Core Network Public Clouds
Source: Booz Allen Hamilton
3This specific issue is addressed in depth by the Booz Allen Cloud Computing White 4Cloud Computing Security Report, Security Considerations for Public Cloud Service
Paper, June 2, 2008, and Booz Allen’s Cloud Computing Basics: Cloud Computing 101 Acquisition, Booz Allen Hamilton, August 2009.
(White Paper).
2
6. Exhibit 2 | Private Cloud Illustration
Organization’s Private Network
Internet
Core Network Private Cloud
Source: Booz Allen Hamilton
than public clouds, but information security risk and independent service provider with experience in
governance issues are minimized largely because of the community and knowledge of the specific user
the shared mission goals and legal/regulatory security community’s characteristics. Two examples in the
requirements between the cloud service provider and Federal Government are the Defense Information
the cloud consumers. Systems Agency (DISA) Rapid Access Computing
Environment (RACE) and the National Aeronautics and
Community Clouds Space Administration’s (NASA) Nebula (both are still in
In a community CCE, multiple tenant organizations with the early stages of development). Community clouds
many common characteristics (e.g., mission goals, represent a lower information security risk profile
legal and regulatory security requirements, compliance than a public cloud environment and fewer legal and
considerations) share the cloud infrastructure, thus regulatory compliance issues, but they carry certain
forming a “community” (see Exhibit 3). The cloud risks associated with multi-tenancy.
owner may be a member of the community or an
Exhibit 3 | Community Cloud Illustration
Internet
Organization #1 Private Network Organization #2 Private Network
Community Cloud
Source: Booz Allen Hamilton
3
7. Hybrid Clouds Information Security Management and
Hybrid CCEs represent a combination of two or Governance Framework
more cloud deployment models (e.g., two public Booz Allen developed the information security
clouds, one public and one community cloud) that management and governance framework and has
remain unique entities but are bound together by customized and deployed it in a variety of client
standardized or proprietary technology that enables environments. This framework is a system of
data and application portability throughout the hybrid management and functional processes implemented
environment (see Exhibit 4). As a result, hybrid clouds in a standard quality management (or Plan, Do, Check,
present a combination of the information security risks Act) cycle of continuous improvement. The framework
and governance challenges inherent in the deployment is based on evolving international standards5 and
models they combine. A combination of private and planned evolution of the National Institute of Standards
community clouds represents the lowest risk; a and Technology (NIST) Risk Management Framework.6
combination of multiple public cloud environments Seven management processes—strategy and planning,
presents the greatest information security risks and policy portfolio management, risk management,
challenges to legal and regulatory compliance. awareness and training, communication and outreach,
compliance and performance management, and
Each CCE presents a different profile of benefits and
management oversight—comprise this framework and
risks that organizations should carefully consider
support the functional processes of the Do phase (see
before cloud adoption. Organizations should use a
Exhibit 5).
suitable framework that helps them address risks
and ensures their requirements are met. Although Although the purpose of each of the seven framework
the information security management and governance processes will not change when applied to a CCE,
model we describe in the next section can be adapted many of the process considerations and required
to any of the cloud computing deployment models, we actions will need to be modified to effectively plan,
focus our discussion primarily on information security manage, and govern information security in a CCE.
governance within the community cloud environment In all cases, it will be necessary to clarify specific
because we believe the community CCE is the most roles, responsibilities, and accountability for each
likely near-term adoption and migration strategy for major process step. Some steps may be points for
federal government agencies.
Exhibit 4 | Hybrid Cloud Illustration
Organization’s Private Network “Spill Over”
Internet Capacity as
Needed
Core Network Private Cloud
Public or Community Cloud
Source: Booz Allen Hamilton
5ISO/IEC 27001 Information Technology – Security Techniques – Information Security
Management Systems – Requirements.
6NIST SP 800-39 Managing Risk from Information Systems.
4
8. Exhibit 5 | Information Security Governance Framework
Architect and Establish (Plan) Implement and Operate (Do) Monitor and Review (Check, Act)
Management Processes Functional Processes Management Processes
Strategy and Human Communications
Asset
Planning Management Resources and Outreach
Security
Physical and Comms and
Environmental Operations
Security Management
Compliance and
Policy Portfolio Performance
Management Identity and Information Management
Access Systems
Management Acquisition
Incident Business
Risk Management Continuity Awareness and
Management Management
Training
Management
Oversight
Source: Booz Allen Hamilton
negotiation with prospective cloud service providers for These processes comprise the Plan phase of the
inclusion in SLAs and contracts. continual improvement process.
Our assumption in the following discussion is that
Strategy and Planning Process
management and governance processes are primarily
Strategy and planning are essential to an effective
the responsibility of a centralized information security
information security management and governance
function (such as the office of the Chief Information
program. The primary purposes of the strategy and
Security Officer [CISO]) for an agency or large
planning process are to—
government entity, with considerable participation by
information technology management (such as the • Establish information security program direction
office of the Chief Information Officer [CIO]). This and guide activities
centralized security and technology group would
• Ensure alignment of the information security
perform the cloud provider acquisition function
program with mission goals and objectives
and manage the service provider relationship over
the duration of the agreement. This group would • Define the information security program vision,
also provide the information, policy, and guidelines goals, requirements, and scope
necessary for users to follow when implementing cloud
computing-based services.
Architect and Establish (Plan) Implement and Operate (Do) Monitor and Review (Check, Act)
Management Processes Functional Processes Management Processes
Architecting and Establishing the Strategy and
Planning Asset Human Communications
and Outreach
Information Security Program (PLAN)
Management Resources
Security
Physical and Comms and
Environmental Operations
Designing and planning for an effective information Policy Portfolio
Security Management
Compliance and
Performance
Management Identity and Information Management
security governance structure occurs through three Access
Management
Systems
Acquisition
major management processes: strategy and planning, Incident Business
Risk Management Continuity Awareness and
Management Management
Training
policy portfolio management, and risk management.
Management
Oversight
5
9. • Ensure consistency with the enterprise information Policy Portfolio Management Process
security architecture
Architect and Establish (Plan) Implement and Operate (Do) Monitor and Review (Check, Act)
• Proactively plan activities to achieve goals and Management Processes Functional Processes Management Processes
meet requirements Strategy and
Planning Asset
Management
Human
Resources
Security
Communications
and Outreach
Physical and Comms and
• Determine the operating model to enable Environmental Operations
Security Management
Compliance and
Policy Portfolio Performance
Management Identity and Information Management
enterprise program efficiency. Access
Management
Systems
Acquisition
Incident Business
Risk Continuity Awareness and
The process is performed in collaboration with the
Management
Management Management
Training
risk management and policy portfolio management Management
Oversight
processes to ensure plans effectively communicate
management intent, clearly define roles and The major purposes of the security policy portfolio
responsibilities, sufficiently identify and address management process are to—
information security risks, and provide management
• Define and communicate management
clear choices for resource allocation and optimization.
expectations of information security
The activities of the strategy and planning process
• Translate goals and requirements into actionable
will not change significantly to accommodate the
mandates
use of cloud computing services, but additional
knowledge and understanding of the information • Establish clearly defined roles and responsibilities
security risks and issues related to compliance and for information security
performance management in varying cloud computing
• Inform compliance measurement
deployment and service models will be required.
The major impact of the CCE on the strategy and • Facilitate efficient and consistent implementations
planning process will be the development of CCE- with supporting standards, guidelines, and
based cost/benefit analyses that include the cost procedures.
of effective governance to manage risk and ensure
These purposes will not materially change when
legal, regulatory, and contractual compliance. In
applied to a CCE. However, the policy portfolio will
conjunction with the risk management process, the
require additional policies, guidelines, standards, and
strategy and planning process will define information
procedures to effectively communicate and govern
security implementations that are allowable for each
information security in a CCE. An overall policy on
cloud computing service model (refer to the Risk
rules governing agency acquisition and use of cloud
Management Process section) based on the relative
computing services will be needed to communicate
risk rating of the information and systems migrating
agency leadership intentions for the safe use of
to the cloud (e.g., cloud services allowed by system
cloud computing, as well as the authorization process
categorization). In addition, the process will clarify
required to initiate such use. Agencies will also need
roles, responsibilities, and accountability for baseline
to document guidelines for the appropriate evaluation
information security capabilities in each environment
and acquisition of cloud computing service providers,
allowed. The planning process will also determine
along with environments that meet information and
the cloud service provider contractual requirements
system risk and compliance requirements. Also, the
and negotiations and will include the long-term
policy portfolio management process (in coordination
management of the provider relationship.
with the strategy and planning and risk management
processes [Plan phase] and with the approval and
authority of the management oversight process [Act
6
10. phase]) will need to provide guidance on the minimum Architect and Establish (Plan) Implement and Operate (Do) Monitor and Review (Check, Act)
information security and compliance management Management Processes Functional Processes Management Processes
requirements to be included in SLAs and contracts with Strategy and
Planning Asset
Management
Human
Resources
Security
Communications
and Outreach
prospective cloud service providers. Physical and
Environmental
Comms and
Operations
Management
Security
Compliance and
Policy Portfolio Performance
Management Identity and Information Management
A review of all agency security policies must occur to Access
Management
Systems
Acquisition
determine the changes required to ensure effective Risk
Management
Incident
Management
Business
Continuity
Management
Awareness and
Training
governance in a cloud environment. Each policy should
be tailored to reflect the unique cloud deployment
Management
Oversight
model and account for the information and information
systems authorized for cloud migration. Additional policy • Enable better optimization of security expenditures,
and supporting guidance, standards, and procedures resources, and activities
will be necessary to effectively manage the functional • Inform security priorities and planning
control processes when operating in a CCE (e.g.,
configuration and change management guidelines, • Provide the basis for measuring information
incident management, chain of evidence and e-discovery, security program efficiency and effectiveness.
mission continuity of cloud services, the monitoring Risk management methodologies will require
and reporting of cloud service compliance, system and modification to effectively consider, treat, or accept
data life-cycle assurance, and compliance testing and the risks inherent in migrating agency information
assurance of cloud-based services). Guidelines may also and systems to a CCE. For practical reasons, we limit
be developed to specify mandatory and recommended our discussion to the use of private, community, or
tools for use in the monitoring and evaluation of cloud a hybrid of both CCEs as the most likely evolution of
service compliance and performance (e.g., certification federal agency CCE transition. As noted earlier, until
and accreditation [C&A] tools, technical compliance tools the providers of public cloud services make significant
such as Layer7). Policy decisions regarding each of the changes to their current offerings and SLAs, the use
functional control processes must account for the level of of those services by the Federal Government will
control each organization is willing to transfer to the cloud need to be limited to public information and systems
provider while ensuring the goals and requirements of the with minimal risk and no legal or regulatory security
information security program are met. requirements.
Risk Management Process Limiting our discussion to the use of private,
The risk management process will require modification community, or combined hybrid cloud services will
and significant additional variable considerations to still require the consideration and inclusion of
securely migrate agency services to a CCE. The primary additional risk factors related to the relative degrees
purposes of the risk management process include— of agency control over the service models adopted.
The risk methodology will also need to determine risk
• Enable information asset-based protection and mitigations and the residual risks of each service
mitigation planning model for the hierarchy of risk profiles associated
• Enhance the organization’s ability to select and with agency information assets and systems. For
apply protection based on the specific risks and example, agencies will need to modify their current
threats affecting an asset risk calculations that focus on system categorization,
privacy, and regulation to appropriately assess changes
• Ensure consistent information security risk to the risks of these systems when migrating to a CCE
assessment methodologies are used throughout utilizing one or more of the three cloud service models.
the organization
7
11. Exhibit 6 summarizes the models and their relative and SaaS builds on both IaaS and PaaS, resulting
risk. These example risk ratings may be modified to fit in an increasing assumption of control by the cloud
with agency-specific risk assessment methodologies, provider and therefore greater security risk to the cloud
but in general they are consistent with the degree consumer).
of direct agency control represented by each service
New risk analysis methodologies should be closely
model. Each cloud service model can be assessed as
monitored during the compliance and performance
an information service asset with unique risk ratings
management process (Check phase) and modified
and resultant control selection for risk mitigation (e.g.,
as necessary to reduce overall information security
contract terms, SLA content, compliance, monitoring
risk over time. In all cases, the modified risk analysis
tools).
methodologies and resulting risk rankings must be
The relative risk ratings increase as the cloud reviewed during the management oversight process
consumer moves from IaaS to PaaS and finally to (Act phase) to ensure management participation,
SaaS. The service models build on one another, risk awareness, review, and acceptance of both risk
resulting in cumulative risk as the cloud provider treatment options and resultant residual risks.
assumes more direct control (i.e., PaaS builds on IaaS,
Exhibit 6 | Service Model Risk Characteristics
Service Model Risk Characteristics Relative Additional
Risk
The capability provided to the cloud consumer is to rent processing,
storage, networks, and other fundamental computing resources and
Infrastructure
to deploy and run arbitrary software, which can include operating
as a service
systems and applications. The consumer does not manage or control Medium
(IaaS)
the underlying cloud infrastructure but has control over operating
systems, storage, deployed applications, and possibly select networking
components (e.g., firewalls, load balancers).
The capability provided to the consumer is to deploy consumer-
created applications onto the cloud infrastructure using programming
Platform as a
languages and tools supported by the provider (e.g., Java, Python,
Service (PaaS)
.Net). The consumer does not manage or control the underlying cloud High
infrastructure, network, servers, operating systems, or storage, but
the consumer has control over the deployed applications and possibly
application hosting environment configurations.
The capability provided to the consumer is to use the provider’s
applications running on a cloud infrastructure and accessible from
various client devices through a thin client interface, such as a web
Software as a browser (e.g., web-based e-mail). The consumer does not manage or Very High
Service (SaaS) control the underlying cloud infrastructure, network, servers, operating
systems, storage, or individual application capabilities, with the possible
exception of limited user-specific application configuration settings.
Source: Booz Allen Hamilton
8
12. Representative CCE-Related Artifacts of the Implementing and Operating the Information
Plan Phase Security Program (DO)
The three management processes of the information Because this paper focuses on information security
security governance framework’s Plan phase will governance, we will not discuss in detail the functional
produce several documents to inform and guide users processes that constitute the Do phase of the
in the effective and appropriate use of cloud computing Plan, Do, Check, Act cycle. The implementation and
services. Some specific examples are included in operation of information security controls contained
each process description, but Exhibit 7 summarizes in each of the functional process areas will vary
artifacts that are typical outputs of the governance
Architect and Establish (Plan) Implement and Operate (Do) Monitor and Review (Check, Act)
model and that will likely have specific references to
Management Processes Functional Processes Management Processes
operating in a CCE. In some cases, the cloud provider Strategy and
Planning Asset Human Communications
and Outreach
Management Resources
may be partially or completely responsible for these
Security
Physical and Comms and
Environmental Operations
artifacts, depending on the final agreements between Policy Portfolio
Security Management
Compliance and
Performance
Management Identity and Information Management
the cloud consumer and the cloud provider. Access
Management
Systems
Acquisition
Incident Business
Risk Management Continuity Awareness and
Management Management
Training
Management
Oversight
Exhibit 7 | Plan Phase Artifacts
Management Example Artifact Contract/SLA Implications
Process
• Security Strategic Plan • Goal Performance
• Consolidated Security Requirements • Requirements Compliance
• Organization Model Modifications • Relationship Management
Strategy &
• Roles & Responsibilities Charts • Consumer/Provider
Planning
• CCE Implementation Plans • None
• Budget & Resource Requirements • None
• CCE Contract & SLA • Terms & Conditions
• CCE Security Policy • Terms & Conditions
• CCE Acquisition Policy • Terms & Conditions
• CCE Authorization Procedure • None
Policy Portfolio • CCE Standards/Guidelines • None
Management • CCE Monitoring/Compliance Tools • Terms & Conditions
• CCE Configuration Guidelines • Technical Compliance
• CCE-Specific Processes • Terms & Conditions
• Risk Management Procedure • None
• Risk Methodology Modifications • None
• Service Model Risks • None
Risk
• Risk Assessment Reports • None
Management
• CCE Controls & Risk Treatments • Terms/Responsibilities
• Systems/Assets Allowed in CCE • None
Source: Booz Allen Hamilton
9
13. significantly depending on CCE deployment and the • Clarify roles and responsibilities
service models employed. However, other Booz Allen papers address the implementation and operation of information security functional processes and controls, and this topic is not essential to discussions related to the effective management and governance of information security in a cloud environment.

Monitoring and Measuring the Information Security Program (CHECK)

Three management processes are included in the Check phase of the information security management and governance framework: awareness and training, communication and outreach, and compliance and performance management. Of these three, the compliance and performance management process represents the area with the most significant issues for consideration when migrating services to a CCE.

[Figure: the information security management and governance framework. Architect and Establish (Plan), Management Processes: Strategy and Planning; Policy Portfolio Management; Risk Management. Implement and Operate (Do), Functional Processes: Asset Management; Human Resources Security; Physical and Environmental Security; Comms and Operations Management; Identity and Access Management; Information Systems Acquisition; Incident Management; Business Continuity Management. Monitor and Review (Check, Act), Management Processes: Communications and Outreach; Compliance and Performance Management; Awareness and Training; Management Oversight.]

Awareness and Training and Communication and Outreach Processes

The major purposes of these management processes are complementary and similar. The purposes include—
• Consistently communicate the importance of information security throughout the organization
• Educate staff on required actions related to changes in regulatory, legislative, and other mandates
• Broaden and deepen the security awareness of the organization
• Enhance compliance through better understanding and knowledge
• Drive the ongoing competency of information security staff.

Execution of these important management processes will not vary as a result of the introduction of a CCE. However, the processes will need to include formal awareness, training, communication, and outreach to inform all relevant agency users of the new policies, guidelines, standards, procedures, risks, and compliance issues related to the migration of information services to a CCE.

Compliance and Performance Management Process

Compliance and performance management is the key process in the Check phase of the framework. The primary purposes of the process include—
• Create regular measurement and reporting of progress and issues
• Inform and prioritize program improvements
• Record progress toward achieving strategic goals and compliance with requirements
• Drive continuous improvement of the information security program
• Minimize potential for recurrence of systemic issues
• Optimize consistency and efficiency of security implementations
• Inform modifications to risk analyses and risk mitigations
• Measure and report on compliance with legal, regulatory, and contractual requirements; internal policies; and technical guidelines and standards.

The purposes of the compliance and performance management process remain unchanged in a CCE, but the execution of the process will require significant modification to effectively monitor and measure compliance and performance in the cloud. Focusing again on agency use of private clouds, community clouds, or hybrid combinations will lead to enhanced information security compliance and performance in a public cloud environment.

Compliance includes legal, regulatory, and contractual security compliance; compliance with internal policies, guidelines, standards, and procedures; and technical compliance checking. All compliance and performance checking is dependent on a comprehensive measurement and management reporting system covering each area of compliance, as well as the information security program’s effectiveness in meeting goals, objectives, and requirements. Compliance and performance measurement and reporting will require detailed specification in the SLAs and contracts with the cloud service provider covering each service model allowed in the agreements.

In the case of private or community cloud service providers, there will be a greater level of trust, understanding, and flexibility in the agreement negotiations because of the shared mission goals and common legal and regulatory compliance requirements between the cloud provider and the cloud consumer. Based on the cloud service risk profiles; strategic planning of the cloud service; and CCE-specific policies, guidelines, standards, and procedures defined in the Plan phase, federal agency cloud consumers can determine their minimum information security requirements and controls for each level of cloud service and drive the SLA and contract negotiations to a satisfactory agreement. SLAs and contracts must minimize security risks; enable effective monitoring and measuring of all legal, regulatory, and contractual security requirements (by either the service provider or the cloud consumer); and clearly define accountability for legal liability related to an information security breach in the cloud.

Measurement and monitoring reports should be presented in periodic management reviews of the overall information security program to the information security governance body, along with recommendations for corrective and preventive actions.

Managing and Improving the Information Security Program (ACT)

Participation by management representing all agency stakeholder organizations is essential to the effective management and oversight of any information security management system. The process and the governance bodies that execute it form the governance program and represent the Act phase of the continuous improvement model.

Management Oversight Process

An information security governance body conducts the functions of the management oversight process. This body consists of senior leadership and representatives from each functional area of the organization to—
• Ensure ongoing management involvement in program direction and priorities
• Establish enterprise information security governance
• Ensure the information security program supports mission goals and objectives
• Reinforce the importance of information security throughout the organization
• Oversee risk management to balance mission goals and information security costs
• Track and optimize information security resource allocation
• Authorize improvements to the information security program on a continuing basis.
These management oversight objectives are valid regardless of the information security operating environments deployed. However, the governance body will need to actively participate in the review, authorization, and communication of all information security plans, policies and supporting documentation, risks, and compliance issues related to the use of cloud-based services. Therefore, the governance body will need to include or consult with cloud computing information technology and information security subject matter experts. The group should also include or consult with agency counsel to ensure a complete understanding and inclusion of legal and liability issues specific to a CCE and to verify sufficient coverage of all issues in the negotiated SLAs and contracts for cloud-based services. It is imperative that management sponsors and monitors the effectiveness of cloud-specific awareness, training and communication, and outreach programs to ensure broad awareness of agency policy and guidelines by all responsible users. Finally, management must be vigilant in its review of compliance and monitoring of cloud services and must drive continuous improvement in the overall information security program, including all cloud-based services.

Representative CCE-Related Artifacts of the Check and Act Phases

The four management processes of the Check and Act phases of the information security management and governance framework will result in several documents and reports to inform and guide users in the effective and appropriate use of cloud computing services and to report on the compliance and performance of cloud-based systems. Some specific examples are included in each process description, but Exhibit 8 summarizes artifacts that are typical outputs of the governance model and that are likely to have specific references to operating in a CCE. In some cases, the cloud provider may be partially or completely responsible for these artifacts, depending on the final agreements between the cloud consumer and the cloud provider.

Exhibit 8 | Act Phase Artifacts

Management Process | Example Artifact | Contract/SLA Implications
Awareness & Training; Communication & Outreach | • User Security Awareness | • Provider Participation?
Awareness & Training; Communication & Outreach | – CCE Policy | – Yes
Awareness & Training; Communication & Outreach | – CCE Authorization | – No
Awareness & Training; Communication & Outreach | – CCE Guidelines/Standards | – Sometimes
Awareness & Training; Communication & Outreach | – CCE Procedures | – Sometimes
Awareness & Training; Communication & Outreach | • CCE Security Technical Training | – No
Awareness & Training; Communication & Outreach | • Awareness Tests & Records | – No
Compliance & Performance Management | • Compliance/Performance Measures | • Terms & Conditions
Compliance & Performance Management | • Legal, Regulatory Compliance | • Roles, Responsibilities
Compliance & Performance Management | • Policy Portfolio Compliance | • Roles, Responsibilities
Compliance & Performance Management | • Privacy Compliance | • Roles, Responsibilities
Compliance & Performance Management | • Technical Compliance | • Roles, Responsibilities
Compliance & Performance Management | • Log Monitoring Reports | • Roles, Responsibilities
Compliance & Performance Management | • Incident Management Reporting | • Roles, Responsibilities
Compliance & Performance Management | • Internal Compliance Audits | • Terms, Responsibilities
Compliance & Performance Management | • Performance Measurement Reports | • Terms, Responsibilities
Compliance & Performance Management | • Technical Controls Testing | • Terms, Responsibilities
Compliance & Performance Management | • SLA Reporting | • Terms & Conditions
Compliance & Performance Management | • Recommended Improvement Plans | • Negotiation
Risk Management | • CCE Management Review Reports | • None
Risk Management | • Authorized Improvement Plans | • Negotiation
Source: Booz Allen Hamilton

Summary and Conclusions

Cloud computing takes advantage of economies of scale to offer compelling cost benefits to federal agencies for information services performed in support of their mission. Migration of agency information assets and systems to a CCE can also provide impressive benefits related to deployment flexibility and service on demand and can enable capabilities not feasible in many enterprise computing environments, such as massive data analysis and intelligence analysis.7 However, the nature of cloud deployment and service models presents new information security risks and introduces complications to compliance with legal, regulatory, and contractual security requirements for cloud consumers. Some complications have serious legal liability implications.

Key to the successful adoption and transition of information systems to a CCE is the implementation/modification of a strategic proactive information security management and governance framework. At Booz Allen, we have developed a framework that we have successfully implemented in several commercial and federal government client environments. Our model consists of a set of management processes that interact in a Plan, Do, Check, Act cycle of continuous improvement to effectively manage and govern enterprise information security. The management processes of the governance model require some modifications to the major steps in their execution to effectively manage the risk and compliance issues inherent in a CCE.

Information security governance is a critical component of a successful transition to the cloud. An organization’s mission and risk profile must drive the implementation of the management processes described in this paper, as well as the artifacts they produce. It is also vital to treat the management processes as integrated components of a larger information security governance framework rather than as individual silos. Using this framework to guide the transition to and ongoing operations in the CCE will ultimately enable an organization to maximize its benefits in the cloud while sensibly and cost-effectively addressing the cloud’s inherent risks.

7 Massive Data Analytics and the Cloud—A Revolution in Intelligence Analysis, Drew Cohen and Joshua D. Sullivan, 2009.

Glossary of Acronyms

C&A – Certification and Accreditation
C3F – Booz Allen’s Cloud Computing User Transition Framework
CCE – Cloud Computing Environment
CIO – Chief Information Officer
CISO – Chief Information Security Officer
DISA – Defense Information Systems Agency, part of the Department of Defense
IaaS – Infrastructure as a Service
NIST – National Institute of Standards and Technology. NIST guidelines on information security are officially standard practice for federal information technology and are codified in information security regulations
PaaS – Platform as a Service
RACE – Rapid Access Computing Environment. This refers to a working prototype cloud developed by DISA. As of this writing, it is being used for open-source software development, and many additional functions are in the works
SaaS – Software as a Service
SLA – Service-Level Agreement. In this case, this refers to a contract between the cloud computing provider and client(s)
SP – Special Publication
Glossary of Terms

Cloud – The “cloud” consists of computing resources (software, operating platform, memory, and processors) that are abstracted from the user by some form of virtualization and (often) physical separation between the user and the infrastructure on which the services are supported. “Cloud computing” means the use of a cloud for IT functions.

Cloud Infrastructure as a Service (IaaS) – The capability provided to the consumer is to provision processing, storage, networks, and other fundamental computing resources where the consumer is able to deploy and run arbitrary software, which can include operating systems and applications. The consumer does not manage or control the underlying cloud infrastructure but has control over operating systems, storage, deployed applications, and possibly limited control of select networking components (e.g., host firewalls).

Cloud Platform as a Service (PaaS) – The capability provided to the consumer is to deploy onto the cloud infrastructure consumer-created or acquired applications created using programming languages and tools supported by the provider. The consumer does not manage or control the underlying cloud infrastructure including network, servers, operating systems, or storage, but has control over the deployed applications and possibly application hosting environment configurations.

Cloud Software as a Service (SaaS) – The capability provided to the consumer is to use the provider’s applications running on a cloud infrastructure. The applications are accessible from various client devices through a thin client interface such as a web browser (e.g., web-based email). The consumer does not manage or control the underlying cloud infrastructure including network, servers, operating systems, storage, or even individual application capabilities, with the possible exception of limited user-specific application configuration settings.

Community Cloud – The cloud infrastructure is shared by several organizations and supports a specific community that has shared concerns (e.g., mission, security requirements, policy, and compliance considerations). It may be managed by the organizations or a third party and may exist on premise or off premise.

Hybrid Cloud – The cloud infrastructure is a composition of two or more clouds (private, community, or public) that remain unique entities but are bound together by standardized or proprietary technology that enables data and application portability (e.g., cloud bursting for load-balancing between clouds).

Multi-tenancy – Property of a cloud environment used by multiple customers (“tenants”). Contrast with the “single-tenancy” private cloud, which is used by only one customer.

Private Cloud – The cloud infrastructure is operated solely for an organization. It may be managed by the organization or a third party and may exist on premise or off premise.

Public Cloud – The cloud infrastructure is made available to the general public or a large industry group and is owned by an organization selling cloud services.

Service Model – Refers to the ownership of the cloud infrastructure. See the Introduction for descriptions of different service models.
About Booz Allen

Booz Allen Hamilton has been at the forefront of strategy and technology consulting for 95 years. Every day, government agencies, institutions, corporations, and not-for-profit organizations rely on the firm’s expertise and objectivity, and on the combined capabilities and dedication of our exceptional people to find solutions and seize opportunities. We combine a consultant’s unique problem-solving orientation with deep technical knowledge and strong execution to help clients achieve success in their most critical missions. Providing a broad range of services in strategy, operations, organization and change, information technology, systems engineering, and program management, Booz Allen is committed to delivering results that endure.

With more than 22,000 people and $4.5 billion in annual revenue, Booz Allen is continually recognized for its quality work and corporate culture. In 2009, for the fifth consecutive year, Fortune magazine named Booz Allen one of “The 100 Best Companies to Work For,” and Working Mother magazine has ranked the firm among its “100 Best Companies for Working Mothers” annually since 1999.

Contact Information:
Jamie Miller, Associate, miller_jamie@bah.com, 703/377-1274
Larry Candler, Associate, candler_larry@bah.com, 703/377-4534
Hannah Wald, Consultant, wald_hannah@bah.com, 703/377-6646

To learn more about the firm and to download digital versions of this article and other Booz Allen Hamilton publications, visit www.boozallen.com.