Information Security Governance


Government considerations for the cloud computing environment


by
Jamie Miller, miller_jamie@bah.com
Larry Candler, candler_larry@bah.com
Hannah
Table of Contents

Introduction ... 1
Public Clouds ... 2
Private Clouds ... 2
Community Clouds ... 3
Hybrid Clouds ... 4
Information Security Management and Governance Framework ... 4
Architecting and Establishing the Information Security Program (PLAN) ... 5
Representative CCE-Related Artifacts of the Plan Phase ... 9
Implementing and Operating the Information Security Program (DO) ... 9
Monitoring and Measuring the Information Security Program (CHECK) ... 10
Managing and Improving the Information Security Program (ACT) ... 11
Representative CCE-Related Artifacts of the Check and Act Phases ... 12
Summary and Conclusions ... 13
Glossary of Acronyms ... 13
Glossary of Terms ... 14
About Booz Allen ... 16
Principal Offices ... 17
  3. 3. Information Security Governance Government Considerations for the Cloud Computing Environment Introduction “Cloud computing is a model for enabling convenient, Outcomes of Effective Information on-demand network access to a shared pool of configurable Security Governance in a CCE computing resources (e.g., networks, servers, storage, • Strategic Alignment—Information security applications, and services) that can be rapidly provisioned practices aligned with the agency’s and released with minimal management effort or service enterprise strategy and agreed-upon risk provider interaction.” 1 profile Moving information assets to a cloud computing • Value Delivery—A standard set of environment (CCE) offers the cloud user the potential information to effectively manage and for reduced costs, on-demand self-service, ubiquitous monitor cloud provider security controls network access, location-independent resource pooling, rapid elasticity, and measured service. CCEs • Risk Management—An understanding of are offered in a variety of deployment and service accepted risk exposure models, as this paper describes, each with its own • Performance Measurement—A characteristics for cost/benefit, efficiency, flexibility, measurement process with feedback on risk, and cloud consumer control. Although the progress made potential cost savings and flexibility advantages of operating in the cloud are compelling, cloud users need to understand the security risks, compliance complications, and potential legal issues inherent in the CCE. Federal agencies desiring to take advantage relevant to that framework to help inform agency of cloud computing benefits will need to invest in leaders, information security professionals, and proactive and strategic management of the new information security governance participants on how environment. 
To do so, they must implement or to take advantage of the benefits of the CCE without modify information security management systems and exposing their mission to excessive information governance programs to mitigate security risks and security risk or potential legal and regulatory comply with their legal, regulatory, and contractual compliance failures. security requirements. Information security governance is the mechanism As with the adoption of other new technologies and through which organizations can ensure effective service offerings, transition to the CCE will likely be management of information security. Booz Allen evolutionary, not revolutionary. Many organizations, Hamilton developed the information security particularly federal agencies, will migrate some management and governance framework presented capabilities to the cloud while maintaining existing in this paper. We have also customized it for—and computing environments for other capabilities, thus implemented it in—several government and commercial operating in a hybrid mode for the foreseeable future.2 client environments. The focus of this paper is the The goal of this paper is to present an information adaptation of our information security governance security governance framework and key considerations model for federal government entities planning to 1Please see 2Cloud Computing User Transition Framework (C3F), Booz Allen Hamilton, 2009.1
  4. 4. become users of cloud computing services. Potential cloud consumers from effectively measuring orcloud service providers to the Government will require demonstrating compliance with any kind of securitya somewhat different adaptation of the information requirements. In the future, providers of public servicessecurity management and governance framework, but will probably adapt their offerings and increase thethis will be the topic of a separate white paper. flexibility of SLAs and contracts to better accommodate the unique legal, regulatory, and contractualBefore we present our proposed information security information security compliance requirements ofgovernance framework, it is first necessary to review the federal government environment. Some positivethe challenges and risks associated with each of the signs of movement in this direction are beginningfour existing cloud computing deployment models. To to appear in the market, as evidenced by Amazon’sthat effect, we offer a high-level description of each recent introduction of optional “virtual private cloud”deployment model, including graphical depictions. services that combine the outsourcing advantages of public clouds with increased customer visibility, control,Public Clouds and service tailoring. Organizations should limit publicThe most common type of CCE is the public cloud. In cloud deployment to public information and systemsthis construct, the cloud infrastructure is owned and with acceptable risk profiles and no legal or regulatoryoperated by an organization that provides services to security requirements until service providers adapt tomultiple enterprises and individuals on a utility basis meet the user community’s security, compliance, and(consumers are often referred to as “tenants”) (see liability needs.4Exhibit 1). 
Public clouds present the highest securityrisk to federal agency cloud consumers because of thelack of direct control over information security control Private Clouds In sharp contrast to the public cloud is the privateimplementation and monitoring, global multi-tenancy CCE. In the private cloud, the cloud infrastructure iswith other users, virtualization and data location owned/leased and operated by a single organizationmanagement, limited service-level agreement (SLA) solely for the user community of that organization (seeflexibility, contractual liability limitations, and the Exhibit 2). An example in the Federal Government is anlack of common legal and regulatory environments agency-wide cloud that offers services to all entitiesbetween cloud providers and cloud consumers.3 Lack within that agency. Cost efficiencies and economiesof visibility compounds these issues and prevents of scale are likely to be more limited in private cloudsExhibit 1 | Public Cloud Illustration Many, Many Organizations e.g. Google Internet Microsoft Amazon Core Network Public CloudsSource: Booz Allen Hamilton3This specific issue is addressed in depth by the Booz Allen Cloud Computing White 4Cloud Computing Security Report, Security Considerations for Public Cloud ServicePaper, June 2, 2008, and Booz Allen’s Cloud Computing Basics: Cloud Computing 101 Acquisition, Booz Allen Hamilton, August 2009.(White Paper). 2
  5. 5. Exhibit 2 | Private Cloud Illustration Organization’s Private Network Internet Core Network Private Cloud Source: Booz Allen Hamilton than public clouds, but information security risk and independent service provider with experience in governance issues are minimized largely because of the community and knowledge of the specific user the shared mission goals and legal/regulatory security community’s characteristics. Two examples in the requirements between the cloud service provider and Federal Government are the Defense Information the cloud consumers. Systems Agency (DISA) Rapid Access Computing Environment (RACE) and the National Aeronautics and Community Clouds Space Administration’s (NASA) Nebula (both are still in In a community CCE, multiple tenant organizations with the early stages of development). Community clouds many common characteristics (e.g., mission goals, represent a lower information security risk profile legal and regulatory security requirements, compliance than a public cloud environment and fewer legal and considerations) share the cloud infrastructure, thus regulatory compliance issues, but they carry certain forming a “community” (see Exhibit 3). The cloud risks associated with multi-tenancy. owner may be a member of the community or an Exhibit 3 | Community Cloud Illustration Internet Organization #1 Private Network Organization #2 Private Network Community Cloud Source: Booz Allen Hamilton3
  6. 6. Hybrid Clouds Information Security Management andHybrid CCEs represent a combination of two or Governance Frameworkmore cloud deployment models (e.g., two public Booz Allen developed the information securityclouds, one public and one community cloud) that management and governance framework and hasremain unique entities but are bound together by customized and deployed it in a variety of clientstandardized or proprietary technology that enables environments. This framework is a system ofdata and application portability throughout the hybrid management and functional processes implementedenvironment (see Exhibit 4). As a result, hybrid clouds in a standard quality management (or Plan, Do, Check,present a combination of the information security risks Act) cycle of continuous improvement. The frameworkand governance challenges inherent in the deployment is based on evolving international standards5 andmodels they combine. A combination of private and planned evolution of the National Institute of Standardscommunity clouds represents the lowest risk; a and Technology (NIST) Risk Management Framework.6combination of multiple public cloud environments Seven management processes—strategy and planning,presents the greatest information security risks and policy portfolio management, risk management,challenges to legal and regulatory compliance. awareness and training, communication and outreach, compliance and performance management, andEach CCE presents a different profile of benefits and management oversight—comprise this framework andrisks that organizations should carefully consider support the functional processes of the Do phase (seebefore cloud adoption. Organizations should use a Exhibit 5).suitable framework that helps them address risksand ensures their requirements are met. 
Although Although the purpose of each of the seven frameworkthe information security management and governance processes will not change when applied to a CCE,model we describe in the next section can be adapted many of the process considerations and requiredto any of the cloud computing deployment models, we actions will need to be modified to effectively plan,focus our discussion primarily on information security manage, and govern information security in a CCE.governance within the community cloud environment In all cases, it will be necessary to clarify specificbecause we believe the community CCE is the most roles, responsibilities, and accountability for eachlikely near-term adoption and migration strategy for major process step. Some steps may be points forfederal government agencies.Exhibit 4 | Hybrid Cloud Illustration Organization’s Private Network “Spill Over” Internet Capacity as Needed Core Network Private Cloud Public or Community CloudSource: Booz Allen Hamilton5ISO/IEC 27001 Information Technology – Security Techniques – Information SecurityManagement Systems – Requirements.6NIST SP 800-39 Managing Risk from Information Systems. 4
  7. 7. Exhibit 5 | Information Security Governance Framework Architect and Establish (Plan) Implement and Operate (Do) Monitor and Review (Check, Act) Management Processes Functional Processes Management Processes Strategy and Human Communications Asset Planning Management Resources and Outreach Security Physical and Comms and Environmental Operations Security Management Compliance and Policy Portfolio Performance Management Identity and Information Management Access Systems Management Acquisition Incident Business Risk Management Continuity Awareness and Management Management Training Management Oversight Source: Booz Allen Hamilton negotiation with prospective cloud service providers for These processes comprise the Plan phase of the inclusion in SLAs and contracts. continual improvement process. Our assumption in the following discussion is that Strategy and Planning Process management and governance processes are primarily Strategy and planning are essential to an effective the responsibility of a centralized information security information security management and governance function (such as the office of the Chief Information program. The primary purposes of the strategy and Security Officer [CISO]) for an agency or large planning process are to— government entity, with considerable participation by information technology management (such as the • Establish information security program direction office of the Chief Information Officer [CIO]). This and guide activities centralized security and technology group would • Ensure alignment of the information security perform the cloud provider acquisition function program with mission goals and objectives and manage the service provider relationship over the duration of the agreement. This group would • Define the information security program vision, also provide the information, policy, and guidelines goals, requirements, and scope necessary for users to follow when implementing cloud computing-based services. 
Architect and Establish (Plan) Implement and Operate (Do) Monitor and Review (Check, Act) Management Processes Functional Processes Management Processes Architecting and Establishing the Strategy and Planning Asset Human Communications and Outreach Information Security Program (PLAN) Management Resources Security Physical and Comms and Environmental Operations Designing and planning for an effective information Policy Portfolio Security Management Compliance and Performance Management Identity and Information Management security governance structure occurs through three Access Management Systems Acquisition major management processes: strategy and planning, Incident Business Risk Management Continuity Awareness and Management Management Training policy portfolio management, and risk management. Management Oversight5
  8. 8. • Ensure consistency with the enterprise information Policy Portfolio Management Process security architecture Architect and Establish (Plan) Implement and Operate (Do) Monitor and Review (Check, Act)• Proactively plan activities to achieve goals and Management Processes Functional Processes Management Processes meet requirements Strategy and Planning Asset Management Human Resources Security Communications and Outreach Physical and Comms and• Determine the operating model to enable Environmental Operations Security Management Compliance and Policy Portfolio Performance Management Identity and Information Management enterprise program efficiency. Access Management Systems Acquisition Incident Business Risk Continuity Awareness andThe process is performed in collaboration with the Management Management Management Trainingrisk management and policy portfolio management Management Oversightprocesses to ensure plans effectively communicatemanagement intent, clearly define roles and The major purposes of the security policy portfolioresponsibilities, sufficiently identify and address management process are to—information security risks, and provide management • Define and communicate managementclear choices for resource allocation and optimization. 
expectations of information securityThe activities of the strategy and planning process • Translate goals and requirements into actionablewill not change significantly to accommodate the mandatesuse of cloud computing services, but additionalknowledge and understanding of the information • Establish clearly defined roles and responsibilitiessecurity risks and issues related to compliance and for information securityperformance management in varying cloud computing • Inform compliance measurementdeployment and service models will be required.The major impact of the CCE on the strategy and • Facilitate efficient and consistent implementationsplanning process will be the development of CCE- with supporting standards, guidelines, andbased cost/benefit analyses that include the cost procedures.of effective governance to manage risk and ensure These purposes will not materially change whenlegal, regulatory, and contractual compliance. In applied to a CCE. However, the policy portfolio willconjunction with the risk management process, the require additional policies, guidelines, standards, andstrategy and planning process will define information procedures to effectively communicate and governsecurity implementations that are allowable for each information security in a CCE. An overall policy oncloud computing service model (refer to the Risk rules governing agency acquisition and use of cloudManagement Process section) based on the relative computing services will be needed to communicaterisk rating of the information and systems migrating agency leadership intentions for the safe use ofto the cloud (e.g., cloud services allowed by system cloud computing, as well as the authorization processcategorization). In addition, the process will clarify required to initiate such use. 
Agencies will also needroles, responsibilities, and accountability for baseline to document guidelines for the appropriate evaluationinformation security capabilities in each environment and acquisition of cloud computing service providers,allowed. The planning process will also determine along with environments that meet information andthe cloud service provider contractual requirements system risk and compliance requirements. Also, theand negotiations and will include the long-term policy portfolio management process (in coordinationmanagement of the provider relationship. with the strategy and planning and risk management processes [Plan phase] and with the approval and authority of the management oversight process [Act 6
  9. 9. phase]) will need to provide guidance on the minimum Architect and Establish (Plan) Implement and Operate (Do) Monitor and Review (Check, Act) information security and compliance management Management Processes Functional Processes Management Processes requirements to be included in SLAs and contracts with Strategy and Planning Asset Management Human Resources Security Communications and Outreach prospective cloud service providers. Physical and Environmental Comms and Operations Management Security Compliance and Policy Portfolio Performance Management Identity and Information Management A review of all agency security policies must occur to Access Management Systems Acquisition determine the changes required to ensure effective Risk Management Incident Management Business Continuity Management Awareness and Training governance in a cloud environment. Each policy should be tailored to reflect the unique cloud deployment Management Oversight model and account for the information and information systems authorized for cloud migration. Additional policy • Enable better optimization of security expenditures, and supporting guidance, standards, and procedures resources, and activities will be necessary to effectively manage the functional • Inform security priorities and planning control processes when operating in a CCE (e.g., configuration and change management guidelines, • Provide the basis for measuring information incident management, chain of evidence and e-discovery, security program efficiency and effectiveness. mission continuity of cloud services, the monitoring Risk management methodologies will require and reporting of cloud service compliance, system and modification to effectively consider, treat, or accept data life-cycle assurance, and compliance testing and the risks inherent in migrating agency information assurance of cloud-based services). Guidelines may also and systems to a CCE. 
For practical reasons, we limit be developed to specify mandatory and recommended our discussion to the use of private, community, or tools for use in the monitoring and evaluation of cloud a hybrid of both CCEs as the most likely evolution of service compliance and performance (e.g., certification federal agency CCE transition. As noted earlier, until and accreditation [C&A] tools, technical compliance tools the providers of public cloud services make significant such as Layer7). Policy decisions regarding each of the changes to their current offerings and SLAs, the use functional control processes must account for the level of of those services by the Federal Government will control each organization is willing to transfer to the cloud need to be limited to public information and systems provider while ensuring the goals and requirements of the with minimal risk and no legal or regulatory security information security program are met. requirements. Risk Management Process Limiting our discussion to the use of private, The risk management process will require modification community, or combined hybrid cloud services will and significant additional variable considerations to still require the consideration and inclusion of securely migrate agency services to a CCE. The primary additional risk factors related to the relative degrees purposes of the risk management process include— of agency control over the service models adopted. The risk methodology will also need to determine risk • Enable information asset-based protection and mitigations and the residual risks of each service mitigation planning model for the hierarchy of risk profiles associated • Enhance the organization’s ability to select and with agency information assets and systems. 
For apply protection based on the specific risks and example, agencies will need to modify their current threats affecting an asset risk calculations that focus on system categorization, privacy, and regulation to appropriately assess changes • Ensure consistent information security risk to the risks of these systems when migrating to a CCE assessment methodologies are used throughout utilizing one or more of the three cloud service models. the organization7
  10. 10. Exhibit 6 summarizes the models and their relative and SaaS builds on both IaaS and PaaS, resultingrisk. These example risk ratings may be modified to fit in an increasing assumption of control by the cloudwith agency-specific risk assessment methodologies, provider and therefore greater security risk to the cloudbut in general they are consistent with the degree consumer).of direct agency control represented by each service New risk analysis methodologies should be closelymodel. Each cloud service model can be assessed as monitored during the compliance and performancean information service asset with unique risk ratings management process (Check phase) and modifiedand resultant control selection for risk mitigation (e.g., as necessary to reduce overall information securitycontract terms, SLA content, compliance, monitoring risk over time. In all cases, the modified risk analysistools). methodologies and resulting risk rankings must beThe relative risk ratings increase as the cloud reviewed during the management oversight processconsumer moves from IaaS to PaaS and finally to (Act phase) to ensure management participation,SaaS. The service models build on one another, risk awareness, review, and acceptance of both riskresulting in cumulative risk as the cloud provider treatment options and resultant residual risks.assumes more direct control (i.e., PaaS builds on IaaS,Exhibit 6 | Service Model Risk Characteristics Service Model Risk Characteristics Relative Additional Risk The capability provided to the cloud consumer is to rent processing, storage, networks, and other fundamental computing resources and Infrastructure to deploy and run arbitrary software, which can include operating as a service systems and applications. 
The consumer does not manage or control Medium (IaaS) the underlying cloud infrastructure but has control over operating systems, storage, deployed applications, and possibly select networking components (e.g., firewalls, load balancers). The capability provided to the consumer is to deploy consumer- created applications onto the cloud infrastructure using programming Platform as a languages and tools supported by the provider (e.g., Java, Python, Service (PaaS) .Net). The consumer does not manage or control the underlying cloud High infrastructure, network, servers, operating systems, or storage, but the consumer has control over the deployed applications and possibly application hosting environment configurations. The capability provided to the consumer is to use the provider’s applications running on a cloud infrastructure and accessible from various client devices through a thin client interface, such as a web Software as a browser (e.g., web-based e-mail). The consumer does not manage or Very High Service (SaaS) control the underlying cloud infrastructure, network, servers, operating systems, storage, or individual application capabilities, with the possible exception of limited user-specific application configuration settings.Source: Booz Allen Hamilton 8
  11. 11. Representative CCE-Related Artifacts of the Implementing and Operating the Information Plan Phase Security Program (DO) The three management processes of the information Because this paper focuses on information security security governance framework’s Plan phase will governance, we will not discuss in detail the functional produce several documents to inform and guide users processes that constitute the Do phase of the in the effective and appropriate use of cloud computing Plan, Do, Check, Act cycle. The implementation and services. Some specific examples are included in operation of information security controls contained each process description, but Exhibit 7 summarizes in each of the functional process areas will vary artifacts that are typical outputs of the governance Architect and Establish (Plan) Implement and Operate (Do) Monitor and Review (Check, Act) model and that will likely have specific references to Management Processes Functional Processes Management Processes operating in a CCE. In some cases, the cloud provider Strategy and Planning Asset Human Communications and Outreach Management Resources may be partially or completely responsible for these Security Physical and Comms and Environmental Operations artifacts, depending on the final agreements between Policy Portfolio Security Management Compliance and Performance Management Identity and Information Management the cloud consumer and the cloud provider. 
Access Management Systems Acquisition Incident Business Risk Management Continuity Awareness and Management Management Training Management Oversight Exhibit 7 | Plan Phase Artifacts Management Example Artifact Contract/SLA Implications Process • Security Strategic Plan • Goal Performance • Consolidated Security Requirements • Requirements Compliance • Organization Model Modifications • Relationship Management Strategy & • Roles & Responsibilities Charts • Consumer/Provider Planning • CCE Implementation Plans • None • Budget & Resource Requirements • None • CCE Contract & SLA • Terms & Conditions • CCE Security Policy • Terms & Conditions • CCE Acquisition Policy • Terms & Conditions • CCE Authorization Procedure • None Policy Portfolio • CCE Standards/Guidelines • None Management • CCE Monitoring/Compliance Tools • Terms & Conditions • CCE Configuration Guidelines • Technical Compliance • CCE-Specific Processes • Terms & Conditions • Risk Management Procedure • None • Risk Methodology Modifications • None • Service Model Risks • None Risk • Risk Assessment Reports • None Management • CCE Controls & Risk Treatments • Terms/Responsibilities • Systems/Assets Allowed in CCE • None Source: Booz Allen Hamilton9
significantly depending on CCE deployment and the service models employed. However, other Booz Allen papers address the implementation and operation of information security functional processes and controls, and this topic is not essential to discussions related to the effective management and governance of information security in a cloud environment.

Monitoring and Measuring the Information Security Program (CHECK)
Three management processes are included in the Check phase of the information security management and governance framework: awareness and training, communication and outreach, and compliance and performance management. Of these three, the compliance and performance management process represents the area with the most significant issues for consideration when migrating services to a CCE.

[Framework diagram: Architect and Establish (Plan), Implement and Operate (Do), and Monitor and Review (Check, Act) management and functional processes]

Awareness and Training and Communication and Outreach Processes
The major purposes of these management processes are complementary and similar. The purposes include—
• Consistently communicate the importance of information security throughout the organization
• Educate staff on required actions related to changes in regulatory, legislative, and other mandates
• Broaden and deepen the security awareness of the organization
• Enhance compliance through better understanding and knowledge
• Clarify roles and responsibilities
• Drive the ongoing competency of information security staff.

Execution of these important management processes will not vary as a result of the introduction of a CCE. However, the processes will need to include formal awareness, training, communication, and outreach to inform all relevant agency users of the new policies, guidelines, standards, procedures, risks, and compliance issues related to the migration of information services to a CCE.

Compliance and Performance Management Process
Compliance and performance management is the key process in the Check phase of the framework. The primary purposes of the process include—
• Create regular measurement and reporting of progress and issues
• Inform and prioritize program improvements
• Record progress toward achieving strategic goals and compliance with requirements
• Drive continuous improvement of the information security program
• Minimize potential for recurrence of systemic issues
• Optimize consistency and efficiency of security implementations
• Inform modifications to risk analyses and risk mitigations
• Measure and report on compliance with legal, regulatory, and contractual requirements; internal policies; and technical guidelines and standards.

The purposes of the compliance and performance management process remain unchanged in a CCE, but the execution of the process will require significant modification to effectively monitor and measure compliance and performance in the cloud. Focusing again on agency use of private clouds, community clouds, or hybrid combinations will lead to enhanced information security compliance and performance compared with a public cloud environment.

Compliance includes legal, regulatory, and contractual security compliance; compliance with internal policies, guidelines, standards, and procedures; and technical compliance checking. All compliance and performance checking is dependent on a comprehensive measurement and management reporting system covering each area of compliance, as well as the information security program's effectiveness in meeting goals, objectives, and requirements. Compliance and performance measurement and reporting will require detailed specification in the SLAs and contracts with the cloud service provider covering each service model allowed in the agreements.

In the case of private or community cloud service providers, there will be a greater level of trust, understanding, and flexibility in the agreement negotiations because of the shared mission goals and common legal and regulatory compliance requirements between the cloud provider and the cloud consumer. Based on the cloud service risk profiles; strategic planning of the cloud service; and CCE-specific policies, guidelines, standards, and procedures defined in the Plan phase, federal agency cloud consumers can determine their minimum information security requirements and controls for each level of cloud service and drive the SLA and contract negotiations to a satisfactory agreement. SLAs and contracts must minimize security risks; enable effective monitoring and measuring of all legal, regulatory, and contractual security requirements (by either the service provider or the cloud consumer); and clearly define accountability for legal liability related to an information security breach in the cloud.

Measurement and monitoring reports should be presented in periodic management reviews of the overall information security program to the information security governance body, along with recommendations for corrective and preventive actions.

Managing and Improving the Information Security Program (ACT)
Participation by management representing all agency stakeholder organizations is essential to the effective management and oversight of any information security management system. The process and the governance bodies that execute it form the governance program and represent the Act phase of the continuous improvement model.

Management Oversight Process
An information security governance body conducts the functions of the management oversight process. This body consists of senior leadership and representatives from each functional area of the organization to—
• Ensure ongoing management involvement in program direction and priorities
• Establish enterprise information security governance
• Ensure the information security program supports mission goals and objectives
• Reinforce the importance of information security throughout the organization
• Oversee risk management to balance mission goals and information security costs
• Track and optimize information security resource allocation
• Authorize improvements to the information security program on a continuing basis.
These management oversight objectives are valid regardless of the information security operating environments deployed. However, the governance body will need to actively participate in the review, authorization, and communication of all information security plans, policies and supporting documentation, risks, and compliance issues related to the use of cloud-based services. Therefore, the governance body will need to include or consult with cloud computing information technology and information security subject matter experts. The group should also include or consult with agency counsel to ensure a complete understanding and inclusion of legal and liability issues specific to a CCE and to verify sufficient coverage of all issues in the negotiated SLAs and contracts for cloud-based services. It is imperative that management sponsors and monitors the effectiveness of cloud-specific awareness, training and communication, and outreach programs to ensure broad awareness of agency policy and guidelines by all responsible users. Finally, management must be vigilant in its review of compliance and monitoring of cloud services and must drive continuous improvement in the overall information security program, including all cloud-based services.

Representative CCE-Related Artifacts of the Check and Act Phases
The four management processes of the Check and Act phases of the information security management and governance framework will result in several documents and reports to inform and guide users in the effective and appropriate use of cloud computing services and to report on the compliance and performance of cloud-based systems. Some specific examples are included in each process description, but Exhibit 8 summarizes artifacts that are typical outputs of the governance model and that are likely to have specific references to operating in a CCE. In some cases, the cloud provider may be partially or completely responsible for these artifacts, depending on the final agreements between the cloud consumer and the cloud provider.

Exhibit 8 | Act Phase Artifacts
(Management Process; Example Artifact: Contract/SLA Implications)

Awareness & Training; Communication & Outreach
• User Security Awareness: Provider Participation?
  – CCE Policy: Yes
  – CCE Authorization: No
  – CCE Guidelines/Standards: Sometimes
  – CCE Procedures: Sometimes
• CCE Security Technical Training: No
• Awareness Tests & Records: No

Compliance & Performance Management
• Compliance/Performance Measures: Terms & Conditions
• Legal, Regulatory Compliance: Roles, Responsibilities
• Policy Portfolio Compliance: Roles, Responsibilities
• Privacy Compliance: Roles, Responsibilities
• Technical Compliance: Roles, Responsibilities
• Log Monitoring Reports: Roles, Responsibilities
• Incident Management Reporting: Roles, Responsibilities
• Internal Compliance Audits: Terms, Responsibilities
• Performance Measurement Reports: Terms, Responsibilities
• Technical Controls Testing: Terms, Responsibilities
• SLA Reporting: Terms & Conditions
• Recommended Improvement Plans: Negotiation

Management Oversight
• CCE Management Review Reports: None
• Authorized Improvement Plans: Negotiation

Source: Booz Allen Hamilton

Summary and Conclusions
Cloud computing takes advantage of economies of scale to offer compelling cost benefits to federal agencies for information services performed in support of their mission. Migration of agency information assets and systems to a CCE can also provide impressive benefits related to deployment flexibility and service on demand and can enable capabilities not feasible in many enterprise computing environments, such as massive data analysis and intelligence analysis.7 However, the nature of cloud deployment and service models presents new information security risks and introduces complications to compliance with legal, regulatory, and contractual security requirements for cloud consumers. Some complications have serious legal liability implications.

Key to the successful adoption and transition of information systems to a CCE is the implementation or modification of a strategic, proactive information security management and governance framework. At Booz Allen, we have developed a framework that we have successfully implemented in several commercial and federal government client environments. Our model consists of a set of management processes that interact in a Plan, Do, Check, Act cycle of continuous improvement to effectively manage and govern enterprise information security. The management processes of the governance model require some modifications to the major steps in their execution to effectively manage the risk and compliance issues inherent in a CCE.

Information security governance is a critical component of a successful transition to the cloud. An organization's mission and risk profile must drive the implementation of the management processes described in this paper, as well as the artifacts they produce. It is also vital to treat the management processes as integrated components of a larger information security governance framework rather than as individual silos. Using this framework to guide the transition to and ongoing operations in the CCE will ultimately enable an organization to maximize its benefits in the cloud while sensibly and cost-effectively addressing the cloud's inherent risks.

7 Massive Data Analytics and the Cloud—A Revolution in Intelligence Analysis, Drew Cohen and Joshua D. Sullivan, 2009.

Glossary of Acronyms
C&A: Certification and Accreditation
C3F: Booz Allen's Cloud Computing User Transition Framework
CCE: Cloud Computing Environment
CIO: Chief Information Officer
CISO: Chief Information Security Officer
DISA: Defense Information Systems Agency, part of the Department of Defense
IaaS: Infrastructure as a Service
NIST: National Institute of Standards and Technology. NIST guidelines on information security are officially standard practice for federal information technology and are codified in information security regulations.
PaaS: Platform as a Service
RACE: Rapid Access Computing Environment. This refers to a working prototype cloud developed by DISA. As of this writing, it is being used for open-source software development, and many additional functions are in the works.
SaaS: Software as a Service
SLA: Service-Level Agreement. In this case, this refers to a contract between the cloud computing provider and client(s).
SP: Special Publication
Glossary of Terms
Cloud: The "cloud" consists of computing resources (software, operating platform, memory, and processors) that are abstracted from the user by some form of virtualization and (often) physical separation between the user and the infrastructure on which the services are supported. "Cloud computing" means the use of a cloud for IT functions.

Cloud Infrastructure as a Service (IaaS): The capability provided to the consumer is to provision processing, storage, networks, and other fundamental computing resources where the consumer is able to deploy and run arbitrary software, which can include operating systems and applications. The consumer does not manage or control the underlying cloud infrastructure but has control over operating systems, storage, and deployed applications, and possibly limited control of select networking components (e.g., host firewalls).

Cloud Platform as a Service (PaaS): The capability provided to the consumer is to deploy onto the cloud infrastructure consumer-created or acquired applications created using programming languages and tools supported by the provider. The consumer does not manage or control the underlying cloud infrastructure, including network, servers, operating systems, or storage, but has control over the deployed applications and possibly application hosting environment configurations.

Cloud Software as a Service (SaaS): The capability provided to the consumer is to use the provider's applications running on a cloud infrastructure. The applications are accessible from various client devices through a thin client interface such as a web browser (e.g., web-based email). The consumer does not manage or control the underlying cloud infrastructure, including network, servers, operating systems, storage, or even individual application capabilities, with the possible exception of limited user-specific application configuration settings.

Community Cloud: The cloud infrastructure is shared by several organizations and supports a specific community that has shared concerns (e.g., mission, security requirements, policy, and compliance considerations). It may be managed by the organizations or a third party and may exist on premise or off premise.

Hybrid Cloud: The cloud infrastructure is a composition of two or more clouds (private, community, or public) that remain unique entities but are bound together by standardized or proprietary technology that enables data and application portability (e.g., cloud bursting for load-balancing between clouds).

Multi-tenancy: Property of a cloud environment used by multiple customers ("tenants"). Contrast with the "single-tenancy" private cloud, which is used by only one customer.

Private Cloud: The cloud infrastructure is operated solely for an organization. It may be managed by the organization or a third party and may exist on premise or off premise.

Public Cloud: The cloud infrastructure is made available to the general public or a large industry group and is owned by an organization selling cloud services.

Service Model: Refers to how much of the computing stack the provider delivers and how much the consumer controls (IaaS, PaaS, or SaaS, as defined above). The deployment model (private, community, public, or hybrid) refers instead to who owns, operates, and shares the cloud infrastructure. See the Introduction for descriptions of the different models.
About Booz Allen
Booz Allen Hamilton has been at the forefront of strategy and technology consulting for 95 years. Every day, government agencies, institutions, corporations, and not-for-profit organizations rely on the firm's expertise and objectivity, and on the combined capabilities and dedication of our exceptional people to find solutions and seize opportunities. We combine a consultant's unique problem-solving orientation with deep technical knowledge and strong execution to help clients achieve success in their most critical missions. Providing a broad range of services in strategy, operations, organization and change, information technology, systems engineering, and program management, Booz Allen is committed to delivering results that endure.

With more than 22,000 people and $4.5 billion in annual revenue, Booz Allen is continually recognized for its quality work and corporate culture. In 2009, for the fifth consecutive year, Fortune magazine named Booz Allen one of "The 100 Best Companies to Work For," and Working Mother magazine has ranked the firm among its "100 Best Companies for Working Mothers" annually since 1999.

Contact Information:
Jamie Miller, Associate, 703/377-1274
Larry Candler, Associate, 703/377-4534
Hannah Wald, Consultant, 703/377-6646

To learn more about the firm and to download digital versions of this article and other Booz Allen Hamilton publications, visit
Principal Offices
ALABAMA: Huntsville
CALIFORNIA: Los Angeles, San Diego, San Francisco
COLORADO: Colorado Springs, Denver
FLORIDA: Pensacola, Sarasota, Tampa
GEORGIA: Atlanta
HAWAII: Honolulu
ILLINOIS: O'Fallon
KANSAS: Leavenworth
MARYLAND: Aberdeen, Annapolis Junction, Lexington Park, Linthicum, Rockville
MICHIGAN: Troy
NEBRASKA: Omaha
NEW JERSEY: Eatontown
NEW YORK: Rome
OHIO: Dayton
PENNSYLVANIA: Philadelphia
SOUTH CAROLINA: Charleston
TEXAS: Houston, San Antonio
VIRGINIA: Arlington, Chantilly, Falls Church, Herndon, McLean, Norfolk, Stafford
WASHINGTON, DC

The most complete, recent list of offices and their addresses and telephone numbers can be found by clicking the "Offices" link under "About Booz Allen."

©2009 Booz Allen Hamilton Inc. 09.205.09