Information Security Governance
Government Considerations for the Cloud Computing Environment




by
Jamie Miller
miller_jamie@bah.com
Larry Candler
candler_larry@bah.com
Hannah Wald
wald_hannah@bah.com
Table of Contents

Introduction  1
Public Clouds  2
Private Clouds  2
Community Clouds  3
Hybrid Clouds  4
Information Security Management and Governance Framework  4
Architecting and Establishing the Information Security Program (PLAN)  5
Representative CCE-Related Artifacts of the Plan Phase  9
Implementing and Operating the Information Security Program (DO)  9
Monitoring and Measuring the Information Security Program (CHECK)  10
Managing and Improving the Information Security Program (ACT)  11
Representative CCE-Related Artifacts of the Check and Act Phases  12
Summary and Conclusions  13
Glossary of Acronyms  13
Glossary of Terms  14
About Booz Allen  16
Principal Offices  17

Introduction

“Cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.”¹

Moving information assets to a cloud computing environment (CCE) offers the cloud user the potential for reduced costs, on-demand self-service, ubiquitous network access, location-independent resource pooling, rapid elasticity, and measured service. CCEs are offered in a variety of deployment and service models, as this paper describes, each with its own characteristics for cost/benefit, efficiency, flexibility, risk, and cloud consumer control. Although the potential cost savings and flexibility advantages of operating in the cloud are compelling, cloud users need to understand the security risks, compliance complications, and potential legal issues inherent in the CCE. Federal agencies desiring to take advantage of cloud computing benefits will need to invest in proactive and strategic management of the new environment. To do so, they must implement or modify information security management systems and governance programs to mitigate security risks and comply with their legal, regulatory, and contractual security requirements.

As with the adoption of other new technologies and service offerings, transition to the CCE will likely be evolutionary, not revolutionary. Many organizations, particularly federal agencies, will migrate some capabilities to the cloud while maintaining existing computing environments for other capabilities, thus operating in a hybrid mode for the foreseeable future.² The goal of this paper is to present an information security governance framework and key considerations relevant to that framework to help inform agency leaders, information security professionals, and information security governance participants on how to take advantage of the benefits of the CCE without exposing their mission to excessive information security risk or potential legal and regulatory compliance failures.

Information security governance is the mechanism through which organizations can ensure effective management of information security. Booz Allen Hamilton developed the information security management and governance framework presented in this paper. We have also customized it for—and implemented it in—several government and commercial client environments. The focus of this paper is the adaptation of our information security governance model for federal government entities planning to become users of cloud computing services. Potential cloud service providers to the Government will require a somewhat different adaptation of the information security management and governance framework, but this will be the topic of a separate white paper.

Outcomes of Effective Information Security Governance in a CCE
• Strategic Alignment—Information security practices aligned with the agency’s enterprise strategy and agreed-upon risk profile
• Value Delivery—A standard set of information to effectively manage and monitor cloud provider security controls
• Risk Management—An understanding of accepted risk exposure
• Performance Measurement—A measurement process with feedback on progress made

¹ Please see http://csrc.nist.gov/groups/SNS/cloud-computing/index.html.
² Cloud Computing User Transition Framework (C3F), Booz Allen Hamilton, 2009.

Before we present our proposed information security governance framework, it is first necessary to review the challenges and risks associated with each of the four existing cloud computing deployment models. To that effect, we offer a high-level description of each deployment model, including graphical depictions.

Public Clouds

The most common type of CCE is the public cloud. In this construct, the cloud infrastructure is owned and operated by an organization that provides services to multiple enterprises and individuals on a utility basis (consumers are often referred to as “tenants”) (see Exhibit 1). Public clouds present the highest security risk to federal agency cloud consumers because of the lack of direct control over information security control implementation and monitoring, global multi-tenancy with other users, virtualization and data location management, limited service-level agreement (SLA) flexibility, contractual liability limitations, and the lack of common legal and regulatory environments between cloud providers and cloud consumers.³ Lack of visibility compounds these issues and prevents cloud consumers from effectively measuring or demonstrating compliance with any kind of security requirements. In the future, providers of public services will probably adapt their offerings and increase the flexibility of SLAs and contracts to better accommodate the unique legal, regulatory, and contractual information security compliance requirements of the federal government environment. Some positive signs of movement in this direction are beginning to appear in the market, as evidenced by Amazon’s recent introduction of optional “virtual private cloud” services that combine the outsourcing advantages of public clouds with increased customer visibility, control, and service tailoring. Organizations should limit public cloud deployment to public information and systems with acceptable risk profiles and no legal or regulatory security requirements until service providers adapt to meet the user community’s security, compliance, and liability needs.⁴

Exhibit 1 | Public Cloud Illustration
[Figure: many organizations, each with its own core network, reach public clouds (e.g., Google, Microsoft, Amazon) across the Internet.]
Source: Booz Allen Hamilton

³ This specific issue is addressed in depth by the Booz Allen Cloud Computing White Paper, June 2, 2008, and Booz Allen’s Cloud Computing Basics: Cloud Computing 101 (White Paper).
⁴ Cloud Computing Security Report, Security Considerations for Public Cloud Service Acquisition, Booz Allen Hamilton, August 2009.

Private Clouds

In sharp contrast to the public cloud is the private CCE. In the private cloud, the cloud infrastructure is owned/leased and operated by a single organization solely for the user community of that organization (see Exhibit 2). An example in the Federal Government is an agency-wide cloud that offers services to all entities within that agency. Cost efficiencies and economies of scale are likely to be more limited in private clouds than in public clouds, but information security risk and governance issues are minimized largely because of the shared mission goals and legal/regulatory security requirements between the cloud service provider and the cloud consumers.

Exhibit 2 | Private Cloud Illustration
[Figure: the organization’s private network, with its core network connected to the private cloud; the Internet sits outside the private network boundary.]
Source: Booz Allen Hamilton

Community Clouds

In a community CCE, multiple tenant organizations with many common characteristics (e.g., mission goals, legal and regulatory security requirements, compliance considerations) share the cloud infrastructure, thus forming a “community” (see Exhibit 3). The cloud owner may be a member of the community or an independent service provider with experience in the community and knowledge of the specific user community’s characteristics. Two examples in the Federal Government are the Defense Information Systems Agency (DISA) Rapid Access Computing Environment (RACE) and the National Aeronautics and Space Administration’s (NASA) Nebula (both are still in the early stages of development). Community clouds represent a lower information security risk profile than a public cloud environment and fewer legal and regulatory compliance issues, but they carry certain risks associated with multi-tenancy.

Exhibit 3 | Community Cloud Illustration
[Figure: Organization #1 Private Network and Organization #2 Private Network, each connected over the Internet to a shared Community Cloud.]
Source: Booz Allen Hamilton
Hybrid Clouds

Hybrid CCEs represent a combination of two or more cloud deployment models (e.g., two public clouds, one public and one community cloud) that remain unique entities but are bound together by standardized or proprietary technology that enables data and application portability throughout the hybrid environment (see Exhibit 4). As a result, hybrid clouds present a combination of the information security risks and governance challenges inherent in the deployment models they combine. A combination of private and community clouds represents the lowest risk; a combination of multiple public cloud environments presents the greatest information security risks and challenges to legal and regulatory compliance.

Exhibit 4 | Hybrid Cloud Illustration
[Figure: the organization’s private network and core network serve a private cloud; across the Internet, a public or community cloud supplies “spill over” capacity as needed.]
Source: Booz Allen Hamilton

Each CCE presents a different profile of benefits and risks that organizations should carefully consider before cloud adoption. Organizations should use a suitable framework that helps them address risks and ensures their requirements are met. Although the information security management and governance model we describe in the next section can be adapted to any of the cloud computing deployment models, we focus our discussion primarily on information security governance within the community cloud environment because we believe the community CCE is the most likely near-term adoption and migration strategy for federal government agencies.

Information Security Management and Governance Framework

Booz Allen developed the information security management and governance framework and has customized and deployed it in a variety of client environments. This framework is a system of management and functional processes implemented in a standard quality management (or Plan, Do, Check, Act) cycle of continuous improvement. The framework is based on evolving international standards⁵ and planned evolution of the National Institute of Standards and Technology (NIST) Risk Management Framework.⁶ Seven management processes—strategy and planning, policy portfolio management, risk management, awareness and training, communication and outreach, compliance and performance management, and management oversight—comprise this framework and support the functional processes of the Do phase (see Exhibit 5).

⁵ ISO/IEC 27001 Information Technology – Security Techniques – Information Security Management Systems – Requirements.
⁶ NIST SP 800-39 Managing Risk from Information Systems.

Exhibit 5 | Information Security Governance Framework

Architect and Establish (Plan): Management Processes
• Strategy and Planning
• Policy Portfolio Management
• Risk Management

Implement and Operate (Do): Functional Processes
• Asset Management
• Human Resources Security
• Physical and Environmental Security
• Communications and Operations Management
• Identity and Access Management
• Information Systems Acquisition
• Incident Management
• Business Continuity Management

Monitor and Review (Check, Act): Management Processes
• Communications and Outreach
• Compliance and Performance Management
• Awareness and Training

Management Oversight, shown underlying all three phases

Source: Booz Allen Hamilton

Although the purpose of each of the seven framework processes will not change when applied to a CCE, many of the process considerations and required actions will need to be modified to effectively plan, manage, and govern information security in a CCE. In all cases, it will be necessary to clarify specific roles, responsibilities, and accountability for each major process step. Some steps may be points for negotiation with prospective cloud service providers for inclusion in SLAs and contracts.

Our assumption in the following discussion is that management and governance processes are primarily the responsibility of a centralized information security function (such as the office of the Chief Information Security Officer [CISO]) for an agency or large government entity, with considerable participation by information technology management (such as the office of the Chief Information Officer [CIO]). This centralized security and technology group would perform the cloud provider acquisition function and manage the service provider relationship over the duration of the agreement. This group would also provide the information, policy, and guidelines necessary for users to follow when implementing cloud computing-based services.

Architecting and Establishing the Information Security Program (PLAN)

Designing and planning for an effective information security governance structure occurs through three major management processes: strategy and planning, policy portfolio management, and risk management. These processes comprise the Plan phase of the continual improvement process.

Strategy and Planning Process

Strategy and planning are essential to an effective information security management and governance program. The primary purposes of the strategy and planning process are to—
• Establish information security program direction and guide activities
• Ensure alignment of the information security program with mission goals and objectives
• Define the information security program vision, goals, requirements, and scope
• Ensure consistency with the enterprise information security architecture
• Proactively plan activities to achieve goals and meet requirements
• Determine the operating model to enable enterprise program efficiency.

The process is performed in collaboration with the risk management and policy portfolio management processes to ensure plans effectively communicate management intent, clearly define roles and responsibilities, sufficiently identify and address information security risks, and provide management clear choices for resource allocation and optimization. The activities of the strategy and planning process will not change significantly to accommodate the

Policy Portfolio Management Process

The major purposes of the security policy portfolio management process are to—
• Define and communicate management expectations of information security
• Translate goals and requirements into actionable
                                                              mandates
use of cloud computing services, but additional
knowledge and understanding of the information             •	 Establish clearly defined roles and responsibilities
security risks and issues related to compliance and           for information security
performance management in varying cloud computing
                                                           •	 Inform compliance measurement
deployment and service models will be required.
The major impact of the CCE on the strategy and            •	 Facilitate efficient and consistent implementations
planning process will be the development of CCE-              with supporting standards, guidelines, and
based cost/benefit analyses that include the cost             procedures.
of effective governance to manage risk and ensure
                                                           These purposes will not materially change when
legal, regulatory, and contractual compliance. In
                                                           applied to a CCE. However, the policy portfolio will
conjunction with the risk management process, the
                                                           require additional policies, guidelines, standards, and
strategy and planning process will define information
                                                           procedures to effectively communicate and govern
security implementations that are allowable for each
                                                           information security in a CCE. An overall policy on
cloud computing service model (refer to the Risk
                                                           rules governing agency acquisition and use of cloud
Management Process section) based on the relative
                                                           computing services will be needed to communicate
risk rating of the information and systems migrating
                                                           agency leadership intentions for the safe use of
to the cloud (e.g., cloud services allowed by system
                                                           cloud computing, as well as the authorization process
categorization). In addition, the process will clarify
                                                           required to initiate such use. Agencies will also need
roles, responsibilities, and accountability for baseline
                                                           to document guidelines for the appropriate evaluation
information security capabilities in each environment
                                                           and acquisition of cloud computing service providers,
allowed. The planning process will also determine
                                                           along with environments that meet information and
the cloud service provider contractual requirements
                                                           system risk and compliance requirements. Also, the
and negotiations and will include the long-term
                                                           policy portfolio management process (in coordination
management of the provider relationship.
                                                           with the strategy and planning and risk management
                                                           processes [Plan phase] and with the approval and
                                                           authority of the management oversight process [Act




                                                                                                                                                               6
phase]) will need to provide guidance on the minimum              Architect and Establish (Plan)   Implement and Operate (Do)     Monitor and Review (Check, Act)

    information security and compliance management                      Management Processes             Functional Processes         Management Processes

    requirements to be included in SLAs and contracts with                    Strategy and
                                                                                Planning                   Asset
                                                                                                        Management
                                                                                                                          Human
                                                                                                                         Resources
                                                                                                                          Security
                                                                                                                                          Communications
                                                                                                                                           and Outreach


    prospective cloud service providers.                                                                 Physical and
                                                                                                        Environmental
                                                                                                                        Comms and
                                                                                                                         Operations
                                                                                                                        Management
                                                                                                           Security
                                                                                                                                           Compliance and
                                                                             Policy Portfolio                                               Performance
                                                                              Management                Identity and    Information         Management
    A review of all agency security policies must occur to                                                Access
                                                                                                        Management
                                                                                                                          Systems
                                                                                                                        Acquisition


    determine the changes required to ensure effective                           Risk
                                                                              Management
                                                                                                         Incident
                                                                                                        Management
                                                                                                                         Business
                                                                                                                         Continuity
                                                                                                                        Management
                                                                                                                                           Awareness and
                                                                                                                                              Training

    governance in a cloud environment. Each policy should
    be tailored to reflect the unique cloud deployment
                                                                                                                Management
                                                                                                                 Oversight


    model and account for the information and information
    systems authorized for cloud migration. Additional policy       •	 Enable better optimization of security expenditures,
    and supporting guidance, standards, and procedures                 resources, and activities
    will be necessary to effectively manage the functional          •	 Inform security priorities and planning
    control processes when operating in a CCE (e.g.,
    configuration and change management guidelines,                 •	 Provide the basis for measuring information
    incident management, chain of evidence and e-discovery,            security program efficiency and effectiveness.
    mission continuity of cloud services, the monitoring            Risk management methodologies will require
    and reporting of cloud service compliance, system and           modification to effectively consider, treat, or accept
    data life-cycle assurance, and compliance testing and           the risks inherent in migrating agency information
    assurance of cloud-based services). Guidelines may also         and systems to a CCE. For practical reasons, we limit
    be developed to specify mandatory and recommended               our discussion to the use of private, community, or
    tools for use in the monitoring and evaluation of cloud         a hybrid of both CCEs as the most likely evolution of
    service compliance and performance (e.g., certification         federal agency CCE transition. As noted earlier, until
    and accreditation [C&A] tools, technical compliance tools       the providers of public cloud services make significant
    such as Layer7). Policy decisions regarding each of the         changes to their current offerings and SLAs, the use
    functional control processes must account for the level of      of those services by the Federal Government will
    control each organization is willing to transfer to the cloud   need to be limited to public information and systems
    provider while ensuring the goals and requirements of the       with minimal risk and no legal or regulatory security
    information security program are met.                           requirements.

    Risk Management Process                                         Limiting our discussion to the use of private,
    The risk management process will require modification           community, or combined hybrid cloud services will
    and significant additional variable considerations to           still require the consideration and inclusion of
    securely migrate agency services to a CCE. The primary          additional risk factors related to the relative degrees
    purposes of the risk management process include—                of agency control over the service models adopted.
                                                                    The risk methodology will also need to determine risk
    •	 Enable information asset-based protection and                mitigations and the residual risks of each service
       mitigation planning                                          model for the hierarchy of risk profiles associated
    •	 Enhance the organization’s ability to select and             with agency information assets and systems. For
       apply protection based on the specific risks and             example, agencies will need to modify their current
       threats affecting an asset                                   risk calculations that focus on system categorization,
                                                                    privacy, and regulation to appropriately assess changes
    •	 Ensure consistent information security risk                  to the risks of these systems when migrating to a CCE
       assessment methodologies are used throughout                 utilizing one or more of the three cloud service models.
       the organization




7
Exhibit 6 summarizes the models and their relative risk. These example risk ratings may be modified to fit with agency-specific risk assessment methodologies, but in general they are consistent with the degree of direct agency control represented by each service model. Each cloud service model can be assessed as an information service asset with unique risk ratings and resultant control selection for risk mitigation (e.g., contract terms, SLA content, compliance, monitoring tools).

The relative risk ratings increase as the cloud consumer moves from IaaS to PaaS and finally to SaaS. The service models build on one another, resulting in cumulative risk as the cloud provider assumes more direct control (i.e., PaaS builds on IaaS, and SaaS builds on both IaaS and PaaS, resulting in an increasing assumption of control by the cloud provider and therefore greater security risk to the cloud consumer).

New risk analysis methodologies should be closely monitored during the compliance and performance management process (Check phase) and modified as necessary to reduce overall information security risk over time. In all cases, the modified risk analysis methodologies and resulting risk rankings must be reviewed during the management oversight process (Act phase) to ensure management participation, risk awareness, review, and acceptance of both risk treatment options and resultant residual risks.

Exhibit 6 | Service Model Risk Characteristics

Infrastructure as a Service (IaaS)
  Risk characteristics: The capability provided to the cloud consumer is to rent processing, storage, networks, and other fundamental computing resources and to deploy and run arbitrary software, which can include operating systems and applications. The consumer does not manage or control the underlying cloud infrastructure but has control over operating systems, storage, deployed applications, and possibly select networking components (e.g., firewalls, load balancers).
  Relative additional risk: Medium

Platform as a Service (PaaS)
  Risk characteristics: The capability provided to the consumer is to deploy consumer-created applications onto the cloud infrastructure using programming languages and tools supported by the provider (e.g., Java, Python, .Net). The consumer does not manage or control the underlying cloud infrastructure, network, servers, operating systems, or storage, but the consumer has control over the deployed applications and possibly application hosting environment configurations.
  Relative additional risk: High

Software as a Service (SaaS)
  Risk characteristics: The capability provided to the consumer is to use the provider's applications running on a cloud infrastructure and accessible from various client devices through a thin client interface, such as a web browser (e.g., web-based e-mail). The consumer does not manage or control the underlying cloud infrastructure, network, servers, operating systems, storage, or individual application capabilities, with the possible exception of limited user-specific application configuration settings.
  Relative additional risk: Very High

Source: Booz Allen Hamilton
Representative CCE-Related Artifacts of the Plan Phase

[Figure: framework diagram (Plan, Do, Check/Act processes), repeated alongside this section.]

The three management processes of the information security governance framework's Plan phase will produce several documents to inform and guide users in the effective and appropriate use of cloud computing services. Some specific examples are included in each process description, but Exhibit 7 summarizes artifacts that are typical outputs of the governance model and that will likely have specific references to operating in a CCE. In some cases, the cloud provider may be partially or completely responsible for these artifacts, depending on the final agreements between the cloud consumer and the cloud provider.

Exhibit 7 | Plan Phase Artifacts

Strategy & Planning
  Example Artifact                        Contract/SLA Implications
  Security Strategic Plan                 Goal Performance
  Consolidated Security Requirements      Requirements Compliance
  Organization Model Modifications        Relationship Management
  Roles & Responsibilities Charts         Consumer/Provider
  CCE Implementation Plans                None
  Budget & Resource Requirements          None

Policy Portfolio Management
  Example Artifact                        Contract/SLA Implications
  CCE Contract & SLA                      Terms & Conditions
  CCE Security Policy                     Terms & Conditions
  CCE Acquisition Policy                  Terms & Conditions
  CCE Authorization Procedure             None
  CCE Standards/Guidelines                None
  CCE Monitoring/Compliance Tools         Terms & Conditions
  CCE Configuration Guidelines            Technical Compliance
  CCE-Specific Processes                  Terms & Conditions

Risk Management
  Example Artifact                        Contract/SLA Implications
  Risk Management Procedure               None
  Risk Methodology Modifications          None
  Service Model Risks                     None
  Risk Assessment Reports                 None
  CCE Controls & Risk Treatments          Terms/Responsibilities
  Systems/Assets Allowed in CCE           None

Source: Booz Allen Hamilton

Implementing and Operating the Information Security Program (DO)
Because this paper focuses on information security governance, we will not discuss in detail the functional processes that constitute the Do phase of the Plan, Do, Check, Act cycle. The implementation and operation of information security controls contained in each of the functional process areas will vary significantly depending on CCE deployment and the service models employed. However, other Booz Allen papers address the implementation and operation of information security functional processes and controls, and this topic is not essential to discussions related to the effective management and governance of information security in a cloud environment.

Monitoring and Measuring the Information Security Program (CHECK)
Three management processes are included in the Check phase of the information security management and governance framework: awareness and training, communication and outreach, and compliance and performance management. Of these three, the compliance and performance management process represents the area with the most significant issues for consideration when migrating services to a CCE.

Awareness and Training and Communication and Outreach Processes

[Figure: framework diagram (Plan, Do, Check/Act processes), repeated alongside this section.]

• Clarify roles and responsibilities
• Drive the ongoing competency of information security staff.

Execution of these important management processes will not vary as a result of the introduction of a CCE. However, the processes will need to include formal awareness, training, communication, and outreach to inform all relevant agency users of the new policies, guidelines, standards, procedures, risks, and compliance issues related to the migration of information services to a CCE.

Compliance and Performance Management Process

[Figure: framework diagram (Plan, Do, Check/Act processes), repeated alongside this section.]

Compliance and performance management is the key process in the Check phase of the framework. The primary purposes of the process include—
                                                     Management         Awareness and                •	 Create regular measurement and reporting of
                                                                           Training

                                                                                                        progress and issues
                                             Management
                                              Oversight
                                                                                                     •	 Inform and prioritize program improvements
The major purposes of these management processes
                                                                                                     •	 Record progress toward achieving strategic goals
are complementary and similar. The purposes
                                                                                                        and compliance with requirements
include—
                                                                                                     •	 Drive continuous improvement of the information
•	 Consistently communicate the importance of
                                                                                                        security program
   information security throughout the organization
                                                                                                     •	 Minimize potential for recurrence of systemic
•	 Educate staff on required actions related to
                                                                                                        issues
   changes in regulatory, legislative, and other
   mandates                                                                                          •	 Optimize consistency and efficiency of security
                                                                                                        implementations
•	 Broaden and deepen the security awareness of the
   organization                                                                                      •	 Inform modifications to risk analyses and risk
                                                                                                        mitigations
•	 Enhance compliance through better understanding
   and knowledge




                                                                                                                                                                                                         10
• Measure and report on compliance with legal, regulatory, and contractual requirements; internal policies; and technical guidelines and standards.

The purposes of the compliance and performance management process remain unchanged in a CCE, but the execution of the process will require significant modification to effectively monitor and measure compliance and performance in the cloud. Focusing again on agency use of private clouds, community clouds, or hybrid combinations will lead to enhanced information security compliance and performance in a public cloud environment.

Compliance includes legal, regulatory, and contractual security compliance; compliance with internal policies, guidelines, standards, and procedures; and technical compliance checking. All compliance and performance checking is dependent on a comprehensive measurement and management reporting system covering each area of compliance, as well as the information security program's effectiveness in meeting goals, objectives, and requirements. Compliance and performance measurement and reporting will require detailed specification in the SLAs and contracts with the cloud service provider covering each service model allowed in the agreements.

In the case of private or community cloud service providers, there will be a greater level of trust, understanding, and flexibility in the agreement negotiations because of the shared mission goals and common legal and regulatory compliance requirements between the cloud provider and the cloud consumer. Based on the cloud service risk profiles; strategic planning of the cloud service; and CCE-specific policies, guidelines, standards, and procedures defined in the Plan phase, federal agency cloud consumers can determine their minimum information security requirements and controls for each level of cloud service and drive the SLA and contract negotiations to a satisfactory agreement. SLAs and contracts must minimize security risks; enable effective monitoring and measuring of all legal, regulatory, and contractual security requirements (by either the service provider or the cloud consumer); and clearly define accountability for legal liability related to an information security breach in the cloud.

Measurement and monitoring reports should be presented in periodic management reviews of the overall information security program to the information security governance body, along with recommendations for corrective and preventive actions.

Managing and Improving the Information Security Program (ACT)

Participation by management representing all agency stakeholder organizations is essential to the effective management and oversight of any information security management system. The process and the governance bodies that execute it form the governance program and represent the Act phase of the continuous improvement model.

Management Oversight Process

An information security governance body conducts the functions of the management oversight process. This body consists of senior leadership and representatives from each functional area of the organization to—

• Ensure ongoing management involvement in program direction and priorities
• Establish enterprise information security governance
• Ensure the information security program supports mission goals and objectives
• Reinforce the importance of information security throughout the organization
• Oversee risk management to balance mission goals and information security costs
• Track and optimize information security resource allocation
• Authorize improvements to the information security program on a continuing basis.
These management oversight objectives are valid regardless of the information security operating environments deployed. However, the governance body will need to actively participate in the review, authorization, and communication of all information security plans, policies and supporting documentation, risks, and compliance issues related to the use of cloud-based services. Therefore, the governance body will need to include or consult with cloud computing information technology and information security subject matter experts. The group should also include or consult with agency counsel to ensure a complete understanding and inclusion of legal and liability issues specific to a CCE and to verify sufficient coverage of all issues in the negotiated SLAs and contracts for cloud-based services. It is imperative that management sponsors and monitors the effectiveness of cloud-specific awareness, training and communication, and outreach programs to ensure broad awareness of agency policy and guidelines by all responsible users. Finally, management must be vigilant in its review of compliance and monitoring of cloud services and must drive continuous improvement in the overall information security program, including all cloud-based services.

Representative CCE-Related Artifacts of the Check and Act Phases

The four management processes of the Check and Act phases of the information security management and governance framework will result in several documents and reports to inform and guide users in the effective and appropriate use of cloud computing services and to report on the compliance and performance of cloud-based systems. Some specific examples are included in each process description, but Exhibit 8 summarizes artifacts that are typical outputs of the governance model and that are likely to have specific references to operating in a CCE. In some cases, the cloud provider may be partially or completely responsible for these artifacts, depending on the final agreements between the cloud consumer and the cloud provider.

Exhibit 8 | Act Phase Artifacts

Management Process: Awareness & Training; Communication & Outreach
  Example Artifact                          Contract/SLA Implications
  • User Security Awareness                 • Provider Participation?
    – CCE Policy                              – Yes
    – CCE Authorization                       – No
    – CCE Guidelines/Standards                – Sometimes
    – CCE Procedures                          – Sometimes
  • CCE Security Technical Training           – No
  • Awareness Tests & Records                 – No

Management Process: Compliance & Performance Management
  Example Artifact                          Contract/SLA Implications
  • Compliance/Performance Measures         • Terms & Conditions
  • Legal, Regulatory Compliance            • Roles, Responsibilities
  • Policy Portfolio Compliance             • Roles, Responsibilities
  • Privacy Compliance                      • Roles, Responsibilities
  • Technical Compliance                    • Roles, Responsibilities
  • Log Monitoring Reports                  • Roles, Responsibilities
  • Incident Management Reporting           • Roles, Responsibilities
  • Internal Compliance Audits              • Terms, Responsibilities
  • Performance Measurement Reports         • Terms, Responsibilities
  • Technical Controls Testing              • Terms, Responsibilities
  • SLA Reporting                           • Terms & Conditions
  • Recommended Improvement Plans           • Negotiation

Management Process: Risk Management
  Example Artifact                          Contract/SLA Implications
  • CCE Management Review Reports           • None
  • Authorized Improvement Plans            • Negotiation

Source: Booz Allen Hamilton

Summary and Conclusions

Cloud computing takes advantage of economies of scale to offer compelling cost benefits to federal agencies for information services performed in support of their mission. Migration of agency information assets and systems to a CCE can also provide impressive benefits related to deployment flexibility and service on demand and can enable capabilities not feasible in many enterprise computing environments, such as massive data analysis and intelligence analysis.7 However, the nature of cloud deployment and service models presents new information security risks and introduces complications to compliance with legal, regulatory, and contractual security requirements for cloud consumers. Some complications have serious legal liability implications.

Key to the successful adoption and transition of information systems to a CCE is the implementation/modification of a strategic proactive information security management and governance framework. At Booz Allen, we have developed a framework that we have successfully implemented in several commercial and federal government client environments. Our model consists of a set of management processes that interact in a Plan, Do, Check, Act cycle of continuous improvement to effectively manage and govern enterprise information security. The management processes of the governance model require some modifications to the major steps in their execution to effectively manage the risk and compliance issues inherent in a CCE.

Information security governance is a critical component of a successful transition to the cloud. An organization's mission and risk profile must drive the implementation of the management processes described in this paper, as well as the artifacts they produce. It is also vital to treat the management processes as integrated components of a larger information security governance framework rather than as individual silos. Using this framework to guide the transition to and ongoing operations in the CCE will ultimately enable an organization to maximize its benefits in the cloud while sensibly and cost-effectively addressing the cloud's inherent risks.

7 Massive Data Analytics and the Cloud—A Revolution in Intelligence Analysis, Drew Cohen and Joshua D. Sullivan, 2009.

Glossary of Acronyms

C&A   Certification and Accreditation
C3F   Booz Allen's Cloud Computing User Transition Framework
CCE   Cloud Computing Environment
CIO   Chief Information Officer
CISO  Chief Information Security Officer
DISA  Defense Information Systems Agency, part of the Department of Defense
IaaS  Infrastructure as a Service
NIST  National Institute of Standards and Technology. NIST guidelines on information security are officially standard practice for federal information technology and are codified in information security regulations
PaaS  Platform as a Service
RACE  Rapid Access Computing Environment. This refers to a working prototype cloud developed by DISA. As of this writing, it is being used for open-source software development, and many additional functions are in the works
SaaS  Software as a Service
SLA   Service-Level Agreement. In this case, this refers to a contract between the cloud computing provider and client(s)
SP    Special Publication
Glossary of Terms
Cloud               The “cloud” consists of computing resources (software, operating platform, memory, and
                    processors) that are abstracted from the user by some form of virtualization and (often)
                    physical separation between the user and the infrastructure on which the services are
                    supported. “Cloud computing” means the use of a cloud for IT functions.

Cloud               The capability provided to the consumer is to provision processing, storage, networks, and
Infrastructure as   other fundamental computing resources where the consumer is able to deploy and run
a Service (IaaS)    arbitrary software, which can include operating systems and applications. The consumer
                    does not manage or control the underlying cloud infrastructure but has control over operating
                    systems, storage, and deployed applications, and possibly limited control of select networking
                    components (e.g., host firewalls).

Cloud Platform      The capability provided to the consumer is to deploy onto the cloud infrastructure consumer-
as a Service        created or acquired applications created using programming languages and tools supported
(PaaS)              by the provider. The consumer does not manage or control the underlying cloud infrastructure
                    including network, servers, operating systems, or storage, but has control over the deployed
                    applications and possibly application hosting environment configurations.

Cloud Software      The capability provided to the consumer is to use the provider’s applications running on a
as a Service        cloud infrastructure. The applications are accessible from various client devices through a
(SaaS)              thin client interface such as a web browser (e.g., web-based email). The consumer does not
                    manage or control the underlying cloud infrastructure including network, servers, operating
                    systems, storage, or even individual application capabilities, with the possible exception of
                    limited user-specific application configuration settings.

Community           The cloud infrastructure is shared by several organizations and supports a specific community
Cloud               that has shared concerns (e.g., mission, security requirements, policy, and compliance
                    considerations). It may be managed by the organizations or a third party and may exist on
                    premise or off premise.

Hybrid Cloud        The cloud infrastructure is a composition of two or more clouds (private, community, or public)
                    that remain unique entities but are bound together by standardized or proprietary technology
                    that enables data and application portability (e.g., cloud bursting for load-balancing between
                    clouds).

Multi-tenancy       Property of a cloud environment used by multiple customers (“tenants”). Contrast with the
                    “single-tenancy” private cloud, which is used by only one customer.

Private Cloud       The cloud infrastructure is operated solely for an organization. It may be managed by the
                    organization or a third party and may exist on premise or off premise.

Public Cloud        The cloud infrastructure is made available to the general public or a large industry group and
                    is owned by an organization selling cloud services.

Service Model       Refers to the ownership of the cloud infrastructure. See the Introduction for descriptions of
                    different service models.




About Booz Allen

Booz Allen Hamilton has been at the forefront of strategy and technology consulting for 95 years. Every day, government agencies, institutions, corporations, and not-for-profit organizations rely on the firm's expertise and objectivity, and on the combined capabilities and dedication of our exceptional people to find solutions and seize opportunities. We combine a consultant's unique problem-solving orientation with deep technical knowledge and strong execution to help clients achieve success in their most critical missions. Providing a broad range of services in strategy, operations, organization and change, information technology, systems engineering, and program management, Booz Allen is committed to delivering results that endure.

With more than 22,000 people and $4.5 billion in annual revenue, Booz Allen is continually recognized for its quality work and corporate culture. In 2009, for the fifth consecutive year, Fortune magazine named Booz Allen one of "The 100 Best Companies to Work For," and Working Mother magazine has ranked the firm among its "100 Best Companies for Working Mothers" annually since 1999.

Contact Information:

Jamie Miller, Associate, miller_jamie@bah.com, 703/377-1274
Larry Candler, Associate, candler_larry@bah.com, 703/377-4534
Hannah Wald, Consultant, wald_hannah@bah.com, 703/377-6646


To learn more about the firm and to download digital versions of this article and other Booz Allen Hamilton
publications, visit www.boozallen.com.




Principal Offices

ALABAMA: Huntsville
CALIFORNIA: Los Angeles, San Diego, San Francisco
COLORADO: Colorado Springs, Denver
FLORIDA: Pensacola, Sarasota, Tampa
GEORGIA: Atlanta
HAWAII: Honolulu
ILLINOIS: O'Fallon
KANSAS: Leavenworth
MARYLAND: Aberdeen, Annapolis Junction, Lexington Park, Linthicum, Rockville
MICHIGAN: Troy
NEBRASKA: Omaha
NEW JERSEY: Eatontown
NEW YORK: Rome
OHIO: Dayton
PENNSYLVANIA: Philadelphia
SOUTH CAROLINA: Charleston
TEXAS: Houston, San Antonio
VIRGINIA: Arlington, Chantilly, Falls Church, Herndon, McLean, Norfolk, Stafford
WASHINGTON, DC

The most complete, recent list of offices and their addresses and telephone numbers can be found on www.boozallen.com by clicking the "Offices" link under "About Booz Allen."


www.boozallen.com
©2009 Booz Allen Hamilton Inc.
09.205.09

Cloud-Based Customer Experience Management Solutions For Government Agencies
 
An study of security issues & challenges in cloud computing
An study of security issues & challenges in cloud computingAn study of security issues & challenges in cloud computing
An study of security issues & challenges in cloud computing
 
Cloud computing security through symmetric cipher model
Cloud computing security through symmetric cipher modelCloud computing security through symmetric cipher model
Cloud computing security through symmetric cipher model
 
McKesson Managed Services
McKesson Managed ServicesMcKesson Managed Services
McKesson Managed Services
 
Neupart Isaca April 2012
Neupart Isaca April 2012Neupart Isaca April 2012
Neupart Isaca April 2012
 
Addressing Security Issues and Challenges in Mobile Cloud Computing
Addressing Security Issues and Challenges in Mobile Cloud ComputingAddressing Security Issues and Challenges in Mobile Cloud Computing
Addressing Security Issues and Challenges in Mobile Cloud Computing
 
70 74
70 7470 74
70 74
 
Hybrid cloud based firewalling
Hybrid cloud based firewallingHybrid cloud based firewalling
Hybrid cloud based firewalling
 
Cloud Computing
Cloud ComputingCloud Computing
Cloud Computing
 
Whitepaper Cloud Egovernance Imaginea
Whitepaper Cloud Egovernance ImagineaWhitepaper Cloud Egovernance Imaginea
Whitepaper Cloud Egovernance Imaginea
 
Belden Total Enterprise Network White Paper
Belden Total Enterprise Network White PaperBelden Total Enterprise Network White Paper
Belden Total Enterprise Network White Paper
 
Cloud Computing: Architecture, IT Security and Operational Perspectives
Cloud Computing: Architecture, IT Security and Operational PerspectivesCloud Computing: Architecture, IT Security and Operational Perspectives
Cloud Computing: Architecture, IT Security and Operational Perspectives
 
Ensuring Privacy & Transparency within Hybrid Clouds
Ensuring  Privacy & Transparency within Hybrid Clouds Ensuring  Privacy & Transparency within Hybrid Clouds
Ensuring Privacy & Transparency within Hybrid Clouds
 
Demystifying Cloud Contracts And SLAs- ConfidentNOW Webinar Series
Demystifying Cloud Contracts And SLAs- ConfidentNOW Webinar SeriesDemystifying Cloud Contracts And SLAs- ConfidentNOW Webinar Series
Demystifying Cloud Contracts And SLAs- ConfidentNOW Webinar Series
 

Viewers also liked

The Cybersecurity Executive Order
The Cybersecurity Executive OrderThe Cybersecurity Executive Order
The Cybersecurity Executive OrderBooz Allen Hamilton
 
Enabling Big Data with Data-Level Security:The Cloud Analytics Reference Arch...
Enabling Big Data with Data-Level Security:The Cloud Analytics Reference Arch...Enabling Big Data with Data-Level Security:The Cloud Analytics Reference Arch...
Enabling Big Data with Data-Level Security:The Cloud Analytics Reference Arch...Booz Allen Hamilton
 
Delivering on the Promise of Big Data and the Cloud
Delivering on the Promise of Big Data and the CloudDelivering on the Promise of Big Data and the Cloud
Delivering on the Promise of Big Data and the CloudBooz Allen Hamilton
 
Mission Engineering Solution Infographic
Mission Engineering Solution InfographicMission Engineering Solution Infographic
Mission Engineering Solution InfographicBooz Allen Hamilton
 
Using Advanced Analytics for Data-Driven Decision Making
Using Advanced Analytics for Data-Driven Decision MakingUsing Advanced Analytics for Data-Driven Decision Making
Using Advanced Analytics for Data-Driven Decision MakingBooz Allen Hamilton
 
Improving Intelligence Analysis Through Cloud Analytics
Improving Intelligence Analysis Through  Cloud AnalyticsImproving Intelligence Analysis Through  Cloud Analytics
Improving Intelligence Analysis Through Cloud AnalyticsBooz Allen Hamilton
 
Predicting Mission Success through Improved Data Collection, Reuse and Analysis
Predicting Mission Success through Improved Data Collection, Reuse and AnalysisPredicting Mission Success through Improved Data Collection, Reuse and Analysis
Predicting Mission Success through Improved Data Collection, Reuse and AnalysisBooz Allen Hamilton
 
Rethinking Mega-Region Air Travel
Rethinking Mega-Region Air TravelRethinking Mega-Region Air Travel
Rethinking Mega-Region Air TravelBooz Allen Hamilton
 
Government 2.0: Cutting-Edge Solutions For Communication, Collaboration, Serv...
Government 2.0: Cutting-Edge Solutions For Communication, Collaboration, Serv...Government 2.0: Cutting-Edge Solutions For Communication, Collaboration, Serv...
Government 2.0: Cutting-Edge Solutions For Communication, Collaboration, Serv...Booz Allen Hamilton
 
Re-Imagined Infrastructure System: US 2040 Economy
Re-Imagined Infrastructure System: US 2040 EconomyRe-Imagined Infrastructure System: US 2040 Economy
Re-Imagined Infrastructure System: US 2040 EconomyBooz Allen Hamilton
 
Miles To Go Before They Are Green
Miles To Go Before They Are GreenMiles To Go Before They Are Green
Miles To Go Before They Are GreenBooz Allen Hamilton
 
Methodology for Platform Modernization
Methodology for Platform ModernizationMethodology for Platform Modernization
Methodology for Platform ModernizationBooz Allen Hamilton
 
Mitigating Our Nation’s Risks – Calling Upon the Whole Community
Mitigating Our Nation’s Risks – Calling Upon the Whole CommunityMitigating Our Nation’s Risks – Calling Upon the Whole Community
Mitigating Our Nation’s Risks – Calling Upon the Whole CommunityBooz Allen Hamilton
 

Viewers also liked (20)

The Business of Change
The Business of ChangeThe Business of Change
The Business of Change
 
The Cybersecurity Executive Order
The Cybersecurity Executive OrderThe Cybersecurity Executive Order
The Cybersecurity Executive Order
 
Sais.34.1
Sais.34.1Sais.34.1
Sais.34.1
 
Enabling Big Data with Data-Level Security:The Cloud Analytics Reference Arch...
Enabling Big Data with Data-Level Security:The Cloud Analytics Reference Arch...Enabling Big Data with Data-Level Security:The Cloud Analytics Reference Arch...
Enabling Big Data with Data-Level Security:The Cloud Analytics Reference Arch...
 
Delivering on the Promise of Big Data and the Cloud
Delivering on the Promise of Big Data and the CloudDelivering on the Promise of Big Data and the Cloud
Delivering on the Promise of Big Data and the Cloud
 
Mission Engineering Solution Infographic
Mission Engineering Solution InfographicMission Engineering Solution Infographic
Mission Engineering Solution Infographic
 
When Disaster Strikes
When Disaster StrikesWhen Disaster Strikes
When Disaster Strikes
 
Using Advanced Analytics for Data-Driven Decision Making
Using Advanced Analytics for Data-Driven Decision MakingUsing Advanced Analytics for Data-Driven Decision Making
Using Advanced Analytics for Data-Driven Decision Making
 
Improving Intelligence Analysis Through Cloud Analytics
Improving Intelligence Analysis Through  Cloud AnalyticsImproving Intelligence Analysis Through  Cloud Analytics
Improving Intelligence Analysis Through Cloud Analytics
 
Predicting Mission Success through Improved Data Collection, Reuse and Analysis
Predicting Mission Success through Improved Data Collection, Reuse and AnalysisPredicting Mission Success through Improved Data Collection, Reuse and Analysis
Predicting Mission Success through Improved Data Collection, Reuse and Analysis
 
Cloud Brokering Brochure
Cloud Brokering BrochureCloud Brokering Brochure
Cloud Brokering Brochure
 
Rethinking Mega-Region Air Travel
Rethinking Mega-Region Air TravelRethinking Mega-Region Air Travel
Rethinking Mega-Region Air Travel
 
Reform Infographic
Reform InfographicReform Infographic
Reform Infographic
 
Dynamic Defense
Dynamic DefenseDynamic Defense
Dynamic Defense
 
Government 2.0: Cutting-Edge Solutions For Communication, Collaboration, Serv...
Government 2.0: Cutting-Edge Solutions For Communication, Collaboration, Serv...Government 2.0: Cutting-Edge Solutions For Communication, Collaboration, Serv...
Government 2.0: Cutting-Edge Solutions For Communication, Collaboration, Serv...
 
Re-Imagined Infrastructure System: US 2040 Economy
Re-Imagined Infrastructure System: US 2040 EconomyRe-Imagined Infrastructure System: US 2040 Economy
Re-Imagined Infrastructure System: US 2040 Economy
 
Miles To Go Before They Are Green
Miles To Go Before They Are GreenMiles To Go Before They Are Green
Miles To Go Before They Are Green
 
Methodology for Platform Modernization
Methodology for Platform ModernizationMethodology for Platform Modernization
Methodology for Platform Modernization
 
Mitigating Our Nation’s Risks – Calling Upon the Whole Community
Mitigating Our Nation’s Risks – Calling Upon the Whole CommunityMitigating Our Nation’s Risks – Calling Upon the Whole Community
Mitigating Our Nation’s Risks – Calling Upon the Whole Community
 
Polaris Product Fact Sheet
Polaris Product Fact SheetPolaris Product Fact Sheet
Polaris Product Fact Sheet
 

Similar to Information Security Governance

Information Security Governance: Government Considerations for the Cloud Comp...
Information Security Governance: Government Considerations for the Cloud Comp...Information Security Governance: Government Considerations for the Cloud Comp...
Information Security Governance: Government Considerations for the Cloud Comp...Booz Allen Hamilton
 
Cloud Computing Security: Government Acquisition Considerations for the Cloud...
Cloud Computing Security: Government Acquisition Considerations for the Cloud...Cloud Computing Security: Government Acquisition Considerations for the Cloud...
Cloud Computing Security: Government Acquisition Considerations for the Cloud...Booz Allen Hamilton
 
Requirements and Challenges for Securing Cloud Applications and Services
Requirements and Challenges for Securing Cloud Applications  and ServicesRequirements and Challenges for Securing Cloud Applications  and Services
Requirements and Challenges for Securing Cloud Applications and ServicesIOSR Journals
 
Strategies for assessing cloud security
Strategies for assessing cloud securityStrategies for assessing cloud security
Strategies for assessing cloud securityArun Gopinath
 
Ast 0064255 strategies-for_assessing_cloud_security
Ast 0064255 strategies-for_assessing_cloud_securityAst 0064255 strategies-for_assessing_cloud_security
Ast 0064255 strategies-for_assessing_cloud_securityAccenture
 
Cloud Security: Perception VS Reality
Cloud Security: Perception VS RealityCloud Security: Perception VS Reality
Cloud Security: Perception VS RealityKVH Co. Ltd.
 
Legal And Regulatory Issues Cloud Computing...V2.0
Legal And Regulatory Issues Cloud Computing...V2.0Legal And Regulatory Issues Cloud Computing...V2.0
Legal And Regulatory Issues Cloud Computing...V2.0David Spinks
 
Cloud Security Guidance: IBM Recommendations For The Implementation Of Cloud ...
Cloud Security Guidance: IBM Recommendations For The Implementation Of Cloud ...Cloud Security Guidance: IBM Recommendations For The Implementation Of Cloud ...
Cloud Security Guidance: IBM Recommendations For The Implementation Of Cloud ...IBM India Smarter Computing
 
A Comprehensive Review on Data Security and Threats for Data Management in Cl...
A Comprehensive Review on Data Security and Threats for Data Management in Cl...A Comprehensive Review on Data Security and Threats for Data Management in Cl...
A Comprehensive Review on Data Security and Threats for Data Management in Cl...AJASTJournal
 
A Comprehensive Review on Data Security and Threats for Data Management in Cl...
A Comprehensive Review on Data Security and Threats for Data Management in Cl...A Comprehensive Review on Data Security and Threats for Data Management in Cl...
A Comprehensive Review on Data Security and Threats for Data Management in Cl...AJASTJournal
 
Pillars Of Cloud Computing: Decoding The Fundamentals
Pillars Of Cloud Computing: Decoding The FundamentalsPillars Of Cloud Computing: Decoding The Fundamentals
Pillars Of Cloud Computing: Decoding The FundamentalsCiente
 
Navigating the Cloud: Trends and Technologies Shaping Security and Compliance
Navigating the Cloud: Trends and Technologies Shaping Security and ComplianceNavigating the Cloud: Trends and Technologies Shaping Security and Compliance
Navigating the Cloud: Trends and Technologies Shaping Security and ComplianceUrolime Technologies
 
ISACA Journal Publication - Does your Cloud have a Secure Lining? Shah Sheikh
ISACA Journal Publication - Does your Cloud have a Secure Lining? Shah SheikhISACA Journal Publication - Does your Cloud have a Secure Lining? Shah Sheikh
ISACA Journal Publication - Does your Cloud have a Secure Lining? Shah SheikhShah Sheikh
 
Cloud implementation security challenges
Cloud implementation security challengesCloud implementation security challenges
Cloud implementation security challengesbornresearcher
 
Cloud Computing: Hindernisse und Chancen für Großunternehmen
Cloud Computing: Hindernisse und Chancen für GroßunternehmenCloud Computing: Hindernisse und Chancen für Großunternehmen
Cloud Computing: Hindernisse und Chancen für GroßunternehmenJohn Rhoton
 
Are your insurance processes cloud compatible?
Are your insurance processes cloud compatible?Are your insurance processes cloud compatible?
Are your insurance processes cloud compatible?Cognizant
 

Similar to Information Security Governance (20)

Information Security Governance: Government Considerations for the Cloud Comp...
Information Security Governance: Government Considerations for the Cloud Comp...Information Security Governance: Government Considerations for the Cloud Comp...
Information Security Governance: Government Considerations for the Cloud Comp...
 
Cloud Computing Security: Government Acquisition Considerations for the Cloud...
Cloud Computing Security: Government Acquisition Considerations for the Cloud...Cloud Computing Security: Government Acquisition Considerations for the Cloud...
Cloud Computing Security: Government Acquisition Considerations for the Cloud...
 
Requirements and Challenges for Securing Cloud Applications and Services
Requirements and Challenges for Securing Cloud Applications  and ServicesRequirements and Challenges for Securing Cloud Applications  and Services
Requirements and Challenges for Securing Cloud Applications and Services
 
Strategies for assessing cloud security
Strategies for assessing cloud securityStrategies for assessing cloud security
Strategies for assessing cloud security
 
Strategies for assessing cloud security
Strategies for assessing cloud securityStrategies for assessing cloud security
Strategies for assessing cloud security
 
Ast 0064255 strategies-for_assessing_cloud_security
Ast 0064255 strategies-for_assessing_cloud_securityAst 0064255 strategies-for_assessing_cloud_security
Ast 0064255 strategies-for_assessing_cloud_security
 
Cloud Security: Perception VS Reality
Cloud Security: Perception VS RealityCloud Security: Perception VS Reality
Cloud Security: Perception VS Reality
 
Legal And Regulatory Issues Cloud Computing...V2.0
Legal And Regulatory Issues Cloud Computing...V2.0Legal And Regulatory Issues Cloud Computing...V2.0
Legal And Regulatory Issues Cloud Computing...V2.0
 
Cloud Security Guidance: IBM Recommendations For The Implementation Of Cloud ...
Cloud Security Guidance: IBM Recommendations For The Implementation Of Cloud ...Cloud Security Guidance: IBM Recommendations For The Implementation Of Cloud ...
Cloud Security Guidance: IBM Recommendations For The Implementation Of Cloud ...
 
A Comprehensive Review on Data Security and Threats for Data Management in Cl...
A Comprehensive Review on Data Security and Threats for Data Management in Cl...A Comprehensive Review on Data Security and Threats for Data Management in Cl...
A Comprehensive Review on Data Security and Threats for Data Management in Cl...
 
A Comprehensive Review on Data Security and Threats for Data Management in Cl...
A Comprehensive Review on Data Security and Threats for Data Management in Cl...A Comprehensive Review on Data Security and Threats for Data Management in Cl...
A Comprehensive Review on Data Security and Threats for Data Management in Cl...
 
Pillars Of Cloud Computing: Decoding The Fundamentals
Pillars Of Cloud Computing: Decoding The FundamentalsPillars Of Cloud Computing: Decoding The Fundamentals
Pillars Of Cloud Computing: Decoding The Fundamentals
 
Navigating the Cloud: Trends and Technologies Shaping Security and Compliance
Navigating the Cloud: Trends and Technologies Shaping Security and ComplianceNavigating the Cloud: Trends and Technologies Shaping Security and Compliance
Navigating the Cloud: Trends and Technologies Shaping Security and Compliance
 
cloud1_aggy.pdf
cloud1_aggy.pdfcloud1_aggy.pdf
cloud1_aggy.pdf
 
ISACA Journal Publication - Does your Cloud have a Secure Lining? Shah Sheikh
ISACA Journal Publication - Does your Cloud have a Secure Lining? Shah SheikhISACA Journal Publication - Does your Cloud have a Secure Lining? Shah Sheikh
ISACA Journal Publication - Does your Cloud have a Secure Lining? Shah Sheikh
 
Cloud security v2
Cloud security v2Cloud security v2
Cloud security v2
 
Cloud implementation security challenges
Cloud implementation security challengesCloud implementation security challenges
Cloud implementation security challenges
 
Cloud Computing: Hindernisse und Chancen für Großunternehmen
Cloud Computing: Hindernisse und Chancen für GroßunternehmenCloud Computing: Hindernisse und Chancen für Großunternehmen
Cloud Computing: Hindernisse und Chancen für Großunternehmen
 
G0314043
G0314043G0314043
G0314043
 
Are your insurance processes cloud compatible?
Are your insurance processes cloud compatible?Are your insurance processes cloud compatible?
Are your insurance processes cloud compatible?
 

More from Booz Allen Hamilton

You Can Hack That: How to Use Hackathons to Solve Your Toughest Challenges
You Can Hack That: How to Use Hackathons to Solve Your Toughest ChallengesYou Can Hack That: How to Use Hackathons to Solve Your Toughest Challenges
You Can Hack That: How to Use Hackathons to Solve Your Toughest ChallengesBooz Allen Hamilton
 
Examining Flexibility in the Workplace for Working Moms
Examining Flexibility in the Workplace for Working MomsExamining Flexibility in the Workplace for Working Moms
Examining Flexibility in the Workplace for Working MomsBooz Allen Hamilton
 
Booz Allen's 10 Cyber Priorities for Boards of Directors
Booz Allen's 10 Cyber Priorities for Boards of DirectorsBooz Allen's 10 Cyber Priorities for Boards of Directors
Booz Allen's 10 Cyber Priorities for Boards of DirectorsBooz Allen Hamilton
 
Homeland Threats: Today and Tomorrow
Homeland Threats: Today and TomorrowHomeland Threats: Today and Tomorrow
Homeland Threats: Today and TomorrowBooz Allen Hamilton
 
Preparing for New Healthcare Payment Models
Preparing for New Healthcare Payment ModelsPreparing for New Healthcare Payment Models
Preparing for New Healthcare Payment ModelsBooz Allen Hamilton
 
The Product Owner’s Universe: Agile Coaching
The Product Owner’s Universe: Agile CoachingThe Product Owner’s Universe: Agile Coaching
The Product Owner’s Universe: Agile CoachingBooz Allen Hamilton
 
Immersive Learning: The Future of Training is Here
Immersive Learning: The Future of Training is HereImmersive Learning: The Future of Training is Here
Immersive Learning: The Future of Training is HereBooz Allen Hamilton
 
Nuclear Promise: Reducing Cost While Improving Performance
Nuclear Promise: Reducing Cost While Improving PerformanceNuclear Promise: Reducing Cost While Improving Performance
Nuclear Promise: Reducing Cost While Improving PerformanceBooz Allen Hamilton
 
Frenemies – When Unlikely Partners Join Forces
Frenemies – When Unlikely Partners Join ForcesFrenemies – When Unlikely Partners Join Forces
Frenemies – When Unlikely Partners Join ForcesBooz Allen Hamilton
 
Booz Allen Secure Agile Development
Booz Allen Secure Agile DevelopmentBooz Allen Secure Agile Development
Booz Allen Secure Agile DevelopmentBooz Allen Hamilton
 
Booz Allen Industrial Cybersecurity Threat Briefing
Booz Allen Industrial Cybersecurity Threat BriefingBooz Allen Industrial Cybersecurity Threat Briefing
Booz Allen Industrial Cybersecurity Threat BriefingBooz Allen Hamilton
 
Booz Allen Hamilton and Market Connections: C4ISR Survey Report
Booz Allen Hamilton and Market Connections: C4ISR Survey ReportBooz Allen Hamilton and Market Connections: C4ISR Survey Report
Booz Allen Hamilton and Market Connections: C4ISR Survey ReportBooz Allen Hamilton
 
Modern C4ISR Integrates, Innovates and Secures Military Networks
Modern C4ISR Integrates, Innovates and Secures Military NetworksModern C4ISR Integrates, Innovates and Secures Military Networks
Modern C4ISR Integrates, Innovates and Secures Military NetworksBooz Allen Hamilton
 
Agile and Open C4ISR Systems - Helping the Military Integrate, Innovate and S...
Agile and Open C4ISR Systems - Helping the Military Integrate, Innovate and S...Agile and Open C4ISR Systems - Helping the Military Integrate, Innovate and S...
Agile and Open C4ISR Systems - Helping the Military Integrate, Innovate and S...Booz Allen Hamilton
 
Booz Allen Field Guide to Data Science
Booz Allen Field Guide to Data Science Booz Allen Field Guide to Data Science
Booz Allen Field Guide to Data Science Booz Allen Hamilton
 

More from Booz Allen Hamilton (20)

You Can Hack That: How to Use Hackathons to Solve Your Toughest Challenges
You Can Hack That: How to Use Hackathons to Solve Your Toughest ChallengesYou Can Hack That: How to Use Hackathons to Solve Your Toughest Challenges
You Can Hack That: How to Use Hackathons to Solve Your Toughest Challenges
 
Examining Flexibility in the Workplace for Working Moms
Examining Flexibility in the Workplace for Working MomsExamining Flexibility in the Workplace for Working Moms
Examining Flexibility in the Workplace for Working Moms
 
The True Cost of Childcare
The True Cost of ChildcareThe True Cost of Childcare
The True Cost of Childcare
 
Booz Allen's 10 Cyber Priorities for Boards of Directors
Booz Allen's 10 Cyber Priorities for Boards of DirectorsBooz Allen's 10 Cyber Priorities for Boards of Directors
Booz Allen's 10 Cyber Priorities for Boards of Directors
 
Inaugural Addresses
Inaugural AddressesInaugural Addresses
Inaugural Addresses
 
Military Spouse Career Roadmap
Military Spouse Career Roadmap Military Spouse Career Roadmap
Military Spouse Career Roadmap
 
Homeland Threats: Today and Tomorrow
Homeland Threats: Today and TomorrowHomeland Threats: Today and Tomorrow
Homeland Threats: Today and Tomorrow
 
Preparing for New Healthcare Payment Models
Preparing for New Healthcare Payment ModelsPreparing for New Healthcare Payment Models
Preparing for New Healthcare Payment Models
 
The Product Owner’s Universe: Agile Coaching
The Product Owner’s Universe: Agile CoachingThe Product Owner’s Universe: Agile Coaching
The Product Owner’s Universe: Agile Coaching
 
Immersive Learning: The Future of Training is Here
Immersive Learning: The Future of Training is HereImmersive Learning: The Future of Training is Here
Immersive Learning: The Future of Training is Here
 
Nuclear Promise: Reducing Cost While Improving Performance
Nuclear Promise: Reducing Cost While Improving PerformanceNuclear Promise: Reducing Cost While Improving Performance
Nuclear Promise: Reducing Cost While Improving Performance
 
Frenemies – When Unlikely Partners Join Forces
Frenemies – When Unlikely Partners Join ForcesFrenemies – When Unlikely Partners Join Forces
Frenemies – When Unlikely Partners Join Forces
 
Booz Allen Secure Agile Development
Booz Allen Secure Agile DevelopmentBooz Allen Secure Agile Development
Booz Allen Secure Agile Development
 
Booz Allen Industrial Cybersecurity Threat Briefing
Booz Allen Industrial Cybersecurity Threat BriefingBooz Allen Industrial Cybersecurity Threat Briefing
Booz Allen Industrial Cybersecurity Threat Briefing
 
Booz Allen Hamilton and Market Connections: C4ISR Survey Report
Booz Allen Hamilton and Market Connections: C4ISR Survey ReportBooz Allen Hamilton and Market Connections: C4ISR Survey Report
Booz Allen Hamilton and Market Connections: C4ISR Survey Report
 
CITRIX IN AMAZON WEB SERVICES
CITRIX IN AMAZON WEB SERVICESCITRIX IN AMAZON WEB SERVICES
CITRIX IN AMAZON WEB SERVICES
 
Modern C4ISR Integrates, Innovates and Secures Military Networks
Modern C4ISR Integrates, Innovates and Secures Military NetworksModern C4ISR Integrates, Innovates and Secures Military Networks
Modern C4ISR Integrates, Innovates and Secures Military Networks
 
Agile and Open C4ISR Systems - Helping the Military Integrate, Innovate and S...
Agile and Open C4ISR Systems - Helping the Military Integrate, Innovate and S...Agile and Open C4ISR Systems - Helping the Military Integrate, Innovate and S...
Agile and Open C4ISR Systems - Helping the Military Integrate, Innovate and S...
 
Women On The Leading Edge
Women On The Leading Edge Women On The Leading Edge
Women On The Leading Edge
 
Booz Allen Field Guide to Data Science
Booz Allen Field Guide to Data Science Booz Allen Field Guide to Data Science
Booz Allen Field Guide to Data Science
 

Recently uploaded

Organizational Structure Running A Successful Business
Organizational Structure Running A Successful BusinessOrganizational Structure Running A Successful Business
Organizational Structure Running A Successful BusinessSeta Wicaksana
 
MAHA Global and IPR: Do Actions Speak Louder Than Words?
MAHA Global and IPR: Do Actions Speak Louder Than Words?MAHA Global and IPR: Do Actions Speak Louder Than Words?
MAHA Global and IPR: Do Actions Speak Louder Than Words?Olivia Kresic
 
Memorándum de Entendimiento (MoU) entre Codelco y SQM
Memorándum de Entendimiento (MoU) entre Codelco y SQMMemorándum de Entendimiento (MoU) entre Codelco y SQM
Memorándum de Entendimiento (MoU) entre Codelco y SQMVoces Mineras
 
Marketplace and Quality Assurance Presentation - Vincent Chirchir
Marketplace and Quality Assurance Presentation - Vincent ChirchirMarketplace and Quality Assurance Presentation - Vincent Chirchir
Marketplace and Quality Assurance Presentation - Vincent Chirchirictsugar
 
The-Ethical-issues-ghhhhhhhhjof-Byjus.pptx
The-Ethical-issues-ghhhhhhhhjof-Byjus.pptxThe-Ethical-issues-ghhhhhhhhjof-Byjus.pptx
The-Ethical-issues-ghhhhhhhhjof-Byjus.pptxmbikashkanyari
 
(Best) ENJOY Call Girls in Faridabad Ex | 8377087607
(Best) ENJOY Call Girls in Faridabad Ex | 8377087607(Best) ENJOY Call Girls in Faridabad Ex | 8377087607
(Best) ENJOY Call Girls in Faridabad Ex | 8377087607dollysharma2066
 
Chapter 9 PPT 4th edition.pdf internal audit
Chapter 9 PPT 4th edition.pdf internal auditChapter 9 PPT 4th edition.pdf internal audit
Chapter 9 PPT 4th edition.pdf internal auditNhtLNguyn9
 
Flow Your Strategy at Flight Levels Day 2024
Flow Your Strategy at Flight Levels Day 2024Flow Your Strategy at Flight Levels Day 2024
Flow Your Strategy at Flight Levels Day 2024Kirill Klimov
 
Kenya Coconut Production Presentation by Dr. Lalith Perera
Kenya Coconut Production Presentation by Dr. Lalith PereraKenya Coconut Production Presentation by Dr. Lalith Perera
Kenya Coconut Production Presentation by Dr. Lalith Pereraictsugar
 
Guide Complete Set of Residential Architectural Drawings PDF
Guide Complete Set of Residential Architectural Drawings PDFGuide Complete Set of Residential Architectural Drawings PDF
Guide Complete Set of Residential Architectural Drawings PDFChandresh Chudasama
 
Unlocking the Future: Explore Web 3.0 Workshop to Start Earning Today!
Unlocking the Future: Explore Web 3.0 Workshop to Start Earning Today!Unlocking the Future: Explore Web 3.0 Workshop to Start Earning Today!
Unlocking the Future: Explore Web 3.0 Workshop to Start Earning Today!Doge Mining Website
 
TriStar Gold Corporate Presentation - April 2024
TriStar Gold Corporate Presentation - April 2024TriStar Gold Corporate Presentation - April 2024
Introduction

“Cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.”¹

Outcomes of Effective Information Security Governance in a CCE
• Strategic Alignment—Information security practices aligned with the agency’s enterprise strategy and agreed-upon risk profile
• Value Delivery—A standard set of information to effectively manage and monitor cloud provider security controls
• Risk Management—An understanding of accepted risk exposure
• Performance Measurement—A measurement process with feedback on progress made

Moving information assets to a cloud computing environment (CCE) offers the cloud user the potential for reduced costs, on-demand self-service, ubiquitous network access, location-independent resource pooling, rapid elasticity, and measured service. CCEs are offered in a variety of deployment and service models, as this paper describes, each with its own characteristics for cost/benefit, efficiency, flexibility, risk, and cloud consumer control. Although the potential cost savings and flexibility advantages of operating in the cloud are compelling, cloud users need to understand the security risks, compliance complications, and potential legal issues inherent in the CCE. Federal agencies desiring to take advantage of cloud computing benefits will need to invest in proactive and strategic management of the new environment. To do so, they must implement or modify information security management systems and governance programs to mitigate security risks and comply with their legal, regulatory, and contractual security requirements.

As with the adoption of other new technologies and service offerings, transition to the CCE will likely be evolutionary, not revolutionary. Many organizations, particularly federal agencies, will migrate some capabilities to the cloud while maintaining existing computing environments for other capabilities, thus operating in a hybrid mode for the foreseeable future.²

The goal of this paper is to present an information security governance framework and key considerations relevant to that framework to help inform agency leaders, information security professionals, and information security governance participants on how to take advantage of the benefits of the CCE without exposing their mission to excessive information security risk or potential legal and regulatory compliance failures.

Information security governance is the mechanism through which organizations can ensure effective management of information security. Booz Allen Hamilton developed the information security management and governance framework presented in this paper. We have also customized it for—and implemented it in—several government and commercial client environments. The focus of this paper is the adaptation of our information security governance model for federal government entities planning to become users of cloud computing services. Potential cloud service providers to the Government will require a somewhat different adaptation of the information security management and governance framework, but this will be the topic of a separate white paper.

Before we present our proposed information security governance framework, it is first necessary to review the challenges and risks associated with each of the four existing cloud computing deployment models. To that effect, we offer a high-level description of each deployment model, including graphical depictions.

Public Clouds

The most common type of CCE is the public cloud. In this construct, the cloud infrastructure is owned and operated by an organization that provides services to multiple enterprises and individuals on a utility basis (consumers are often referred to as “tenants”) (see Exhibit 1). Public clouds present the highest security risk to federal agency cloud consumers because of the lack of direct control over information security control implementation and monitoring, global multi-tenancy with other users, virtualization and data location management, limited service-level agreement (SLA) flexibility, contractual liability limitations, and the lack of common legal and regulatory environments between cloud providers and cloud consumers.³ Lack of visibility compounds these issues and prevents cloud consumers from effectively measuring or demonstrating compliance with any kind of security requirements. In the future, providers of public services will probably adapt their offerings and increase the flexibility of SLAs and contracts to better accommodate the unique legal, regulatory, and contractual information security compliance requirements of the federal government environment. Some positive signs of movement in this direction are beginning to appear in the market, as evidenced by Amazon’s recent introduction of optional “virtual private cloud” services that combine the outsourcing advantages of public clouds with increased customer visibility, control, and service tailoring. Organizations should limit public cloud deployment to public information and systems with acceptable risk profiles and no legal or regulatory security requirements until service providers adapt to meet the user community’s security, compliance, and liability needs.⁴

Exhibit 1 | Public Cloud Illustration (diagram labels: Many, Many Organizations; Internet; Core Network; Public Clouds, e.g. Google, Microsoft, Amazon). Source: Booz Allen Hamilton

Private Clouds

In sharp contrast to the public cloud is the private CCE. In the private cloud, the cloud infrastructure is owned/leased and operated by a single organization solely for the user community of that organization (see Exhibit 2). An example in the Federal Government is an agency-wide cloud that offers services to all entities within that agency. Cost efficiencies and economies of scale are likely to be more limited in private clouds than public clouds, but information security risk and governance issues are minimized largely because of the shared mission goals and legal/regulatory security requirements between the cloud service provider and the cloud consumers.

Exhibit 2 | Private Cloud Illustration (diagram labels: Organization’s Private Network; Internet; Core Network; Private Cloud). Source: Booz Allen Hamilton

Community Clouds

In a community CCE, multiple tenant organizations with many common characteristics (e.g., mission goals, legal and regulatory security requirements, compliance considerations) share the cloud infrastructure, thus forming a “community” (see Exhibit 3). The cloud owner may be a member of the community or an independent service provider with experience in the community and knowledge of the specific user community’s characteristics. Two examples in the Federal Government are the Defense Information Systems Agency (DISA) Rapid Access Computing Environment (RACE) and the National Aeronautics and Space Administration’s (NASA) Nebula (both are still in the early stages of development). Community clouds represent a lower information security risk profile than a public cloud environment and fewer legal and regulatory compliance issues, but they carry certain risks associated with multi-tenancy.

Exhibit 3 | Community Cloud Illustration (diagram labels: Organization #1 Private Network; Organization #2 Private Network; Internet; Community Cloud). Source: Booz Allen Hamilton

Notes
¹ Please see http://csrc.nist.gov/groups/SNS/cloud-computing/index.html.
² Cloud Computing User Transition Framework (C3F), Booz Allen Hamilton, 2009.
³ This specific issue is addressed in depth by the Booz Allen Cloud Computing White Paper, June 2, 2008, and Booz Allen’s Cloud Computing Basics: Cloud Computing 101 (White Paper).
⁴ Cloud Computing Security Report, Security Considerations for Public Cloud Service Acquisition, Booz Allen Hamilton, August 2009.
Hybrid Clouds

Hybrid CCEs represent a combination of two or more cloud deployment models (e.g., two public clouds, one public and one community cloud) that remain unique entities but are bound together by standardized or proprietary technology that enables data and application portability throughout the hybrid environment (see Exhibit 4). As a result, hybrid clouds present a combination of the information security risks and governance challenges inherent in the deployment models they combine. A combination of private and community clouds represents the lowest risk; a combination of multiple public cloud environments presents the greatest information security risks and challenges to legal and regulatory compliance.

Exhibit 4 | Hybrid Cloud Illustration (diagram labels: Organization’s Private Network; Private Cloud; “Spill Over” Capacity as Needed; Internet; Core Network; Public or Community Cloud). Source: Booz Allen Hamilton

Each CCE presents a different profile of benefits and risks that organizations should carefully consider before cloud adoption. Organizations should use a suitable framework that helps them address risks and ensures their requirements are met. Although the information security management and governance model we describe in the next section can be adapted to any of the cloud computing deployment models, we focus our discussion primarily on information security governance within the community cloud environment because we believe the community CCE is the most likely near-term adoption and migration strategy for federal government agencies.

Information Security Management and Governance Framework

Booz Allen developed the information security management and governance framework and has customized and deployed it in a variety of client environments. This framework is a system of management and functional processes implemented in a standard quality management (or Plan, Do, Check, Act) cycle of continuous improvement. The framework is based on evolving international standards⁵ and planned evolution of the National Institute of Standards and Technology (NIST) Risk Management Framework.⁶ Seven management processes—strategy and planning, policy portfolio management, risk management, awareness and training, communication and outreach, compliance and performance management, and management oversight—comprise this framework and support the functional processes of the Do phase (see Exhibit 5).

Exhibit 5 | Information Security Governance Framework
Architect and Establish (Plan), management processes: Strategy and Planning; Policy Portfolio Management; Risk Management.
Implement and Operate (Do), functional processes: Asset Management; Human Resources Security; Physical and Environmental Security; Comms and Operations Management; Identity and Access Management; Information Systems Acquisition; Incident Management; Business Continuity Management.
Monitor and Review (Check, Act), management processes: Communications and Outreach; Compliance and Performance Management; Awareness and Training; Management Oversight.
Source: Booz Allen Hamilton

Although the purpose of each of the seven framework processes will not change when applied to a CCE, many of the process considerations and required actions will need to be modified to effectively plan, manage, and govern information security in a CCE. In all cases, it will be necessary to clarify specific roles, responsibilities, and accountability for each major process step. Some steps may be points for negotiation with prospective cloud service providers for inclusion in SLAs and contracts.

Our assumption in the following discussion is that management and governance processes are primarily the responsibility of a centralized information security function (such as the office of the Chief Information Security Officer [CISO]) for an agency or large government entity, with considerable participation by information technology management (such as the office of the Chief Information Officer [CIO]). This centralized security and technology group would perform the cloud provider acquisition function and manage the service provider relationship over the duration of the agreement. This group would also provide the information, policy, and guidelines necessary for users to follow when implementing cloud computing-based services.

Architecting and Establishing the Information Security Program (PLAN)

Designing and planning for an effective information security governance structure occurs through three major management processes: strategy and planning, policy portfolio management, and risk management. These processes comprise the Plan phase of the continual improvement process.

Strategy and Planning Process

Strategy and planning are essential to an effective information security management and governance program. The primary purposes of the strategy and planning process are to—
• Establish information security program direction and guide activities
• Ensure alignment of the information security program with mission goals and objectives
• Define the information security program vision, goals, requirements, and scope
• Ensure consistency with the enterprise information security architecture
• Proactively plan activities to achieve goals and meet requirements
• Determine the operating model to enable enterprise program efficiency.

The process is performed in collaboration with the risk management and policy portfolio management processes to ensure plans effectively communicate management intent, clearly define roles and responsibilities, sufficiently identify and address information security risks, and provide management clear choices for resource allocation and optimization.

The activities of the strategy and planning process will not change significantly to accommodate the use of cloud computing services, but additional knowledge and understanding of the information security risks and issues related to compliance and performance management in varying cloud computing deployment and service models will be required. The major impact of the CCE on the strategy and planning process will be the development of CCE-based cost/benefit analyses that include the cost of effective governance to manage risk and ensure legal, regulatory, and contractual compliance. In conjunction with the risk management process, the strategy and planning process will define information security implementations that are allowable for each cloud computing service model (refer to the Risk Management Process section) based on the relative risk rating of the information and systems migrating to the cloud (e.g., cloud services allowed by system categorization). In addition, the process will clarify roles, responsibilities, and accountability for baseline information security capabilities in each environment allowed. The planning process will also determine the cloud service provider contractual requirements and negotiations and will include the long-term management of the provider relationship.

Policy Portfolio Management Process

The major purposes of the security policy portfolio management process are to—
• Define and communicate management expectations of information security
• Translate goals and requirements into actionable mandates
• Establish clearly defined roles and responsibilities for information security
• Inform compliance measurement
• Facilitate efficient and consistent implementations with supporting standards, guidelines, and procedures.

These purposes will not materially change when applied to a CCE. However, the policy portfolio will require additional policies, guidelines, standards, and procedures to effectively communicate and govern information security in a CCE. An overall policy on rules governing agency acquisition and use of cloud computing services will be needed to communicate agency leadership intentions for the safe use of cloud computing, as well as the authorization process required to initiate such use. Agencies will also need to document guidelines for the appropriate evaluation and acquisition of cloud computing service providers, along with environments that meet information and system risk and compliance requirements. Also, the policy portfolio management process (in coordination with the strategy and planning and risk management processes [Plan phase] and with the approval and authority of the management oversight process [Act phase]) will need to provide guidance on the minimum information security and compliance management requirements to be included in SLAs and contracts with prospective cloud service providers.

A review of all agency security policies must occur to determine the changes required to ensure effective governance in a cloud environment. Each policy should be tailored to reflect the unique cloud deployment model and account for the information and information systems authorized for cloud migration. Additional policy and supporting guidance, standards, and procedures will be necessary to effectively manage the functional control processes when operating in a CCE (e.g., configuration and change management guidelines, incident management, chain of evidence and e-discovery, mission continuity of cloud services, the monitoring and reporting of cloud service compliance, system and data life-cycle assurance, and compliance testing and assurance of cloud-based services). Guidelines may also be developed to specify mandatory and recommended tools for use in the monitoring and evaluation of cloud service compliance and performance (e.g., certification and accreditation [C&A] tools, technical compliance tools such as Layer7). Policy decisions regarding each of the functional control processes must account for the level of control each organization is willing to transfer to the cloud provider while ensuring the goals and requirements of the information security program are met.

Risk Management Process

The risk management process will require modification and significant additional variable considerations to securely migrate agency services to a CCE. The primary purposes of the risk management process include—
• Enable information asset-based protection and mitigation planning
• Enhance the organization’s ability to select and apply protection based on the specific risks and threats affecting an asset
• Ensure consistent information security risk assessment methodologies are used throughout the organization
• Enable better optimization of security expenditures, resources, and activities
• Inform security priorities and planning
• Provide the basis for measuring information security program efficiency and effectiveness.

Risk management methodologies will require modification to effectively consider, treat, or accept the risks inherent in migrating agency information and systems to a CCE. For practical reasons, we limit our discussion to the use of private, community, or a hybrid of both CCEs as the most likely evolution of federal agency CCE transition. As noted earlier, until the providers of public cloud services make significant changes to their current offerings and SLAs, the use of those services by the Federal Government will need to be limited to public information and systems with minimal risk and no legal or regulatory security requirements.

Limiting our discussion to the use of private, community, or combined hybrid cloud services will still require the consideration and inclusion of additional risk factors related to the relative degrees of agency control over the service models adopted. The risk methodology will also need to determine risk mitigations and the residual risks of each service model for the hierarchy of risk profiles associated with agency information assets and systems. For example, agencies will need to modify their current risk calculations that focus on system categorization, privacy, and regulation to appropriately assess changes to the risks of these systems when migrating to a CCE utilizing one or more of the three cloud service models.

Notes
⁵ ISO/IEC 27001 Information Technology – Security Techniques – Information Security Management Systems – Requirements.
⁶ NIST SP 800-39 Managing Risk from Information Systems.
Exhibit 6 summarizes the models and their relative risk. These example risk ratings may be modified to fit with agency-specific risk assessment methodologies, but in general they are consistent with the degree of direct agency control represented by each service model. Each cloud service model can be assessed as an information service asset with unique risk ratings and resultant control selection for risk mitigation (e.g., contract terms, SLA content, compliance, monitoring tools).

The relative risk ratings increase as the cloud consumer moves from IaaS to PaaS and finally to SaaS. The service models build on one another, resulting in cumulative risk as the cloud provider assumes more direct control (i.e., PaaS builds on IaaS, and SaaS builds on both IaaS and PaaS, resulting in an increasing assumption of control by the cloud provider and therefore greater security risk to the cloud consumer).

New risk analysis methodologies should be closely monitored during the compliance and performance management process (Check phase) and modified as necessary to reduce overall information security risk over time. In all cases, the modified risk analysis methodologies and resulting risk rankings must be reviewed during the management oversight process (Act phase) to ensure management participation, risk awareness, review, and acceptance of both risk treatment options and resultant residual risks.

Exhibit 6 | Service Model Risk Characteristics

Infrastructure as a Service (IaaS)
Risk characteristics: The capability provided to the cloud consumer is to rent processing, storage, networks, and other fundamental computing resources and to deploy and run arbitrary software, which can include operating systems and applications. The consumer does not manage or control the underlying cloud infrastructure but has control over operating systems, storage, deployed applications, and possibly select networking components (e.g., firewalls, load balancers).
Relative additional risk: Medium

Platform as a Service (PaaS)
Risk characteristics: The capability provided to the consumer is to deploy consumer-created applications onto the cloud infrastructure using programming languages and tools supported by the provider (e.g., Java, Python, .Net). The consumer does not manage or control the underlying cloud infrastructure, network, servers, operating systems, or storage, but the consumer has control over the deployed applications and possibly application hosting environment configurations.
Relative additional risk: High

Software as a Service (SaaS)
Risk characteristics: The capability provided to the consumer is to use the provider’s applications running on a cloud infrastructure and accessible from various client devices through a thin client interface, such as a web browser (e.g., web-based e-mail). The consumer does not manage or control the underlying cloud infrastructure, network, servers, operating systems, storage, or individual application capabilities, with the possible exception of limited user-specific application configuration settings.
Relative additional risk: Very High

Source: Booz Allen Hamilton
Representative CCE-Related Artifacts of the Plan Phase

The three management processes of the information security governance framework's Plan phase will produce several documents to inform and guide users in the effective and appropriate use of cloud computing services. Some specific examples are included in each process description, but Exhibit 7 summarizes artifacts that are typical outputs of the governance model and that will likely have specific references to operating in a CCE. In some cases, the cloud provider may be partially or completely responsible for these artifacts, depending on the final agreements between the cloud consumer and the cloud provider.

[Figure: Information security management and governance framework. Architect and Establish (Plan), management processes: Strategy and Planning; Policy Portfolio Management; Risk Management. Implement and Operate (Do), functional processes: Asset Management; Human Resources Security; Physical and Environmental Security; Comms and Operations Management; Identity and Access Management; Systems Acquisition; Incident Management; Business Continuity Management. Monitor and Review (Check, Act), management processes: Communications and Outreach; Compliance and Performance Management; Awareness and Training; Management Oversight.]

Exhibit 7 | Plan Phase Artifacts
Management Process | Example Artifact | Contract/SLA Implications
Strategy & Planning | Security Strategic Plan | Goal Performance
Strategy & Planning | Consolidated Security Requirements | Requirements Compliance
Strategy & Planning | Organization Model Modifications | Relationship Management
Strategy & Planning | Roles & Responsibilities Charts | Consumer/Provider
Strategy & Planning | CCE Implementation Plans | None
Strategy & Planning | Budget & Resource Requirements | None
Strategy & Planning | CCE Contract & SLA | Terms & Conditions
Policy Portfolio Management | CCE Security Policy | Terms & Conditions
Policy Portfolio Management | CCE Acquisition Policy | Terms & Conditions
Policy Portfolio Management | CCE Authorization Procedure | None
Policy Portfolio Management | CCE Standards/Guidelines | None
Policy Portfolio Management | CCE Monitoring/Compliance Tools | Terms & Conditions
Policy Portfolio Management | CCE Configuration Guidelines | Technical Compliance
Policy Portfolio Management | CCE-Specific Processes | Terms & Conditions
Risk Management | Risk Management Procedure | None
Risk Management | Risk Methodology Modifications | None
Risk Management | Service Model Risks | None
Risk Management | Risk Assessment Reports | None
Risk Management | CCE Controls & Risk Treatments | Terms/Responsibilities
Risk Management | Systems/Assets Allowed in CCE | None
Source: Booz Allen Hamilton

Implementing and Operating the Information Security Program (DO)

Because this paper focuses on information security governance, we will not discuss in detail the functional processes that constitute the Do phase of the Plan, Do, Check, Act cycle. The implementation and operation of information security controls contained in each of the functional process areas will vary significantly depending on CCE deployment and the service models employed. However, other Booz Allen papers address the implementation and operation of information security functional processes and controls, and this topic is not essential to discussions related to the effective management and governance of information security in a cloud environment.

Monitoring and Measuring the Information Security Program (CHECK)

Three management processes are included in the Check phase of the information security management and governance framework: awareness and training, communication and outreach, and compliance and performance management. Of these three, the compliance and performance management process represents the area with the most significant issues for consideration when migrating services to a CCE.

Awareness and Training and Communication and Outreach Processes

The major purposes of these management processes are complementary and similar. The purposes include—
• Consistently communicate the importance of information security throughout the organization
• Educate staff on required actions related to changes in regulatory, legislative, and other mandates
• Broaden and deepen the security awareness of the organization
• Enhance compliance through better understanding and knowledge
• Clarify roles and responsibilities
• Drive the ongoing competency of information security staff.

Execution of these important management processes will not vary as a result of the introduction of a CCE. However, the processes will need to include formal awareness, training, communication, and outreach to inform all relevant agency users of the new policies, guidelines, standards, procedures, risks, and compliance issues related to the migration of information services to a CCE.

Compliance and Performance Management Process

Compliance and performance management is the key process in the Check phase of the framework. The primary purposes of the process include—
• Create regular measurement and reporting of progress and issues
• Inform and prioritize program improvements
• Record progress toward achieving strategic goals and compliance with requirements
• Drive continuous improvement of the information security program
• Minimize potential for recurrence of systemic issues
• Optimize consistency and efficiency of security implementations
• Inform modifications to risk analyses and risk mitigations
• Measure and report on compliance with legal, regulatory, and contractual requirements; internal policies; and technical guidelines and standards.

The purposes of the compliance and performance management process remain unchanged in a CCE, but the execution of the process will require significant modification to effectively monitor and measure compliance and performance in the cloud. Focusing again on agency use of private clouds, community clouds, or hybrid combinations will lead to enhanced information security compliance and performance compared with a public cloud environment.

Compliance includes legal, regulatory, and contractual security compliance; compliance with internal policies, guidelines, standards, and procedures; and technical compliance checking. All compliance and performance checking is dependent on a comprehensive measurement and management reporting system covering each area of compliance, as well as the information security program's effectiveness in meeting goals, objectives, and requirements. Compliance and performance measurement and reporting will require detailed specification in the SLAs and contracts with the cloud service provider covering each service model allowed in the agreements.

In the case of private or community cloud service providers, there will be a greater level of trust, understanding, and flexibility in the agreement negotiations because of the shared mission goals and common legal and regulatory compliance requirements between the cloud provider and the cloud consumer. Based on the cloud service risk profiles; strategic planning of the cloud service; and CCE-specific policies, guidelines, standards, and procedures defined in the Plan phase, federal agency cloud consumers can determine their minimum information security requirements and controls for each level of cloud service and drive the SLA and contract negotiations to a satisfactory agreement. SLAs and contracts must minimize security risks; enable effective monitoring and measuring of all legal, regulatory, and contractual security requirements (by either the service provider or the cloud consumer); and clearly define accountability for legal liability related to an information security breach in the cloud.

Measurement and monitoring reports should be presented in periodic management reviews of the overall information security program to the information security governance body, along with recommendations for corrective and preventive actions.

Managing and Improving the Information Security Program (ACT)

Participation by management representing all agency stakeholder organizations is essential to the effective management and oversight of any information security management system. The process and the governance bodies that execute it form the governance program and represent the Act phase of the continuous improvement model.

Management Oversight Process

An information security governance body conducts the functions of the management oversight process. This body consists of senior leadership and representatives from each functional area of the organization to—
• Ensure ongoing management involvement in program direction and priorities
• Establish enterprise information security governance
• Ensure the information security program supports mission goals and objectives
• Reinforce the importance of information security throughout the organization
• Oversee risk management to balance mission goals and information security costs
• Track and optimize information security resource allocation
• Authorize improvements to the information security program on a continuing basis.

These management oversight objectives are valid regardless of the information security operating environments deployed. However, the governance body will need to actively participate in the review, authorization, and communication of all information security plans, policies and supporting documentation, risks, and compliance issues related to the use of cloud-based services. Therefore, the governance body will need to include or consult with cloud computing information technology and information security subject matter experts. The group should also include or consult with agency counsel to ensure a complete understanding and inclusion of legal and liability issues specific to a CCE and to verify sufficient coverage of all issues in the negotiated SLAs and contracts for cloud-based services. It is imperative that management sponsors and monitors the effectiveness of cloud-specific awareness, training and communication, and outreach programs to ensure broad awareness of agency policy and guidelines by all responsible users. Finally, management must be vigilant in its review of compliance and monitoring of cloud services and must drive continuous improvement in the overall information security program, including all cloud-based services.

Representative CCE-Related Artifacts of the Check and Act Phases

The four management processes of the Check and Act phases of the information security management and governance framework will result in several documents and reports to inform and guide users in the effective and appropriate use of cloud computing services and to report on the compliance and performance of cloud-based systems. Some specific examples are included in each process description, but Exhibit 8 summarizes artifacts that are typical outputs of the governance model and that are likely to have specific references to operating in a CCE. In some cases, the cloud provider may be partially or completely responsible for these artifacts, depending on the final agreements between the cloud consumer and the cloud provider.

Exhibit 8 | Act Phase Artifacts
Management Process | Example Artifact | Contract/SLA Implications
Awareness & Training; Communication & Outreach | User Security Awareness | Provider Participation?
Awareness & Training; Communication & Outreach | – CCE Policy | Yes
Awareness & Training; Communication & Outreach | – CCE Authorization | No
Awareness & Training; Communication & Outreach | – CCE Guidelines/Standards | Sometimes
Awareness & Training; Communication & Outreach | – CCE Procedures | Sometimes
Awareness & Training; Communication & Outreach | CCE Security Technical Training | No
Awareness & Training; Communication & Outreach | Awareness Tests & Records | No
Compliance & Performance Management | Compliance/Performance Measures | Terms & Conditions
Compliance & Performance Management | Legal, Regulatory Compliance | Roles, Responsibilities
Compliance & Performance Management | Policy Portfolio Compliance | Roles, Responsibilities
Compliance & Performance Management | Privacy Compliance | Roles, Responsibilities
Compliance & Performance Management | Technical Compliance | Roles, Responsibilities
Compliance & Performance Management | Log Monitoring Reports | Roles, Responsibilities
Compliance & Performance Management | Incident Management Reporting | Roles, Responsibilities
Compliance & Performance Management | Internal Compliance Audits | Terms, Responsibilities
Compliance & Performance Management | Performance Measurement Reports | Terms, Responsibilities
Compliance & Performance Management | Technical Controls Testing | Terms, Responsibilities
Compliance & Performance Management | SLA Reporting | Terms & Conditions
Compliance & Performance Management | Recommended Improvement Plans | Negotiation
Risk Management | CCE Management Review Reports | None
Risk Management | Authorized Improvement Plans | Negotiation
Source: Booz Allen Hamilton

Summary and Conclusions

Cloud computing takes advantage of economies of scale to offer compelling cost benefits to federal agencies for information services performed in support of their mission. Migration of agency information assets and systems to a CCE can also provide impressive benefits related to deployment flexibility and service on demand and can enable capabilities not feasible in many enterprise computing environments, such as massive data analysis and intelligence analysis.7 However, the nature of cloud deployment and service models presents new information security risks and introduces complications to compliance with legal, regulatory, and contractual security requirements for cloud consumers. Some complications have serious legal liability implications.

Key to the successful adoption and transition of information systems to a CCE is the implementation or modification of a strategic, proactive information security management and governance framework. At Booz Allen, we have developed a framework that we have successfully implemented in several commercial and federal government client environments. Our model consists of a set of management processes that interact in a Plan, Do, Check, Act cycle of continuous improvement to effectively manage and govern enterprise information security. The management processes of the governance model require some modifications to the major steps in their execution to effectively manage the risk and compliance issues inherent in a CCE.

Information security governance is a critical component of a successful transition to the cloud. An organization's mission and risk profile must drive the implementation of the management processes described in this paper, as well as the artifacts they produce. It is also vital to treat the management processes as integrated components of a larger information security governance framework rather than as individual silos. Using this framework to guide the transition to and ongoing operations in the CCE will ultimately enable an organization to maximize its benefits in the cloud while sensibly and cost-effectively addressing the cloud's inherent risks.

Glossary of Acronyms

C&A: Certification and Accreditation
C3F: Booz Allen's Cloud Computing User Transition Framework
CCE: Cloud Computing Environment
CIO: Chief Information Officer
CISO: Chief Information Security Officer
DISA: Defense Information Systems Agency, part of the Department of Defense
IaaS: Infrastructure as a Service
NIST: National Institute of Standards and Technology. NIST guidelines on information security are officially standard practice for federal information technology and are codified in information security regulations
PaaS: Platform as a Service
RACE: Rapid Access Computing Environment. This refers to a working prototype cloud developed by DISA. As of this writing, it is being used for open-source software development, and many additional functions are in the works
SaaS: Software as a Service
SLA: Service-Level Agreement. In this case, this refers to a contract between the cloud computing provider and client(s)
SP: Special Publication

7 Massive Data Analytics and the Cloud—A Revolution in Intelligence Analysis, Drew Cohen and Joshua D. Sullivan, 2009.
Glossary of Terms

Cloud: The "cloud" consists of computing resources (software, operating platform, memory, and processors) that are abstracted from the user by some form of virtualization and (often) physical separation between the user and the infrastructure on which the services are supported. "Cloud computing" means the use of a cloud for IT functions.

Cloud Infrastructure as a Service (IaaS): The capability provided to the consumer is to provision processing, storage, networks, and other fundamental computing resources where the consumer is able to deploy and run arbitrary software, which can include operating systems and applications. The consumer does not manage or control the underlying cloud infrastructure but has control over operating systems, storage, deployed applications, and possibly limited control of select networking components (e.g., host firewalls).

Cloud Platform as a Service (PaaS): The capability provided to the consumer is to deploy onto the cloud infrastructure consumer-created or acquired applications created using programming languages and tools supported by the provider. The consumer does not manage or control the underlying cloud infrastructure, including network, servers, operating systems, or storage, but has control over the deployed applications and possibly application hosting environment configurations.

Cloud Software as a Service (SaaS): The capability provided to the consumer is to use the provider's applications running on a cloud infrastructure. The applications are accessible from various client devices through a thin client interface such as a web browser (e.g., web-based email). The consumer does not manage or control the underlying cloud infrastructure, including network, servers, operating systems, storage, or even individual application capabilities, with the possible exception of limited user-specific application configuration settings.

Community Cloud: The cloud infrastructure is shared by several organizations and supports a specific community that has shared concerns (e.g., mission, security requirements, policy, and compliance considerations). It may be managed by the organizations or a third party and may exist on premise or off premise.

Hybrid Cloud: The cloud infrastructure is a composition of two or more clouds (private, community, or public) that remain unique entities but are bound together by standardized or proprietary technology that enables data and application portability (e.g., cloud bursting for load-balancing between clouds).

Multi-tenancy: Property of a cloud environment used by multiple customers ("tenants"). Contrast with the "single-tenancy" private cloud, which is used by only one customer.

Private Cloud: The cloud infrastructure is operated solely for an organization. It may be managed by the organization or a third party and may exist on premise or off premise.

Public Cloud: The cloud infrastructure is made available to the general public or a large industry group and is owned by an organization selling cloud services.

Service Model: Refers to the ownership of the cloud infrastructure. See the Introduction for descriptions of different service models.
About Booz Allen

Booz Allen Hamilton has been at the forefront of strategy and technology consulting for 95 years. Every day, government agencies, institutions, corporations, and not-for-profit organizations rely on the firm's expertise and objectivity, and on the combined capabilities and dedication of our exceptional people to find solutions and seize opportunities. We combine a consultant's unique problem-solving orientation with deep technical knowledge and strong execution to help clients achieve success in their most critical missions. Providing a broad range of services in strategy, operations, organization and change, information technology, systems engineering, and program management, Booz Allen is committed to delivering results that endure.

With more than 22,000 people and $4.5 billion in annual revenue, Booz Allen is continually recognized for its quality work and corporate culture. In 2009, for the fifth consecutive year, Fortune magazine named Booz Allen one of "The 100 Best Companies to Work For," and Working Mother magazine has ranked the firm among its "100 Best Companies for Working Mothers" annually since 1999.

Contact Information:
Jamie Miller, Associate, miller_jamie@bah.com, 703/377-1274
Larry Candler, Associate, candler_larry@bah.com, 703/377-4534
Hannah Wald, Consultant, wald_hannah@bah.com, 703/377-6646

To learn more about the firm and to download digital versions of this article and other Booz Allen Hamilton publications, visit www.boozallen.com.
Principal Offices

ALABAMA: Huntsville
CALIFORNIA: Los Angeles, San Diego, San Francisco
COLORADO: Colorado Springs, Denver
FLORIDA: Pensacola, Sarasota, Tampa
GEORGIA: Atlanta
HAWAII: Honolulu
ILLINOIS: O'Fallon
KANSAS: Leavenworth
MARYLAND: Aberdeen, Annapolis Junction, Lexington Park, Linthicum, Rockville
MICHIGAN: Troy
NEBRASKA: Omaha
NEW JERSEY: Eatontown
NEW YORK: Rome
OHIO: Dayton
PENNSYLVANIA: Philadelphia
SOUTH CAROLINA: Charleston
TEXAS: Houston, San Antonio
VIRGINIA: Arlington, Chantilly, Falls Church, Herndon, McLean, Norfolk, Stafford
WASHINGTON, DC

The most complete, recent list of offices and their addresses and telephone numbers can be found on www.boozallen.com by clicking the "Offices" link under "About Booz Allen."

www.boozallen.com
©2009 Booz Allen Hamilton Inc. 09.205.09