SlideShare a Scribd company logo

NIST-Cloud-Presentation-Industry-Day-Release.pptx

Download as PPTX, PDF
K
KellyMcBrair

Cloud Assessments Industry Day slides

Technology
1 of 17
SaaS Email Working Group Meeting Cloud Assessments Industry Day February, 2016 John Connor, IT Security Specialist, OISM, NIST Background Photo - JILA strontium atomic clock (a joint institute of NIST and the University of Colorado Boulder)
“Certain commercial vendors are identified in this presentation for example purposes. Such identification is not intended to imply recommendation or endorsement by the National Institute of Standards and Technology, nor is it intended to imply that the vendors identified are necessarily the best available for any given purpose.” This presentation was created by NIST’s Office of the Chief Information Officer for informational purposes only and is not an official NIST publication. Industry Day OISM
Industry Day OISM IN THE NEWS - 2015 1 to look at in more detail…
Industry Day OISM Hacking Team (July 2015) Hacking Team, an Italian company that makes surveillance software used by governments to police the Internet was hacked. All company information exposed. Christian Pozzi, senior system and security engineer for the company: The leaked security engineer's list of passwords: UserName : Neo Password : Passw0rd UserName : c.pozzi Password : P4ssword Information from various public news reports.
5 Industry Day OISM Requirements: ‘‘The head of each agency shall be responsible for providing information security protections commensurate with the risk and magnitude of the harm resulting from unauthorized access, use, disclosure, disruption, modification, or destruction of ‘‘(i) information collected or maintained by or on behalf of the agency; and ‘‘(ii) information systems used or operated by an agency or by a contractor of an agency or other organization on behalf of an agency Federal Information Security Management Act of 2002 (FISMA) section 3544. Federal agency responsibilities See OMB Memo M-14-04 November 18, 2013 - Excellent FAQ on all aspects of FISMA, including cloud
6 Industry Day OISM What does this have to do with “The Cloud” ? Any vendor who stores, accesses, CAN access, touches, manipulates etc… Government data MUST be fully assessed against all applicable controls. (ii) information systems used or operated by an agency or by a contractor of an agency or other organization on behalf of an agency OMB Memo M-14-04 November 18, 2013 #25, 26, 27 & 48 specifically on 3rd part and cloud vendors See NIST SP-135 for definition of “cloud”
7 Industry Day OISM Risk Based Decisions: Security plans, security assessment reports, and plans of action and milestones for common controls are used by authorizing officials within the organization to make risk-based decisions in the security authorization process for their information systems. When security controls are provided to an organization by an external provider (e.g., through contracts, interagency agreements, lines of business arrangements, licensing agreements, and/or supply chain arrangements), the organization ensures that the information needed for authorizing officials to make risk-based decisions, is made available by the provider. NIST Special Publication 800-37 FISMA is Risk Based – Authorizing Officials weigh residual risks vs the risk to the Agency of exposure. Not pass/fail
8 Industry Day OISM Involves 2 parts: 1. Assessment of the CSP • Could involve multiple assessments CSP will often use subcontractors For example a SaaS CSP may use Amazon Web Services to host the data or May use Iron Mountain to store backups. Those providers must be assessed. • Could leverage other assessments Assessment could be conducted by the agency, leverage another agencies assessment, partially leverage non-FISMA assessments, leverage FedRAMP assessment. 2. Assessment of agency specific controls There will ALWAYS be an agency specific implementation part How NIST assesses a “Cloud” Service Provider (CSP) (applies to any 3rd party vendor)
Federal Computer Security Managers’ Forum OISM Vendor Backups Log Files Code Scanning Password Safe Hosting Physical Backups File Shares A cloud vendor may be using other vendors… Who may be using other vendors… Who may be using…
10 Industry Day OISM Different types of cloud assessments (example use cases) Social Media • Publically available, low criticality levels • Confidentially not an issue, availability not a direct issue, integrity a concern Unauthorized modification of system information could be expected to have an adverse effect… • Scope out of testing CSP, test agency specific implementation, document mitigations • Still requires an assessment! Enterprise Level (SaaS, PaaS, IaaS) • Enterprise level, often moderate* criticality levels • Full testing of CSP required • Full testing of agency specific implementation • Leverage FedRAMP, PCI, SAS 70/SSAE 16, HIPPA Everything in between… • Could have low impact levels, but not public and require login • Could be a CSP that leveraged another PaaS and has limited access • Must follow FISMA process to determine impact • Finding balance of testing – ‘Commensurate with the risk’
11 Industry Day OISM Software as a Service (SaaS) Government User Accesses SaaS Hosted In Data Center SaaS Vendor Corporate HQ accesses servers for administration or SaaS for help desk SaaS Vendor telecommuters may access through HQ or directly. Things to realize: • Even if data center is secure the vendor is responsible for configuring the servers. • If the vendor can access Gov’t data from HQ or admin telecommuters, all controls are in play for them. Typical Small Business Cloud Vendor layout
12 Industry Day OISM Leveraging other assessments SSAE 16 (formerly SAS-70) (Statement on Standards for Attestation Engagements) PCI (Payment Card Industry) HIPPA (Health Insurance Portability and Accountability Act) Sarbanes–Oxley others… (will get into FedRAMP shortly) • Do not encompass all FISMA (800-53)/FedRAMP controls • Will not meet all requirements • Some are pass/fail – no explanation of mitigating controls For instance PCI only requires a 7 character password 8.2.3 Passwords/phrases must meet the following: Require a minimum length of at least seven characters. Contain both numeric and alphabetic characters. Payment Card Industry (PCI) Data Security Standard Requirements and Security Assessment Procedures Version 3.0 November 2013 Risk Based Decision
13 Industry Day OISM Cloud Service Providers (CSP) Chicken and the egg problem for the vendors Resources necessary for compliance Fairness to small businesses Need to protect taxpayer data
14 Industry Day OISM Incident response How will the vendor notify if a possible breach or incident has occurred? How with they interface with an agencies incident response team? Will they share logs (could be difficult if a shred tenant)? Some other Challenges Background Investigations All personnel who have access to Government data are required to have background investigations conducted by a Federal Government entity. OPM requirements (IPv6, PIV, TIC, 508) OPM Cloud First mandate vs. other OPM mandates. Many cloud vendors may not be able to currently meet all Federal Government technical requirements. Continuous Monitoring Most likely do not have ‘feeds’ from vendor. What continuous monitoring is in place?
Industry Day OISM http://www.fedramp.gov OMB Authorizing Memo December 8, 2011: https://cio.gov/wp-content/uploads/2012/09/fedrampmemo.pdf Contact: info@fedramp.gov FedRAMP does not issue ATO ONLY an agency can issue an ATO JAB board provides ‘provisional’ authorization only All cloud projects must meet FedRAMP (not just FISMA) requirements (as of June 6, 2014, which has passed) One assessment Leveraged by multiple agencies
16 Industry Day OISM FedRAMP is an extension of FISMA. • Additional SP 800-53 controls • 1 additional low control (independence) • 46 additional moderate controls • High baseline available • Specific FedRAMP templates Challenge with FedRAMP will be Continuous Monitoring Ultimately up to the authorizing agency to ensure proper continuous monitoring Uses validated Third Party Assessor (3PAO) for assessment.
17 Industry Day OISM Background Image: Deer at the NIST campus in Gaithersburg, MD Thank You For further information: NIST CSC Publications (FIPS and SP’s: http://csrc.nist.gov/publications/ Specifically: 800-37: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-37r1.pdf 800-53: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf FedRAMP: https://www.fedramp.gov/

Recommended

An Introduction to zOS Real-time Infrastructure and Security Practices
An Introduction to zOS Real-time Infrastructure and Security PracticesAn Introduction to zOS Real-time Infrastructure and Security Practices
An Introduction to zOS Real-time Infrastructure and Security PracticesJerry Harding
 
Big Iron to Big Data Analytics for Security, Compliance, and the Mainframe
Big Iron to Big Data Analytics for Security, Compliance, and the MainframeBig Iron to Big Data Analytics for Security, Compliance, and the Mainframe
Big Iron to Big Data Analytics for Security, Compliance, and the MainframePrecisely
 
Rothke rsa 2012 building a security operations center (soc)
Rothke rsa 2012 building a security operations center (soc)Rothke rsa 2012 building a security operations center (soc)
Rothke rsa 2012 building a security operations center (soc)Ben Rothke
 
f6_cyber_security_and_your_agency.pdf
f6_cyber_security_and_your_agency.pdff6_cyber_security_and_your_agency.pdf
f6_cyber_security_and_your_agency.pdfSurendhar57
 
Cybersecurity Compliance in Government Contracts
Cybersecurity Compliance in Government ContractsCybersecurity Compliance in Government Contracts
Cybersecurity Compliance in Government ContractsRobert E Jones
 
How can i find my security blind spots ulf mattsson - aug 2016
How can i find my security blind spots ulf mattsson - aug 2016How can i find my security blind spots ulf mattsson - aug 2016
How can i find my security blind spots ulf mattsson - aug 2016Ulf Mattsson
 
Hacking appliances
Hacking appliancesHacking appliances
Hacking appliancesJonathan Suldo
 
PSIM: Why Should I Be Interested?
PSIM: Why Should I Be Interested?PSIM: Why Should I Be Interested?
PSIM: Why Should I Be Interested?Adlan Hussain
 

Recommended

An Introduction to zOS Real-time Infrastructure and Security Practices
An Introduction to zOS Real-time Infrastructure and Security PracticesAn Introduction to zOS Real-time Infrastructure and Security Practices
An Introduction to zOS Real-time Infrastructure and Security PracticesJerry Harding
 
Big Iron to Big Data Analytics for Security, Compliance, and the Mainframe
Big Iron to Big Data Analytics for Security, Compliance, and the MainframeBig Iron to Big Data Analytics for Security, Compliance, and the Mainframe
Big Iron to Big Data Analytics for Security, Compliance, and the MainframePrecisely
 
Rothke rsa 2012 building a security operations center (soc)
Rothke rsa 2012 building a security operations center (soc)Rothke rsa 2012 building a security operations center (soc)
Rothke rsa 2012 building a security operations center (soc)Ben Rothke
 
f6_cyber_security_and_your_agency.pdf
f6_cyber_security_and_your_agency.pdff6_cyber_security_and_your_agency.pdf
f6_cyber_security_and_your_agency.pdfSurendhar57
 
Cybersecurity Compliance in Government Contracts
Cybersecurity Compliance in Government ContractsCybersecurity Compliance in Government Contracts
Cybersecurity Compliance in Government ContractsRobert E Jones
 
How can i find my security blind spots ulf mattsson - aug 2016
How can i find my security blind spots ulf mattsson - aug 2016How can i find my security blind spots ulf mattsson - aug 2016
How can i find my security blind spots ulf mattsson - aug 2016Ulf Mattsson
 
Hacking appliances
Hacking appliancesHacking appliances
Hacking appliancesJonathan Suldo
 
PSIM: Why Should I Be Interested?
PSIM: Why Should I Be Interested?PSIM: Why Should I Be Interested?
PSIM: Why Should I Be Interested?Adlan Hussain
 
Analyzing Your GovCon Cybersecurity Compliance
Analyzing Your GovCon Cybersecurity ComplianceAnalyzing Your GovCon Cybersecurity Compliance
Analyzing Your GovCon Cybersecurity ComplianceRobert E Jones
 
Analyzing Your Government Contract Cybersecurity Compliance
Analyzing Your Government Contract Cybersecurity ComplianceAnalyzing Your Government Contract Cybersecurity Compliance
Analyzing Your Government Contract Cybersecurity ComplianceRobert E Jones
 
ZSAH Security - Web
ZSAH Security - WebZSAH Security - Web
ZSAH Security - WebFahd Khan
 
Segurança da Informação e Estrutura de Redes - Café Empresarial 15/05
Segurança da Informação e Estrutura de Redes - Café Empresarial 15/05 Segurança da Informação e Estrutura de Redes - Café Empresarial 15/05
Segurança da Informação e Estrutura de Redes - Café Empresarial 15/05 sucesuminas
 
ISACA 2016 Application Security RGJ
ISACA 2016 Application Security RGJISACA 2016 Application Security RGJ
ISACA 2016 Application Security RGJRene Jaspe, CISSP®, CSSLP®
 
9-Steps-Info-Sec-Whitepaper-final.pdf
9-Steps-Info-Sec-Whitepaper-final.pdf9-Steps-Info-Sec-Whitepaper-final.pdf
9-Steps-Info-Sec-Whitepaper-final.pdfSoniaCristina49
 
Data Security For Compliance 2
Data Security For Compliance 2Data Security For Compliance 2
Data Security For Compliance 2Flaskdata.io
 
Bridging the Gap Between Your Security Defenses and Critical Data
Bridging the Gap Between Your Security Defenses and Critical DataBridging the Gap Between Your Security Defenses and Critical Data
Bridging the Gap Between Your Security Defenses and Critical DataIBM Security
 
David valovcin big data - big risk
David valovcin big data - big riskDavid valovcin big data - big risk
David valovcin big data - big riskIBM Sverige
 
Splunk for Security Breakout Session
Splunk for Security Breakout SessionSplunk for Security Breakout Session
Splunk for Security Breakout SessionSplunk
 
CISSPCertified Information SystemsSecurity ProfessionalCop.docx
CISSPCertified Information SystemsSecurity ProfessionalCop.docxCISSPCertified Information SystemsSecurity ProfessionalCop.docx
CISSPCertified Information SystemsSecurity ProfessionalCop.docxmccormicknadine86
 
CISSPCertified Information SystemsSecurity ProfessionalCop.docx
CISSPCertified Information SystemsSecurity ProfessionalCop.docxCISSPCertified Information SystemsSecurity ProfessionalCop.docx
CISSPCertified Information SystemsSecurity ProfessionalCop.docxsleeperharwell
 
Rothke secure360 building a security operations center (soc)
Rothke secure360 building a security operations center (soc)Rothke secure360 building a security operations center (soc)
Rothke secure360 building a security operations center (soc)Ben Rothke
 
Automatski - The Internet of Things - Security Standards
Automatski - The Internet of Things - Security StandardsAutomatski - The Internet of Things - Security Standards
Automatski - The Internet of Things - Security Standardsautomatskicorporation
 
The Security Challenge: What's Next?
The Security Challenge: What's Next?The Security Challenge: What's Next?
The Security Challenge: What's Next?Cognizant
 
Rapid7 FISMA Compliance Guide
Rapid7 FISMA Compliance GuideRapid7 FISMA Compliance Guide
Rapid7 FISMA Compliance GuideRapid7
 
Penetration testing 5 reasons Why Organizations Should Adopt it
Penetration testing 5 reasons Why Organizations Should Adopt itPenetration testing 5 reasons Why Organizations Should Adopt it
Penetration testing 5 reasons Why Organizations Should Adopt itTestingXperts
 
Maceo Wattley Contributor Infosec
Maceo Wattley Contributor InfosecMaceo Wattley Contributor Infosec
Maceo Wattley Contributor InfosecDr. Maceo D. Wattley
 
SIEM evaluator guide for soc analyst
SIEM evaluator guide for soc analystSIEM evaluator guide for soc analyst
SIEM evaluator guide for soc analystInfosecTrain
 
Aujas incident management webinar deck 08162016
Aujas incident management webinar deck 08162016Aujas incident management webinar deck 08162016
Aujas incident management webinar deck 08162016Karl Kispert
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUK Journal
 

More Related Content

Similar to NIST-Cloud-Presentation-Industry-Day-Release.pptx

Analyzing Your GovCon Cybersecurity Compliance
Analyzing Your GovCon Cybersecurity ComplianceAnalyzing Your GovCon Cybersecurity Compliance
Analyzing Your GovCon Cybersecurity ComplianceRobert E Jones
 
Analyzing Your Government Contract Cybersecurity Compliance
Analyzing Your Government Contract Cybersecurity ComplianceAnalyzing Your Government Contract Cybersecurity Compliance
Analyzing Your Government Contract Cybersecurity ComplianceRobert E Jones
 
ZSAH Security - Web
ZSAH Security - WebZSAH Security - Web
ZSAH Security - WebFahd Khan
 
Segurança da Informação e Estrutura de Redes - Café Empresarial 15/05
Segurança da Informação e Estrutura de Redes - Café Empresarial 15/05 Segurança da Informação e Estrutura de Redes - Café Empresarial 15/05
Segurança da Informação e Estrutura de Redes - Café Empresarial 15/05 sucesuminas
 
9-Steps-Info-Sec-Whitepaper-final.pdf
9-Steps-Info-Sec-Whitepaper-final.pdf9-Steps-Info-Sec-Whitepaper-final.pdf
9-Steps-Info-Sec-Whitepaper-final.pdfSoniaCristina49
 
Data Security For Compliance 2
Data Security For Compliance 2Data Security For Compliance 2
Data Security For Compliance 2Flaskdata.io
 
Bridging the Gap Between Your Security Defenses and Critical Data
Bridging the Gap Between Your Security Defenses and Critical DataBridging the Gap Between Your Security Defenses and Critical Data
Bridging the Gap Between Your Security Defenses and Critical DataIBM Security
 
David valovcin big data - big risk
David valovcin big data - big riskDavid valovcin big data - big risk
David valovcin big data - big riskIBM Sverige
 
Splunk for Security Breakout Session
Splunk for Security Breakout SessionSplunk for Security Breakout Session
Splunk for Security Breakout SessionSplunk
 
CISSPCertified Information SystemsSecurity ProfessionalCop.docx
CISSPCertified Information SystemsSecurity ProfessionalCop.docxCISSPCertified Information SystemsSecurity ProfessionalCop.docx
CISSPCertified Information SystemsSecurity ProfessionalCop.docxmccormicknadine86
 
CISSPCertified Information SystemsSecurity ProfessionalCop.docx
CISSPCertified Information SystemsSecurity ProfessionalCop.docxCISSPCertified Information SystemsSecurity ProfessionalCop.docx
CISSPCertified Information SystemsSecurity ProfessionalCop.docxsleeperharwell
 
Rothke secure360 building a security operations center (soc)
Rothke secure360 building a security operations center (soc)Rothke secure360 building a security operations center (soc)
Rothke secure360 building a security operations center (soc)Ben Rothke
 
Automatski - The Internet of Things - Security Standards
Automatski - The Internet of Things - Security StandardsAutomatski - The Internet of Things - Security Standards
Automatski - The Internet of Things - Security Standardsautomatskicorporation
 
The Security Challenge: What's Next?
The Security Challenge: What's Next?The Security Challenge: What's Next?
The Security Challenge: What's Next?Cognizant
 
Rapid7 FISMA Compliance Guide
Rapid7 FISMA Compliance GuideRapid7 FISMA Compliance Guide
Rapid7 FISMA Compliance GuideRapid7
 
Penetration testing 5 reasons Why Organizations Should Adopt it
Penetration testing 5 reasons Why Organizations Should Adopt itPenetration testing 5 reasons Why Organizations Should Adopt it
Penetration testing 5 reasons Why Organizations Should Adopt itTestingXperts
 
SIEM evaluator guide for soc analyst
SIEM evaluator guide for soc analystSIEM evaluator guide for soc analyst
SIEM evaluator guide for soc analystInfosecTrain
 
Aujas incident management webinar deck 08162016
Aujas incident management webinar deck 08162016Aujas incident management webinar deck 08162016
Aujas incident management webinar deck 08162016Karl Kispert
 

Similar to NIST-Cloud-Presentation-Industry-Day-Release.pptx (20)

Analyzing Your GovCon Cybersecurity Compliance
Analyzing Your GovCon Cybersecurity ComplianceAnalyzing Your GovCon Cybersecurity Compliance
Analyzing Your GovCon Cybersecurity Compliance
 
Analyzing Your Government Contract Cybersecurity Compliance
Analyzing Your Government Contract Cybersecurity ComplianceAnalyzing Your Government Contract Cybersecurity Compliance
Analyzing Your Government Contract Cybersecurity Compliance
 
ZSAH Security - Web
ZSAH Security - WebZSAH Security - Web
ZSAH Security - Web
 
Segurança da Informação e Estrutura de Redes - Café Empresarial 15/05
Segurança da Informação e Estrutura de Redes - Café Empresarial 15/05 Segurança da Informação e Estrutura de Redes - Café Empresarial 15/05
Segurança da Informação e Estrutura de Redes - Café Empresarial 15/05
 
ISACA 2016 Application Security RGJ
ISACA 2016 Application Security RGJISACA 2016 Application Security RGJ
ISACA 2016 Application Security RGJ
 
9-Steps-Info-Sec-Whitepaper-final.pdf
9-Steps-Info-Sec-Whitepaper-final.pdf9-Steps-Info-Sec-Whitepaper-final.pdf
9-Steps-Info-Sec-Whitepaper-final.pdf
 
Data Security For Compliance 2
Data Security For Compliance 2Data Security For Compliance 2
Data Security For Compliance 2
 
Bridging the Gap Between Your Security Defenses and Critical Data
Bridging the Gap Between Your Security Defenses and Critical DataBridging the Gap Between Your Security Defenses and Critical Data
Bridging the Gap Between Your Security Defenses and Critical Data
 
David valovcin big data - big risk
David valovcin big data - big riskDavid valovcin big data - big risk
David valovcin big data - big risk
 
Splunk for Security Breakout Session
Splunk for Security Breakout SessionSplunk for Security Breakout Session
Splunk for Security Breakout Session
 
CISSPCertified Information SystemsSecurity ProfessionalCop.docx
CISSPCertified Information SystemsSecurity ProfessionalCop.docxCISSPCertified Information SystemsSecurity ProfessionalCop.docx
CISSPCertified Information SystemsSecurity ProfessionalCop.docx
 
CISSPCertified Information SystemsSecurity ProfessionalCop.docx
CISSPCertified Information SystemsSecurity ProfessionalCop.docxCISSPCertified Information SystemsSecurity ProfessionalCop.docx
CISSPCertified Information SystemsSecurity ProfessionalCop.docx
 
Rothke secure360 building a security operations center (soc)
Rothke secure360 building a security operations center (soc)Rothke secure360 building a security operations center (soc)
Rothke secure360 building a security operations center (soc)
 
Automatski - The Internet of Things - Security Standards
Automatski - The Internet of Things - Security StandardsAutomatski - The Internet of Things - Security Standards
Automatski - The Internet of Things - Security Standards
 
The Security Challenge: What's Next?
The Security Challenge: What's Next?The Security Challenge: What's Next?
The Security Challenge: What's Next?
 
Rapid7 FISMA Compliance Guide
Rapid7 FISMA Compliance GuideRapid7 FISMA Compliance Guide
Rapid7 FISMA Compliance Guide
 
Penetration testing 5 reasons Why Organizations Should Adopt it
Penetration testing 5 reasons Why Organizations Should Adopt itPenetration testing 5 reasons Why Organizations Should Adopt it
Penetration testing 5 reasons Why Organizations Should Adopt it
 
Maceo Wattley Contributor Infosec
Maceo Wattley Contributor InfosecMaceo Wattley Contributor Infosec
Maceo Wattley Contributor Infosec
 
SIEM evaluator guide for soc analyst
SIEM evaluator guide for soc analystSIEM evaluator guide for soc analyst
SIEM evaluator guide for soc analyst
 
Aujas incident management webinar deck 08162016
Aujas incident management webinar deck 08162016Aujas incident management webinar deck 08162016
Aujas incident management webinar deck 08162016
 

Recently uploaded

IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUK Journal
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?Igalia
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Neo4j
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Servicegiselly40
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Igalia
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityPrincipled Technologies
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEarley Information Science
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsMaria Levchenko
 
Advantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessAdvantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessPixlogix Infotech
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CVKhem
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘RTylerCroy
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024The Digital Insurer
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 

Recently uploaded (20)

IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
Advantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessAdvantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your Business
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 

NIST-Cloud-Presentation-Industry-Day-Release.pptx

  • 1. SaaS Email Working Group Meeting Cloud Assessments Industry Day February, 2016 John Connor, IT Security Specialist, OISM, NIST Background Photo - JILA strontium atomic clock (a joint institute of NIST and the University of Colorado Boulder)
  • 2. “Certain commercial vendors are identified in this presentation for example purposes. Such identification is not intended to imply recommendation or endorsement by the National Institute of Standards and Technology, nor is it intended to imply that the vendors identified are necessarily the best available for any given purpose.” This presentation was created by NIST’s Office of the Chief Information Officer for informational purposes only and is not an official NIST publication. Industry Day OISM
  • 3. Industry Day OISM IN THE NEWS - 2015 1 to look at in more detail…
  • 4. Industry Day OISM Hacking Team (July 2015) Hacking Team, an Italian company that makes surveillance software used by governments to police the Internet was hacked. All company information exposed. Christian Pozzi, senior system and security engineer for the company: The leaked security engineer's list of passwords: UserName : Neo Password : Passw0rd UserName : c.pozzi Password : P4ssword Information from various public news reports.
  • 5. 5 Industry Day OISM Requirements: ‘‘The head of each agency shall be responsible for providing information security protections commensurate with the risk and magnitude of the harm resulting from unauthorized access, use, disclosure, disruption, modification, or destruction of ‘‘(i) information collected or maintained by or on behalf of the agency; and ‘‘(ii) information systems used or operated by an agency or by a contractor of an agency or other organization on behalf of an agency Federal Information Security Management Act of 2002 (FISMA) section 3544. Federal agency responsibilities See OMB Memo M-14-04 November 18, 2013 - Excellent FAQ on all aspects of FISMA, including cloud
  • 6. 6 Industry Day OISM What does this have to do with “The Cloud” ? Any vendor who stores, accesses, CAN access, touches, manipulates etc… Government data MUST be fully assessed against all applicable controls. (ii) information systems used or operated by an agency or by a contractor of an agency or other organization on behalf of an agency OMB Memo M-14-04 November 18, 2013 #25, 26, 27 & 48 specifically on 3rd part and cloud vendors See NIST SP-135 for definition of “cloud”
  • 7. 7 Industry Day OISM Risk Based Decisions: Security plans, security assessment reports, and plans of action and milestones for common controls are used by authorizing officials within the organization to make risk-based decisions in the security authorization process for their information systems. When security controls are provided to an organization by an external provider (e.g., through contracts, interagency agreements, lines of business arrangements, licensing agreements, and/or supply chain arrangements), the organization ensures that the information needed for authorizing officials to make risk-based decisions, is made available by the provider. NIST Special Publication 800-37 FISMA is Risk Based – Authorizing Officials weigh residual risks vs the risk to the Agency of exposure. Not pass/fail
  • 8. 8 Industry Day OISM Involves 2 parts: 1. Assessment of the CSP • Could involve multiple assessments CSP will often use subcontractors For example a SaaS CSP may use Amazon Web Services to host the data or May use Iron Mountain to store backups. Those providers must be assessed. • Could leverage other assessments Assessment could be conducted by the agency, leverage another agencies assessment, partially leverage non-FISMA assessments, leverage FedRAMP assessment. 2. Assessment of agency specific controls There will ALWAYS be an agency specific implementation part How NIST assesses a “Cloud” Service Provider (CSP) (applies to any 3rd party vendor)
  • 9. Federal Computer Security Managers’ Forum OISM Vendor Backups Log Files Code Scanning Password Safe Hosting Physical Backups File Shares A cloud vendor may be using other vendors… Who may be using other vendors… Who may be using…
  • 10. 10 Industry Day OISM Different types of cloud assessments (example use cases) Social Media • Publically available, low criticality levels • Confidentially not an issue, availability not a direct issue, integrity a concern Unauthorized modification of system information could be expected to have an adverse effect… • Scope out of testing CSP, test agency specific implementation, document mitigations • Still requires an assessment! Enterprise Level (SaaS, PaaS, IaaS) • Enterprise level, often moderate* criticality levels • Full testing of CSP required • Full testing of agency specific implementation • Leverage FedRAMP, PCI, SAS 70/SSAE 16, HIPPA Everything in between… • Could have low impact levels, but not public and require login • Could be a CSP that leveraged another PaaS and has limited access • Must follow FISMA process to determine impact • Finding balance of testing – ‘Commensurate with the risk’
  • 11. 11 Industry Day OISM Software as a Service (SaaS) Government User Accesses SaaS Hosted In Data Center SaaS Vendor Corporate HQ accesses servers for administration or SaaS for help desk SaaS Vendor telecommuters may access through HQ or directly. Things to realize: • Even if data center is secure the vendor is responsible for configuring the servers. • If the vendor can access Gov’t data from HQ or admin telecommuters, all controls are in play for them. Typical Small Business Cloud Vendor layout
  • 12. 12 Industry Day OISM Leveraging other assessments SSAE 16 (formerly SAS-70) (Statement on Standards for Attestation Engagements) PCI (Payment Card Industry) HIPPA (Health Insurance Portability and Accountability Act) Sarbanes–Oxley others… (will get into FedRAMP shortly) • Do not encompass all FISMA (800-53)/FedRAMP controls • Will not meet all requirements • Some are pass/fail – no explanation of mitigating controls For instance PCI only requires a 7 character password 8.2.3 Passwords/phrases must meet the following: Require a minimum length of at least seven characters. Contain both numeric and alphabetic characters. Payment Card Industry (PCI) Data Security Standard Requirements and Security Assessment Procedures Version 3.0 November 2013 Risk Based Decision
  • 13. 13 Industry Day OISM Cloud Service Providers (CSP) Chicken and the egg problem for the vendors Resources necessary for compliance Fairness to small businesses Need to protect taxpayer data
  • 14. 14 Industry Day OISM Incident response How will the vendor notify if a possible breach or incident has occurred? How with they interface with an agencies incident response team? Will they share logs (could be difficult if a shred tenant)? Some other Challenges Background Investigations All personnel who have access to Government data are required to have background investigations conducted by a Federal Government entity. OPM requirements (IPv6, PIV, TIC, 508) OPM Cloud First mandate vs. other OPM mandates. Many cloud vendors may not be able to currently meet all Federal Government technical requirements. Continuous Monitoring Most likely do not have ‘feeds’ from vendor. What continuous monitoring is in place?
  • 15. Industry Day OISM http://www.fedramp.gov OMB Authorizing Memo December 8, 2011: https://cio.gov/wp-content/uploads/2012/09/fedrampmemo.pdf Contact: info@fedramp.gov FedRAMP does not issue ATO ONLY an agency can issue an ATO JAB board provides ‘provisional’ authorization only All cloud projects must meet FedRAMP (not just FISMA) requirements (as of June 6, 2014, which has passed) One assessment Leveraged by multiple agencies
  • 16. 16 Industry Day OISM FedRAMP is an extension of FISMA. • Additional SP 800-53 controls • 1 additional low control (independence) • 46 additional moderate controls • High baseline available • Specific FedRAMP templates Challenge with FedRAMP will be Continuous Monitoring Ultimately up to the authorizing agency to ensure proper continuous monitoring Uses validated Third Party Assessor (3PAO) for assessment.
  • 17. 17 Industry Day OISM Background Image: Deer at the NIST campus in Gaithersburg, MD Thank You For further information: NIST CSC Publications (FIPS and SP’s: http://csrc.nist.gov/publications/ Specifically: 800-37: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-37r1.pdf 800-53: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf FedRAMP: https://www.fedramp.gov/