White paper explores some of the challenges encountered when attempting to perform traditional security authorization or certification and authentication processes for cloud computing environments (CCEs).
InfoSec Technology Management of User Space and Services Through Security Thr...ecarrow
The focus of this paper will demonstrate the need to clearly define
and segregate various user space environments in the enterprise
network infrastructure with controls ranging from administrative
to technical and still provide the various services needed to
facilitate the work space environment and administrative
requirements of an enterprise system. Standards assumed are
industry practices and associated regulatory requirements with
implementations as they apply to the various contextual
applications. This is a high level approach to understanding the
significance and application of an effective secure network
infrastructure. The focus is on end user needs and the associated
services to support those needs. Conceptually user space is a
virtual area allocated to the end user needs identified with specific
services to support those needs by creating a virtual playground.
To manage risk, the concept of creating a "security threat gateway
(STG)" isolates and secures each user space with its associated
services. Emphasis will be placed on the functional managerial
process and application of the STG, safeguarding one user space
from another, to facilitate the use of the needed services to
perform the operational tasks of the organization. When user’s
needs and associated components are clearly identified, then it is
possible for anyone to use this model as a template, to guide them
in creating an effective strategy for their own network security.
This approach is practical in orientation and application, focusing
on a high level perspective and assumes the reader already has a
low level technical background for a tactical implementation in
mitigating risk to the enterprise network infrastructure.
APPLYING GEO-ENCRYPTION AND ATTRIBUTE BASED ENCRYPTION TO IMPLEMENT SECURE AC...IJCNCJournal
Cloud computing is utility-based computing provides many benefits to its clients but security is one aspect which is delaying its adoptions. Security challenges include data security, network security and infrastructure security. Data security can be achieved using Cryptography. If we include location information in the encryption and decryption process then we can bind access to data with the location so that data can be accessed only from the specified locations. In this paper, we propose a method based on the symmetric cryptography, location-based cryptography and ciphertext policy – Attribute-based encryption (CP-ABE) to implements secure access control to the outsourced data. The Symmetric key is used to encrypt that data whereas CP-ABE is used to encrypt the secret key and the location lock value before uploading on the server. User will download encrypted data and the symmetric secret key XORed with the Location Lock value, using his attributes based secret key he can obtain first XORed value of Symmetric secret key and location lock value. Using anti-spoof GPS Location lock value can be obtained which can be used to retrieve the symmetric secret key. We have adopted Massage Authentication Code (MAC) to ensure Integrity and Availability of the data. This protocol can be used in the Bank, government organization, military services or any other industry those are having their offices/work location at a fixed place, so data access can be bounded to that location.
A SECURITY FRAMEWORK IN CLOUD COMPUTING INFRASTRUCTUREIJNSA Journal
In a typical cloud computing diverse facilitating components like hardware, software, firmware,
networking, and services integrate to offer different computational facilities, while Internet or a private
network (or VPN) provides the required backbone to deliver the services. The security risks to the cloud
system delimit the benefits of cloud computing like “on-demand, customized resource availability and
performance management”. It is understood that current IT and enterprise security solutions are not
adequate to address the cloud security issues. This paper explores the challenges and issues of security
concerns of cloud computing through different standard and novel solutions. We propose analysis and
architecture for incorporating different security schemes, techniques and protocols for cloud computing,
particularly in Infrastructure-as-a-Service (IaaS) and Platform-as-a-Service (PaaS) systems. The proposed
architecture is generic in nature, not dependent on the type of cloud deployment, application agnostic and
is not coupled with the underlying backbone. This would facilitate to manage the cloud system more
effectively and provide the administrator to include the specific solution to counter the threat. We have also
shown using experimental data how a cloud service provider can estimate the charging based on the
security service it provides and security-related cost-benefit analysis can be estimated.
InfoSec Technology Management of User Space and Services Through Security Thr...ecarrow
The focus of this paper will demonstrate the need to clearly define
and segregate various user space environments in the enterprise
network infrastructure with controls ranging from administrative
to technical and still provide the various services needed to
facilitate the work space environment and administrative
requirements of an enterprise system. Standards assumed are
industry practices and associated regulatory requirements with
implementations as they apply to the various contextual
applications. This is a high level approach to understanding the
significance and application of an effective secure network
infrastructure. The focus is on end user needs and the associated
services to support those needs. Conceptually user space is a
virtual area allocated to the end user needs identified with specific
services to support those needs by creating a virtual playground.
To manage risk, the concept of creating a "security threat gateway
(STG)" isolates and secures each user space with its associated
services. Emphasis will be placed on the functional managerial
process and application of the STG, safeguarding one user space
from another, to facilitate the use of the needed services to
perform the operational tasks of the organization. When user’s
needs and associated components are clearly identified, then it is
possible for anyone to use this model as a template, to guide them
in creating an effective strategy for their own network security.
This approach is practical in orientation and application, focusing
on a high level perspective and assumes the reader already has a
low level technical background for a tactical implementation in
mitigating risk to the enterprise network infrastructure.
APPLYING GEO-ENCRYPTION AND ATTRIBUTE BASED ENCRYPTION TO IMPLEMENT SECURE AC...IJCNCJournal
Cloud computing is utility-based computing provides many benefits to its clients but security is one aspect which is delaying its adoptions. Security challenges include data security, network security and infrastructure security. Data security can be achieved using Cryptography. If we include location information in the encryption and decryption process then we can bind access to data with the location so that data can be accessed only from the specified locations. In this paper, we propose a method based on the symmetric cryptography, location-based cryptography and ciphertext policy – Attribute-based encryption (CP-ABE) to implements secure access control to the outsourced data. The Symmetric key is used to encrypt that data whereas CP-ABE is used to encrypt the secret key and the location lock value before uploading on the server. User will download encrypted data and the symmetric secret key XORed with the Location Lock value, using his attributes based secret key he can obtain first XORed value of Symmetric secret key and location lock value. Using anti-spoof GPS Location lock value can be obtained which can be used to retrieve the symmetric secret key. We have adopted Massage Authentication Code (MAC) to ensure Integrity and Availability of the data. This protocol can be used in the Bank, government organization, military services or any other industry those are having their offices/work location at a fixed place, so data access can be bounded to that location.
A SECURITY FRAMEWORK IN CLOUD COMPUTING INFRASTRUCTUREIJNSA Journal
In a typical cloud computing diverse facilitating components like hardware, software, firmware,
networking, and services integrate to offer different computational facilities, while Internet or a private
network (or VPN) provides the required backbone to deliver the services. The security risks to the cloud
system delimit the benefits of cloud computing like “on-demand, customized resource availability and
performance management”. It is understood that current IT and enterprise security solutions are not
adequate to address the cloud security issues. This paper explores the challenges and issues of security
concerns of cloud computing through different standard and novel solutions. We propose analysis and
architecture for incorporating different security schemes, techniques and protocols for cloud computing,
particularly in Infrastructure-as-a-Service (IaaS) and Platform-as-a-Service (PaaS) systems. The proposed
architecture is generic in nature, not dependent on the type of cloud deployment, application agnostic and
is not coupled with the underlying backbone. This would facilitate to manage the cloud system more
effectively and provide the administrator to include the specific solution to counter the threat. We have also
shown using experimental data how a cloud service provider can estimate the charging based on the
security service it provides and security-related cost-benefit analysis can be estimated.
Modern internet services rely on web and cloud technology, and as such they are no longer independent packages with in-built security, but are constructed through the combination and reuse of other services distributed across the web. While the ability to build applications in this way results in highly innovative services, it creates new issues in terms of security. Trusted computing aims to provide a way to meet the evolving security requirements of users, businesses, regulators and infrastructure owners.
Never Compromise Your Mission: 5 Ways to Strengthen Data and Network Security...Unisys Corporation
To learn more visit: http://www.unisys.com/stealth
For years, security involved layering perimeter defenses and physical technology infrastructure that drove up operations and IT costs. But advanced, innovative technologies are driving public sector leaders to step outside the conventional Band-Aid approach. A new breed of public sector security opportunities around software-defined networking has emerged – one that strengthens security and cuts costs. The key – hide all endpoints completely from attackers so there’s no vector to target. There are five ways public sector leaders can increase security and decrease costs:
Cloak your endpoints and go undetectable;
Segment your data center by using communities of interest;
Isolate disparate networks;
Move mission-critical workloads to a more secure cloud;
Convert existing computing devices into secure communications tools.
Security in Cloud Computing For Service Delivery Models: Challenges and Solut...IJERA Editor
Cloud computing, undoubtedly, is a path to expand the limits or add powerful capabilities on-demand with
almost no investment in new framework, training new staff, or authorizing new software. Though today
everyone is talking about cloud but, organizations are still in dilemma whether it’s safe to deploy their business
on cloud. The reason behind it; is nothing but Security. No cloud service provider provides 100% security
assurance to its customers and therefore, businesses are hesitant to accept cloud and the vast benefits that come
along with it. The absence of proper security controls delimits the benefits of cloud. In this paper, a review on
different cloud service models and a survey of the different security challenges and issues while providing
services in cloud is presented .The paper focuses on the security issues specific to service delivery model (SaaS,
IaaS and PaaS) of cloud environment. This paper also explores the various security solutions currently being
applied to protect cloud from various kinds of intruders.
Evasion Streamline Intruders Using Graph Based Attacker model Analysis and Co...Editor IJCATR
Network Intrusion detection and Countermeasure Election in virtual network systems (NICE) are used to establish a
defense-in-depth intrusion detection framework. For better attack detection, NICE incorporates attack graph analytical procedures into
the intrusion detection processes. We must note that the design of NICE does not intend to improve any of the existing intrusion
detection algorithms; indeed, NICE employs a reconfigurable virtual networking approach to detect and counter the attempts to
compromise VMs, thus preventing zombie VMs. NICE includes two main phases: deploy a lightweight mirroring-based network
intrusion detection agent (NICE-A) on each cloud server to capture and analyze cloud traffic. A NICE-A periodically scans the virtual
system vulnerabilities within a cloud server to establish Scenario Attack Graph (SAGs), and then based on the severity of identified
vulnerability toward the collaborative attack goals, NICE will decide whether or not to put a VM in network inspection state. Once a
VM enters inspection state, Deep Packet Inspection (DPI) is applied, and/or virtual network reconfigurations can be deployed to the
inspecting VM to make the potential attack behaviors prominent.
FIRECOL: A COLLABORATIVE PROTECTION NETWORK FOR THE DETECTION OF FLOODING DDO...Deenuji Loganathan
Distributed denial-of-service (DDoS) attacks remain a major security problem, the mitigation of which is very hard especially when it comes to highly distributed botnet-based attacks. The early discovery of these attacks, although challenging, is necessary to protect end-users as well as the expensive network infrastructure resources. In this paper, we address the problem of DDoS attacks and present the theoretical foundation, architecture, and algorithms of FireCol. The core of FireCol is composed of intrusion prevention systems (IPSs) located at the Internet service providers (ISPs) level. The IPSs form virtual protection rings around the hosts to defend and collaborate by exchanging selected traffic information. The evaluation of FireCol using extensive simulations and a real dataset is presented, showing FireCol effectiveness and low overhead, as well as its support for incremental deployment in real networks.
Modern internet services rely on web and cloud technology, and as such they are no longer independent packages with in-built security, but are constructed through the combination and reuse of other services distributed across the web. While the ability to build applications in this way results in highly innovative services, it creates new issues in terms of security. Trusted computing aims to provide a way to meet the evolving security requirements of users, businesses, regulators and infrastructure owners.
Never Compromise Your Mission: 5 Ways to Strengthen Data and Network Security...Unisys Corporation
To learn more visit: http://www.unisys.com/stealth
For years, security involved layering perimeter defenses and physical technology infrastructure that drove up operations and IT costs. But advanced, innovative technologies are driving public sector leaders to step outside the conventional Band-Aid approach. A new breed of public sector security opportunities around software-defined networking has emerged – one that strengthens security and cuts costs. The key – hide all endpoints completely from attackers so there’s no vector to target. There are five ways public sector leaders can increase security and decrease costs:
Cloak your endpoints and go undetectable;
Segment your data center by using communities of interest;
Isolate disparate networks;
Move mission-critical workloads to a more secure cloud;
Convert existing computing devices into secure communications tools.
Security in Cloud Computing For Service Delivery Models: Challenges and Solut...IJERA Editor
Cloud computing, undoubtedly, is a path to expand the limits or add powerful capabilities on-demand with
almost no investment in new framework, training new staff, or authorizing new software. Though today
everyone is talking about cloud but, organizations are still in dilemma whether it’s safe to deploy their business
on cloud. The reason behind it; is nothing but Security. No cloud service provider provides 100% security
assurance to its customers and therefore, businesses are hesitant to accept cloud and the vast benefits that come
along with it. The absence of proper security controls delimits the benefits of cloud. In this paper, a review on
different cloud service models and a survey of the different security challenges and issues while providing
services in cloud is presented .The paper focuses on the security issues specific to service delivery model (SaaS,
IaaS and PaaS) of cloud environment. This paper also explores the various security solutions currently being
applied to protect cloud from various kinds of intruders.
Evasion Streamline Intruders Using Graph Based Attacker model Analysis and Co...Editor IJCATR
Network Intrusion detection and Countermeasure Election in virtual network systems (NICE) are used to establish a
defense-in-depth intrusion detection framework. For better attack detection, NICE incorporates attack graph analytical procedures into
the intrusion detection processes. We must note that the design of NICE does not intend to improve any of the existing intrusion
detection algorithms; indeed, NICE employs a reconfigurable virtual networking approach to detect and counter the attempts to
compromise VMs, thus preventing zombie VMs. NICE includes two main phases: deploy a lightweight mirroring-based network
intrusion detection agent (NICE-A) on each cloud server to capture and analyze cloud traffic. A NICE-A periodically scans the virtual
system vulnerabilities within a cloud server to establish Scenario Attack Graph (SAGs), and then based on the severity of identified
vulnerability toward the collaborative attack goals, NICE will decide whether or not to put a VM in network inspection state. Once a
VM enters inspection state, Deep Packet Inspection (DPI) is applied, and/or virtual network reconfigurations can be deployed to the
inspecting VM to make the potential attack behaviors prominent.
FIRECOL: A COLLABORATIVE PROTECTION NETWORK FOR THE DETECTION OF FLOODING DDO...Deenuji Loganathan
Distributed denial-of-service (DDoS) attacks remain a major security problem, the mitigation of which is very hard especially when it comes to highly distributed botnet-based attacks. The early discovery of these attacks, although challenging, is necessary to protect end-users as well as the expensive network infrastructure resources. In this paper, we address the problem of DDoS attacks and present the theoretical foundation, architecture, and algorithms of FireCol. The core of FireCol is composed of intrusion prevention systems (IPSs) located at the Internet service providers (ISPs) level. The IPSs form virtual protection rings around the hosts to defend and collaborate by exchanging selected traffic information. The evaluation of FireCol using extensive simulations and a real dataset is presented, showing FireCol effectiveness and low overhead, as well as its support for incremental deployment in real networks.
Prof. Dr. Alexander Mädche, University of Mannheim
Dr. Hendrik Meth, BorgWarner IT Services Europa GmbH
Walldorf, September 11th 2015
SAP University Alliance EMEA Conference
B2B 포럼 2016
B2B에 관련한 최신의 정보,트렌드, 및 인사이트를 접할 수 있는 포럼, 귀하의 고객이 B2B라면 !!
꼭 관심을 가져보십시요.
B2B 산업에 종사하는 마케터, 영업맨, 경영자, 기획관리, 전략팀, 벤쳐 기업을 위한 지식 포럼입니다. 국내에서는 B2B 영역에서는 정보를 얻기가 힘든데요, 2015년 포럼에 대한 여러분의 높은 관심과 참여, 그리고 피드백을 바탕으로 B2B 마케팅과 영업에 관련된 높은 품질의 강연 포럼을 경험할 수 있도로 준비했습니다.
올해는 2016년 관점에서, B2B 마케팅&영업 트렌드와 인사이트를 제대로 얻도록 국내외에서, 분야별 전무가들을 모셨습니다.
B2B Advertising in the Digital World: The Targeted Approach to SuccessDemandbase
Find out why 95% of B2B Marketers say Account-Based Advertising drives success.
If you’re here, it’s because you’ve noticed that traditional display advertising isn’t proving the value necessary to drive sales growth and you’re ready to take your B2B ad campaigns to the next level.
Get ready to be the rock star on your team – in less than 45 minutes you’ll learn how Account-Based Advertising aligns marketing with sales and delivers the results your execs expect.
Booz Allen Hamilton’s cross-disciplinary expertise in program management includes systems integration, technology, strategic planning, stakeholder analysis and management, wargaming, and other capabilities for implementing 3-D Program Management to help US government agencies successfully manage and deliver complex programs.
Information Security Governance: Government Considerations for the Cloud Comp...Booz Allen Hamilton
How users can take advantage of the cloud computing environment’s benefits without experiencing excessive security risks or new legal or regulatory compliance challenges.
A breakdown of the top misconceptions enterprises are facing when assessing the security levels of cloud computing environments, and the realities behind them
An study of security issues & challenges in cloud computingijsrd.com
"Cloud Computing" is a term, which involves virtualization, distributed computing, networking and web-services. It is a way of offering services to users by allowing them to tap into a massive pool of shared computing resources such as servers, storage and network. User can use services by simply plug into the cloud and pay only for what he uses. All these features made a cloud computing very advantageous and demanding. But the data privacy is a key security problem in cloud computing which comprises of data integrity, data confidentiality and user privacy specific concerns. Most of the persons do not prefer cloud to store their data as they are having a fear of losing the privacy of their confidential data. This paper introduces some cloud computing data security problem and its strategy to solve them which also satisfies the user regarding their data security.
A SECURITY FRAMEWORK IN CLOUD COMPUTING INFRASTRUCTUREIJNSA Journal
In a typical cloud computing diverse facilitating components like hardware, software, firmware, networking, and services integrate to offer different computational facilities, while Internet or a private network (or VPN) provides the required backbone to deliver the services. The security risks to the cloud system delimit the benefits of cloud computing like “on-demand, customized resource availability and performance management”. It is understood that current IT and enterprise security solutions are not adequate to address the cloud security issues. This paper explores the challenges and issues of security concerns of cloud computing through different standard and novel solutions. We propose analysis and architecture for incorporating different security schemes, techniques and protocols for cloud computing, particularly in Infrastructure-as-a-Service (IaaS) and Platform-as-a-Service (PaaS) systems. The proposed architecture is generic in nature, not dependent on the type of cloud deployment, application agnostic and is not coupled with the underlying backbone. This would facilitate to manage the cloud system more effectively and provide the administrator to include the specific solution to counter the threat. We have also shown using experimental data how a cloud service provider can estimate the charging based on the security service it provides and security-related cost-benefit analysis can be estimated.
Although many organizations have adopted the cloud and are reaping the
benefits of a cloud computing platform, there are still concerns with the
handling of sensitive information on a public cloud platform. For such
organizations an alternate option is available, and it means having their own
private cloud.
ISACA Journal Publication - Does your Cloud have a Secure Lining? Shah SheikhShah Sheikh
ISACA Journal Publication Volume 5 written by Shah Sheikh - published in Q4 2013. Based on the Cloud Security Alliance Framework whitepaper titled "Does your Cloud have a Secure Lining?"
It auditing to assure a secure cloud computingingenioustech
Dear Students
Ingenious techno Solution offers an expertise guidance on you Final Year IEEE & Non- IEEE Projects on the following domain
JAVA
.NET
EMBEDDED SYSTEMS
ROBOTICS
MECHANICAL
MATLAB etc
For further details contact us:
enquiry@ingenioustech.in
044-42046028 or 8428302179.
Ingenious Techno Solution
#241/85, 4th floor
Rangarajapuram main road,
Kodambakkam (Power House)
http://www.ingenioustech.in/
Cloud Computing Security: Government Acquisition Considerations for the Cloud...Booz Allen Hamilton
This study provides insight into information assurance and mission assurance challenges posed by public cloud computing environments (CCE), and how accounting for those risks through acquisition security measures affect public CCE options.
The paradigm called “Cloud computing” acts as a mechanism for attaining the resources of shared technology and infrastructure cost-effectively. The on-demand services are accomplished to execute the various operations across the network. Regularly, the last client doesn't know about the area of open physical assets and devices. Developing, using, and dealing with their applications 'on the cloud', which includes virtualization of assets that keeps and guides itself are led by arranged activities to clients. Calculation experience the new methodology of cloud computing which perhaps keeps the world and can set up all the human necessities. At the end of the day, cloud computing is the ensuing normal step in the development of on-request data innovation administrations and items. The Cloud is an allegory for the Internet and is an idea for the secured confused foundation; it likewise relies upon drawing network graphs on a computer. In this work, thorough investigations of distributed computing security and protection concerns are given. The work distinguishes both the identified and unidentified attacks, vulnerabilities in the cloud, security attacks and also the solutions to control these threats and attacks. Moreover, the restrictions of the present solutions and offers various perceptions of security viewpoints are distinguished and explored. At long last, a cloud security system is given in which the different lines of protection and the reliance levels among them are identified.
A traditional computing environment requires a costly
infrastructure to offer a better service to users. The introduction
of cloud computing has changed the working environment from
traditional to virtual. A larger number of IT companies are
utilizing the cloud. On the one hand, the cloud attracts more
number of consumers by offering services with minimized
capital cost and virtual infrastructure. On the other hand, there
are a risk and security challenges in cloud computing that
makes the user not to move completely towards it. The cloud
environment is more vulnerable to security breaches and data
theft. Moreover, insider attacks are more frequent in larger
enterprises. An unauthenticated user can cause more damage
to company reputation. The cloud service providers are trying
to provide a secure work environment for users. However,
there is a lack of global standards and policies to invoke
security measures in cloud computing. This study aims to
highlight and classify security challenges and trust issues in the
cloud environment.
The survey was conducted in various institutions and
governmental organizations in Saudi Arabia to study the
opinions of stakeholders on cloud computing security
challenges and risks.
Links:
http://sites.google.com/site/ijcsis/
https://google.academia.edu/JournalofComputerScience
https://www.linkedin.com/in/ijcsis-research-publications-8b916516/
http://www.researcherid.com/rid/E-1319-2016
You Can Hack That: How to Use Hackathons to Solve Your Toughest ChallengesBooz Allen Hamilton
“Hackathon” has become a trendy word in today’s business vernacular, and for good reason. The word “hackathon” comes from both “hack” and “marathon.” If you think of a “hack” as a creative solution and “marathon” as a continuous, often competitive event, you’re at the heart of what a hackathon is about. Hackathons enable creative problem solving through an innovative and often competitive structure that engages stakeholders to come up with unconventional solutions to pressing challenges. Hackathons can be used to develop new processes, products, ways of thinking, or ways of engaging stakeholders and partners, with benefits ranging from solving tough problems to broader cultural and organizational improvements.
This playbook was designed to make hackathons accessible to everyone. That means not only can all kinds of organizations benefit from hackathons, but that all kinds of employees inside those groups—executives, project managers, designers, or engineers—should participate and can benefit, too. Use this playbook as a reference and allow the best practices we outline to guide you in designing a hackathon structure that works for you and enables your organization to achieve its desired outcomes. Give yourself anywhere from six weeks to a few months to plan your hackathon, depending on the components, approach, number of participants, and desired outcomes.
Contact Director Brian MacCarthy at MacCarthy_Brian2@bah.com for more information about Booz Allen’s hackathon offering.
Booz Allen's U.S. Commercial Leader and Executive Vice President, Bill Phelps, recently released his list of 10 Cyber Priorities for Boards of Directors. As we peer into how business, technology, regulatory, and cyber threat realities are evolving in the coming year, here is a reference guide for board members to use in validating their company's cybersecurity approach.
We looked at the data. Here’s a breakdown of some key statistics about the nation’s incoming presidents’ addresses, how long they spoke, how well, and more.
Our Military Spouse Forum built a roadmap to help you navigate your career between deployments, moves, and the unpredictable. Interested in how Booz Allen can help you navigate your career? Check out our opportunities at www.boozallen.com/careers
In August 2016, Booz Allen partnered with Market Connections to conduct a survey of National Security Leaders and the General Public to understand their perspectives on the current threats. Fifteen years after the September 11 attacks, we wanted to know what keeps them up at night today, and what they will be worried about in 15 years. This infographic provides the high-level results of our survey and we will be releasing a more detailed report later in the month of September – so stay tuned. #NationalSecurity2031
Booz Allen convened some of the smartest minds to explore making healthcare more accessible. This report shares the latest healthcare payment trends and what policy experts discovered when planning for different health reform scenarios.
An interactive workshop that guides you through the many relationships that exist in an agile team, with a business value emphasis. Team members gain empathy, discover expectations of others and the importance of these agile team relationships.
An immersive environment allows students to be completely “immersed” in a self-contained simulated or artificial environment while experiencing it as real. With immersive learning, you can show realistic visual and training environments to teach complex tasks and concepts.
Nuclear Promise: Reducing Cost While Improving PerformanceBooz Allen Hamilton
To remain competitive, nuclear operators must take aim at all addressable costs, ensuring maintenance is optimized, taking proactive steps to minimize unplanned outages and, where possible, reducing administrative and other overhead costs. There are multiple opportunities to reduce capital and operational spending, while improving safety and reliability.
General Motors and Lyft; Target and Walmart; Netflix and Amazon - we call these “frenemies”. A strange trend is emerging as unlikely partner companies join forces, and they’re transforming industries around the world. Understanding what's driving the frenemies trend, knowing what options best fit your needs, and making yourself an effective partner are all critical to success.
Threats to industrial control systems are on the rise. This briefing explores potential threats and vulnerabilities as well as what organizations can do to guard against them.
Booz Allen Hamilton and Market Connections: C4ISR Survey ReportBooz Allen Hamilton
Booz Allen Hamilton partnered with government market research firm Market Connections, Inc. to conduct the survey of military decision-makers. The research examined the main features of Integrated C4ISR through Enterprise Integration: engineering, operations and acquisition. Two-thirds of respondents (65 percent) agree agile incremental delivery of modular systems with integrated capabilities can enable rapid insertion of new technologies.
Modern C4ISR Integrates, Innovates and Secures Military NetworksBooz Allen Hamilton
A majority of the military believe Integrated C4ISR through Enterprise Integration would provide utility to their organization. Check out other key findings from our study in this infographic http://bit.ly/1OZOjG2
Agile and Open C4ISR Systems - Helping the Military Integrate, Innovate and S...Booz Allen Hamilton
Integrated C4ISR is a force multiplier that significantly improves situational awareness and decision making to give warfighters a decisive battlefield advantage. This advantage stems from Booz Allen Hamilton’s Enterprise Integration approach http://bit.ly/25nDBRg: bringing together three disciplines and their communities—engineering, operations, and acquisition.
Booz Allen Hamilton created the Field Guide to Data Science to help organizations and missions understand how to make use of data as a resource. The Second Edition of the Field Guide, updated with new features and content, delivers our latest insights in a fast-changing field. http://bit.ly/1O78U42
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdfPaige Cruz
Monitoring and observability aren’t traditionally found in software curriculums and many of us cobble this knowledge together from whatever vendor or ecosystem we were first introduced to and whatever is a part of your current company’s observability stack.
While the dev and ops silo continues to crumble….many organizations still relegate monitoring & observability as the purview of ops, infra and SRE teams. This is a mistake - achieving a highly observable system requires collaboration up and down the stack.
I, a former op, would like to extend an invitation to all application developers to join the observability party will share these foundational concepts to build on:
Pushing the limits of ePRTC: 100ns holdover for 100 daysAdtran
At WSTS 2024, Alon Stern explored the topic of parametric holdover and explained how recent research findings can be implemented in real-world PNT networks to achieve 100 nanoseconds of accuracy for up to 100 days.
Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!SOFTTECHHUB
As the digital landscape continually evolves, operating systems play a critical role in shaping user experiences and productivity. The launch of Nitrux Linux 3.5.0 marks a significant milestone, offering a robust alternative to traditional systems such as Windows 11. This article delves into the essence of Nitrux Linux 3.5.0, exploring its unique features, advantages, and how it stands as a compelling choice for both casual users and tech enthusiasts.
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...James Anderson
Effective Application Security in Software Delivery lifecycle using Deployment Firewall and DBOM
The modern software delivery process (or the CI/CD process) includes many tools, distributed teams, open-source code, and cloud platforms. Constant focus on speed to release software to market, along with the traditional slow and manual security checks has caused gaps in continuous security as an important piece in the software supply chain. Today organizations feel more susceptible to external and internal cyber threats due to the vast attack surface in their applications supply chain and the lack of end-to-end governance and risk management.
The software team must secure its software delivery process to avoid vulnerability and security breaches. This needs to be achieved with existing tool chains and without extensive rework of the delivery processes. This talk will present strategies and techniques for providing visibility into the true risk of the existing vulnerabilities, preventing the introduction of security issues in the software, resolving vulnerabilities in production environments quickly, and capturing the deployment bill of materials (DBOM).
Speakers:
Bob Boule
Robert Boule is a technology enthusiast with PASSION for technology and making things work along with a knack for helping others understand how things work. He comes with around 20 years of solution engineering experience in application security, software continuous delivery, and SaaS platforms. He is known for his dynamic presentations in CI/CD and application security integrated in software delivery lifecycle.
Gopinath Rebala
Gopinath Rebala is the CTO of OpsMx, where he has overall responsibility for the machine learning and data processing architectures for Secure Software Delivery. Gopi also has a strong connection with our customers, leading design and architecture for strategic implementations. Gopi is a frequent speaker and well-known leader in continuous delivery and integrating security into software delivery.
Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...James Anderson
Effective Application Security in Software Delivery lifecycle using Deployment Firewall and DBOM
The modern software delivery process (or the CI/CD process) includes many tools, distributed teams, open-source code, and cloud platforms. Constant focus on speed to release software to market, along with the traditional slow and manual security checks has caused gaps in continuous security as an important piece in the software supply chain. Today organizations feel more susceptible to external and internal cyber threats due to the vast attack surface in their applications supply chain and the lack of end-to-end governance and risk management.
The software team must secure its software delivery process to avoid vulnerability and security breaches. This needs to be achieved with existing tool chains and without extensive rework of the delivery processes. This talk will present strategies and techniques for providing visibility into the true risk of the existing vulnerabilities, preventing the introduction of security issues in the software, resolving vulnerabilities in production environments quickly, and capturing the deployment bill of materials (DBOM).
Speakers:
Bob Boule
Robert Boule is a technology enthusiast with PASSION for technology and making things work along with a knack for helping others understand how things work. He comes with around 20 years of solution engineering experience in application security, software continuous delivery, and SaaS platforms. He is known for his dynamic presentations in CI/CD and application security integrated in software delivery lifecycle.
Gopinath Rebala
Gopinath Rebala is the CTO of OpsMx, where he has overall responsibility for the machine learning and data processing architectures for Secure Software Delivery. Gopi also has a strong connection with our customers, leading design and architecture for strategic implementations. Gopi is a frequent speaker and well-known leader in continuous delivery and integrating security into software delivery.
20 Comprehensive Checklist of Designing and Developing a WebsitePixlogix Infotech
Dive into the world of Website Designing and Developing with Pixlogix! Looking to create a stunning online presence? Look no further! Our comprehensive checklist covers everything you need to know to craft a website that stands out. From user-friendly design to seamless functionality, we've got you covered. Don't miss out on this invaluable resource! Check out our checklist now at Pixlogix and start your journey towards a captivating online presence today.
Unlocking Productivity: Leveraging the Potential of Copilot in Microsoft 365, a presentation by Christoforos Vlachos, Senior Solutions Manager – Modern Workplace, Uni Systems
Maruthi Prithivirajan, Head of ASEAN & IN Solution Architecture, Neo4j
Get an inside look at the latest Neo4j innovations that enable relationship-driven intelligence at scale. Learn more about the newest cloud integrations and product enhancements that make Neo4j an essential choice for developers building apps with interconnected data and generative AI.
Generative AI Deep Dive: Advancing from Proof of Concept to ProductionAggregage
Join Maher Hanafi, VP of Engineering at Betterworks, in this new session where he'll share a practical framework to transform Gen AI prototypes into impactful products! He'll delve into the complexities of data collection and management, model selection and optimization, and ensuring security, scalability, and responsible use.
UiPath Test Automation using UiPath Test Suite series, part 5DianaGray10
Welcome to UiPath Test Automation using UiPath Test Suite series part 5. In this session, we will cover CI/CD with devops.
Topics covered:
CI/CD with in UiPath
End-to-end overview of CI/CD pipeline with Azure devops
Speaker:
Lyndsey Byblow, Test Suite Sales Engineer @ UiPath, Inc.
zkStudyClub - Reef: Fast Succinct Non-Interactive Zero-Knowledge Regex ProofsAlex Pruden
This paper presents Reef, a system for generating publicly verifiable succinct non-interactive zero-knowledge proofs that a committed document matches or does not match a regular expression. We describe applications such as proving the strength of passwords, the provenance of email despite redactions, the validity of oblivious DNS queries, and the existence of mutations in DNA. Reef supports the Perl Compatible Regular Expression syntax, including wildcards, alternation, ranges, capture groups, Kleene star, negations, and lookarounds. Reef introduces a new type of automata, Skipping Alternating Finite Automata (SAFA), that skips irrelevant parts of a document when producing proofs without undermining soundness, and instantiates SAFA with a lookup argument. Our experimental evaluation confirms that Reef can generate proofs for documents with 32M characters; the proofs are small and cheap to verify (under a second).
Paper: https://eprint.iacr.org/2023/1886
Building RAG with self-deployed Milvus vector database and Snowpark Container...Zilliz
This talk will give hands-on advice on building RAG applications with an open-source Milvus database deployed as a docker container. We will also introduce the integration of Milvus with Snowpark Container Services.
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024Albert Hoitingh
In this session I delve into the encryption technology used in Microsoft 365 and Microsoft Purview. Including the concepts of Customer Key and Double Key Encryption.
In his public lecture, Christian Timmerer provides insights into the fascinating history of video streaming, starting from its humble beginnings before YouTube to the groundbreaking technologies that now dominate platforms like Netflix and ORF ON. Timmerer also presents provocative contributions of his own that have significantly influenced the industry. He concludes by looking at future challenges and invites the audience to join in a discussion.
Security Authorization: An Approach for Community Cloud Computing Environments
1. Security Authorization
An Approach for Community Cloud Computing Environments
by
Perry Bryden
bryden_perry@bah.com
Daniel C. Kirkpatrick
kirkpatrick_daniel@bah.com
Farideh Moghadami
moghadami_farideh@bah.com
2. Security Authorization
An Approach for Community Cloud Computing Environments
The objective of this paper is to provide an approach servers, storage, applications, and services) that can
to performing assessment and authorization of cloud be rapidly provisioned and released with minimal
computing environments (CCE) in accordance with existing management effort or service provider interaction.
National Institute of Standards and Technology (NIST) This cloud model promotes availability and is
guidance. Although the assessment and authorization composed of five essential characteristics, three
approach described in this paper can be adapted to service models, and four deployment models.2
all of the private, public, hybrid, and community cloud
In some ways, cloud computing is an expansion of
deployment models, the primary focus of this paper
server hosting, outsourcing, web-based computing,
is providers and consumers of CCE services for civil
managed security services, and other past and present
agencies utilizing the community cloud deployment model.
service offerings. New and different in cloud computing
Consistent with the full transformation of the certification
are the five essential characteristics of—
and accreditation (C&A) process into the six-step Risk
Management Framework (RMF) described in NIST Special • On-demand self-service
Publication (SP) 800-37 Revision 1, Guide for Security
• Broad network access
Authorization of Federal Information Systems: A Security
Life Cycle Approach,1 throughout this paper we use the • Resource pooling
term “security authorization” when referring to the assess
• Rapid elasticity
and authorize steps of the RMF. In addition, we use the
term “provider” to refer to the organization providing CCE • Measured service.
services to other organizations and “consumer” to identify
The community CCE deployment model, or community
an organization acquiring and utilizing the CCE services of
CCE, discussed in this paper will also provide one of
a provider.
three service models:
The following sections provide a brief introduction to cloud
• Infrastructure as a service (IaaS)
computing services and security authorization processes
and the significant issues encountered when attempting to • Platform as a service (PaaS)
perform traditional security authorization for CCE services.
• Software as a service (SaaS).
The introduction is followed by “A New Approach to Cloud
Computing Security Authorization,” which provides guidance NIST defines the community cloud deployment
for performing security authorization of CCE services. model as “the cloud infrastructure shared by several
This approach differs from the traditional approach and organizations in support of a specific community
is tailored specifically to the cloud environment. The final that has shared concerns (e.g., mission, security
section summarizes the proposed approach. requirements, policy, and compliance considerations).
It may be managed by the organizations or a third party
Cloud Computing and may exist on premise or off premise.”3
According to NIST—
Appendix B includes the full NIST definition of the five
Cloud computing is a model for enabling convenient, essential characteristics, three service models, and
on-demand network access to a shared pool of four deployment models.
configurable computing resources (e.g., networks,
1 http://csrc.nist.gov/publications/drafts/800-37-Rev1/SP800-37-rev1-IPD.pdf. 2 http://csrc.nist.gov/groups/SNS/cloud-computing/index.html.
3 Ibid.
1
3. Security Authorization federal agencies and support contractors to facilitate
Security authorization is the successful application and demonstrate compliance with the Federal
of the RMF process described in NIST SP 800-37, Information Security Management Act of 2002 (FISMA).
illustrated in Exhibit 1. NIST developed the RMF to
provide organizations with a structured yet flexible Information Security
process for managing risk related to the operation and Security is a property of a well-designed system. As
use of information systems. Organizations use the RMF defined by FISMA, “The term ‘information security’
to determine the appropriate risk mitigation needed means protecting information and information systems
to protect the information systems and infrastructure from unauthorized access, use, disclosure, disruption,
that support organizational mission and business modification, or destruction”4 to provide—
processes. The RMF incorporates a well-defined set • Confidentiality. Preserving authorized restrictions
of information security standards and guidelines for on access and disclosure, including means
for protecting personal privacy and proprietary
information
Exhibit 1 | Risk Management Framework
• Integrity. Guarding against improper information
Architecture Organizational modification or destruction; includes ensuring
Description Inputs information non-repudiation and authenticity
Architecture Laws, Directives,
Reference Models Policy Guidance • Availability. Ensuring timely and reliable access to
Segment and Strategic Goals and
Solution Objectives
and use of information.5
Architectures Priorities and
Mission and Resource Security is not a feature; it is a property of a
Business PROCESS Availability
OVERVIEW
system. It results from thorough analysis of security
Processes Supply Chain
Information Starting Point Considerations requirements, sound architecture and design, and
System Boundaries secure coding practices.
Step 1
CATEGORIZE Purpose of Security Authorization
Repeat as
Information
necessary
System NIST SP 800-37 Revision 1 defines security
Step 6 Step 2 authorization as the means to—
MONITOR SELECT
Security Security
• Ensure that managing risk from the operation and
Controls Controls use of federal information systems is consistent
RISK with the organization’s mission/business objectives
MANAGEMENT and overall risk strategy established by senior
leadership through the risk executive function
FRAMEWORK
Step 5 Step 3
• Ensure that information security requirements,
AUTHORIZE IMPLEMENT
Information Security
including necessary security controls, are integrated
System Controls into the organization’s enterprise architecture and
system development lifecycle (SDLC) processes
Step 4
ASSESS • Support consistent, well-informed, and ongoing
Security
Controls security authorization decisions (through continuous
monitoring), security transparency, and risk-related
Source: NIST SP 800-37 Revision 1 information
4 http://csrc.nist.gov/drivers/documents/FISMA-final.pdf.
5 Ibid.
2
4. • Achieve more secure information and information The application of security controls within a complex
systems within the Federal Government through information system or a system of systems, can
the implementation of appropriate risk mitigation present significant challenges to an organization.
strategies.6 To make this problem more manageable, the
information system owner, in collaboration with
Security authorization is a process for assessing the
the authorizing official, senior information security
security of a system or application by identifying risks
officer, enterprise information security architect, and
and determining which identified risks have been
information system security engineer, examines the
mitigated to the extent that the cost (time, difficulty,
purpose of the information system and considers
etc.) to exploit them is greater than the expected gain
the feasibility of decomposing the system into more
from exploiting them. Where risks cannot be sufficiently
manageable components. The decomposition of an
mitigated, security authorization provides a process for
information system into multiple components, or
documenting these residual risks. This documentation
subsystems each with its own subsystem boundary,
provides information for an authorizing official or
facilitates a more targeted application of security
designated representative to use in determining
controls to achieve adequate security and a more
whether or not to allow the system to operate within
cost-effective risk management process. The system
the enterprise. A new or updated security authorization
decomposition into subsystem components is
is required when the system is initially deployed,
reflected in the security plan for that system.7
periodically in accordance with federal or agency policy,
and whenever a significant change to the system or Even though the complex information system
the operational environment occurs. (system of systems) is decomposed into subsystem
components that can be assessed independently, the
Practice of Security Authorization components of the system are defined up front and
In traditional (non-cloud computing) environments, the authorization is applied to the entire information
information resources are allocated to an information system.
system to define the boundary for that system.
Each subsystem component of a traditional information
Performing security authorization on these traditional
system includes hardware, an operating system,
systems requires defining the boundary; selecting,
network components, the data store, and the
implementing, and assessing the security controls; and
application with its user interface. Security controls,
making an authorization decision. Section 2.3 of NIST
as defined in NIST SP 800-53, Recommended Security
SP 800-37 Revision 1 states that—
Controls for Federal Information Systems, address
One of the most challenging problems for information all of these layers for each system. The selection,
system owners, authorizing officials, chief information implementation, and assessment of these security
officers, senior information security officers, controls, which are the criteria for security authorization
and enterprise information security architects is testing, are based on a view of systems as pre-defined
identifying establishing appropriate boundaries collections of platforms, data sources, applications,
for information systems. Well defined boundaries and user interfaces that are owned and operated by a
establish the scope of protection for organizational single organization for a known set of users.
information systems (i.e., what the organization
agrees to protect under its direct management Cloud Computing Security Authorization
control or within the scope of its responsibilities) Challenges
and include the people, processes, and information The traditional approach to security authorization lacks
technologies that are part of the systems supporting the flexibility to address CCE services. Exhibit 2 shows
the organization’s missions and business processes. a notional architecture for an IaaS CCE with multiple
6 Ibid. 7 Ibid.
3
5. consumers—also known as tenants—each operating which is required to perform a security authorization
unique applications. of their information system. Specific challenges to the
traditional security authorization approach encountered
The CCE depicted in Exhibit 2 shows that the
in community CCEs include the following:
physical, environmental, personnel, computing,
storage, and network security controls are under the • Traditional security authorization approaches require
direct management control of the CCE provider. The a separate security authorization of the CCE provider
“software layer” forms the foundation on which the for each of the potentially hundreds of consumers
CCE consumer’s information systems and applications (tenants).
depend. In the community CCE, the provider has
• The capability for near real-time expansion and
potentially hundreds of consumers or tenants, each of
contraction (or elasticity) of CCEs is a challenge
Exhibit 2 | Notional IaaS CCE With Traditional Security Authorization Boundary
er B
Consum re
Infras tructu
cture on 3
Applicati
Infrastru
rovider
ervice P
Cloud S
er A
Consum re
Infra structu on 4
Applicati
on 1 cation 1
Applicati Appli
on 3
Applicati n
Applicatio on 4
Applicati
on 2
n Applicati
Applicatio perating Sy
stem
O
n System hine
Applicatio Operating Virtual Mac
Applicatio
n em hine
Ope rating Syst Virtual Mac
Syst em hine
Operating Virtual Mac
hine
on 2 Virtual Mac
Applicati
Layer
Software
ion of g
Virtualizat Computin
Network r
Laye
Hardware
Storage Ser vers
Network
Laye r Storage
Hardware
Ser vers s
Facilitie
Network Personnel
Storage ta l
Environmen
Facilitie
s Physical
Personnel
ta l
Environmen
Physical
Source: Booz Allen Hamilton
4
6. in the traditional security authorization approach, security authorization boundary in this fashion requires
in which systems and components are statically addressing four different considerations:
defined.
• Establishing standardized system configurations that
• The varying degree of direct management control can be authorized by “type”
by the CCE consumer in the IaaS, PaaS, and SaaS
• Managing the potentially large and rapidly changing
service models and the directly associated degree
number of subsystems within a CCE
of risk for the corresponding service model must be
addressed. • Appropriately measuring the risk of the CCE provider
and consumer configurations
A security authorization approach is needed that
addresses these new security authorization challenges • Carefully analyzing the level of service the CCE
within the community CCE. provider is able to provide.
Service-level agreements (SLA) must be in place
A New Approach To Cloud Computing
between provider and consumer to ensure all parties
Security Authorization
understand and agree on the services being provided.
Ideally, security authorization for CCE services will
complement the flexible design and rapid deployment The independent authorization of the CCE provider
features of the services. Booz Allen Hamilton’s can allow the CCE consumer to inherit operational
recommended approach for achieving this goal is to security protections, just as traditional information
define each CCE provider service as an independent systems inherit operational security protections
information system with its own security authorization from their operational environment. This inheritance
boundary, as shown in the red box in Exhibit 3 model of security authorization can be applied within
(page 6). As a result, the line of demarcation between the provider CCE as well. For example, a separate
security controls under the direct management control assessment of each facility could be performed, and
of consumer and provider organizations is more easily the storage environment could be assessed separately.
and consistently determined. The individual assessments would be combined to
create an entity called the provider CCE security
In Booz Allen’s recommended approach, each
authorization.
community CCE provider service is independently
authorized, so each CCE consumer must authorize
CCE Provider Security Authorization
only the portion of the CCE services under its direct
CCE provider services comprise a collection of
management control. The CCE provider now performs
networks, servers, storage, and applications. These
one authorization per service offering, and each
hardware platforms exist in one or more physical
CCE consumer is accountable for authorizing the
sites, as shown in the “facilities” and “hardware
instantiation of its information system, thus inheriting
layer” of Exhibit 2. This CCE provider environment
the provider’s authorization of the underlying layers.
can be authorized following the existing approach for
Instead of relying on static information system
independently authorizing information systems.
boundaries, in Booz Allen’s approach the authorization
is centered on a given service offering, with specific NIST SP 800-37 Revision 1 defines three types of
requirements for any hardware, software, networks, security controls that must be allocated:
storage, and facilities used in support of the service.
• System-Specific Controls. Controls implemented
This shift in approach addresses the challenges within an information system
outlined in the previous section. Redefining the
5
7. • Common Controls. Controls inherited by an with the organization’s enterprise architecture and
information system information security architecture. By allocating
security controls to an information system (e.g.,
• Hybrid Controls. Controls that have both system-
access controls, identification and authentication
specific and common characteristics.8
controls, audit controls) or the system’s environment
NIST SP 800-37 Revision 1 also explains the following: of operation (e.g., physical and environmental
protection controls, personnel security controls),
Security controls are allocated either to an
the organization assigns responsibility to specific
information system or its environment of operation.
organizational entities for the development,
The allocation of security controls is consistent
Exhibit 3 | Notional IaaS CCE With Redefined Security Authorization Boundary
er B
Consum re
tu
In frastruc
cture on 3
tru Applicati
er Infras
e Provid
Clou d Servic
er A
Consum re
tu
In frastruc Applicati
on 4
n1 on 1
A pplicatio Applicati
on 3
Applicati n
Applicatio on 4
Application 2 n Applicati
Applicatio Syst em
Operating
n System hine
Applicatio Operating Virtual Mac
plication System hine
Ap Operating Virtual Mac
System hine
Operating Virtual Mac
hine
on 2 Virtual Mac
Applicati
rovider
Cloud P
Contr olled by
ers
IaaS Lay
Layer
Software
ion of g
Virtualizat Computin
Network
Layer
Hardware
Storage Ser vers
Network
Layer Storage
Hardware
Ser vers s
Facilitie
Network Personnel
Storage ta l
Environmen
Facilitie
s Physical
Personnel
Enviro nmental
Physical
Source: Booz Allen Hamilton
8 Ibid.
6
8. implementation, assessment, authorization, and recommended information security governance
monitoring of those controls.9 framework comprises seven management
processes: strategy and planning, policy portfolio
Using this model, the CCE provider and consumer
management, risk management, awareness and
establish a collaborative workgroup involving the chief
training, communication and outreach, compliance
information officer, senior agency information security
and performance management, and management
officers, authorizing officials, information system
oversight.10
owners, and information system security officers from
each organization. The purpose of this workgroup is • Establish terms and conditions for the provider and
to establish an agreement allocating security controls consumer CCE through SLAs, including the following:
to the CCE provider or the CCE consumer. The CCE
– Information Ownership. The organization
consumer then inherits the CCE provider security
documents the ownership of information and
controls as “common security controls” for the
asserts ownership [Assignment: organization-
purposes of the CCE consumer security authorization.
defined ownership type] of information stored
Exhibit 4 shows the shift in levels of inherited security
on information systems provided by the cloud
controls by CCE service model. This variation of
services provider through an SLA with that
inherited security controls does not affect the security
provider.
authorization approach.
– Right to Audit. The organization asserts the right
Evaluating the risks associated with deploying an
to audit the cloud services provider’s assurance
information system for which components outside
documentation and to review [Assignment:
the information system’s own authorization boundary
organization-defined frequency] third-party
provide the majority of its security control enforcement
assessment reports of the cloud services provider
is a challenge. The following strategies help address
through an SLA with the cloud services provider.
this challenge:
– Unauthorized Disclosure. The organization
• Establish and follow a governance framework that
asserts through an SLA with the cloud services
considers the unique challenges of the CCE. Our
provider that the provider may not disclose
Exhibit 4 | Shift of Controls by Service Model
Imp Consum
tions tions leme
nted er
Applica Imp Consum Applica Inhe
rited
leme
nted er Con Secur
trols ity Cap Auditin
abili
Con Secur
trols ity ties g
Platform as a Pre- +
Pre- Software c
as a c
Con ertified Se r vice Con ertified
figu
Platform figu
ratio (SaaS) ratio
ucture Ser vic e ns
Infrastr ice Inhe Inhe +
ns Inhe +
as a Se
rv ri
Cert ted Type (PaaS) rited Cert
rited
T
(IaaS) ifica Cert T
ifica ype ifica ype
tion tion tion
s s s
Source: Booz Allen Hamilton
9 Ibid. 10 This topic is addressed in depth by Booz Allen’s Information Security Governance:
Implications for the Cloud Computing Environment; available at www.boozallen.com.
7
9. organization-owned information without prior actual or proposed changes to the information
written approval of the organization’s authorizing system and its environment of operation.11
official.
• Test the system in a representative CCE
– Investigations. The organization asserts environment.
through an SLA with the cloud services provider
• Authorize the provider CCE independently.
the right to obtain results of security incident
investigations at the cloud services provider’s • Authorize the consumer CCE system for deployment
facilities and conduct follow-up investigations. on provider CCE.
– Information Dispersal. The organization CCE providers and CCE consumers can apply this
documents information dispersal restrictions same approach, resulting in a set of security controls
[Assignment: organization-defined restrictions] and identified vulnerabilities associated with the
and enforces these restrictions through an SLA service delivered by the CCE provider to each CCE
with the cloud services provider. consumer. The set of security controls and identified
vulnerabilities for each CCE provider may be different.
– Cloud Services Availability. The organization
Therefore, the residual risk associated with each
defines acceptable levels of availability
service offering may be different for each consumer
[Assignment: organization-defined system uptime,
CCE. It is important to take this into consideration
throughput and response time] through an SLA
when designing and deploying each consumer CCE.
with the cloud services provider.
A recommended list of security controls from NIST
• Establish formal communication procedures between
SP 800-53 Revision 3 that are applicable to CCEs is
CCE provider and consumer regarding upgrades and
available separately from this white paper.12 These
maintenance, computing resource allocation, and
controls should be considered a supplement to the
incident and emergency response.
control baseline for a given system.
• Conduct an independent risk assessment of the CCE.
CCE Consumer Security Authorization
• Allocate security control enforcement responsibilities
Using the CCE provider security authorization approach
to the CCE provider and consumer and identify
described above, individual CCE consumers still require
dependencies.
a new or updated security authorization package under
• Establish standardized system, subsystem, and some circumstances, including—
application configurations that can be authorized by
• When the system is initially deployed
type and then create hardened images implementing
applicable security controls to simplify the • Periodically in accordance with federal or agency
deployment of each subsystem type. policy
• Employ (for information system components under • Whenever a significant change to the system or
the CCE’s control) automated mechanisms to the operational environment of the consumer CCE
maintain an up-to-date, complete, accurate, and occurs.
readily available inventory for use in monitoring
To demonstrate compliance with the assigned
and management to address the dynamic nature of
security control baseline, it is necessary to first
CCEs (done by the CCE provider and consumer).
determine which organization (provider or consumer)
• Establish effective security change management is responsible for enforcing each security control and
processes, including security impact analyses on then to identify dependencies between the consumer
11 This topic is addressed in depth by Booz Allen’s Security Change Management: The
Answer to Evolving Security Requirements; available at www.boozallen.com.
12 Booz Allen-recommended security controls for CCEs; available at www.boozallen.com.
8
10. CCE and the provider CCE. The System Security Plan, security controls from the CCE where they reside. This
as defined by NIST SP 800-37, provides the means inheritance simplifies the requirements for security
to document the security controls designated as authorization of the type of system. Each unique
system-specific controls, common security controls, subsystem configuration and set of system-specific
and hybrid security controls. It is also important to controls is implemented using hardened images and,
identify operational conditions for the consumer CCE in turn, authorized without affecting the authorization
relevant to the specific provider CCE where the system status of the provider or consumer CCE. This approach
will be deployed. The conditions associated with that supports the dynamic nature of a CCE, in which a
environment will generally provide significant indicators number of authorized subsystems can rapidly increase
of the risk associated with the system environment. or decrease to support demand. The use of hardened
and authorized subsystem images further streamlines
Because the provider CCE security authorization
the deployment of each system type.
addresses many of the security controls for a
consumer CCE, the process of performing security
Automated Security Authorization Tool
authorization for a consumer CCE can be streamlined.
NIST SP 800-37 Revision 1 guidance encourages the
Consumer CCEs require continuous monitoring that
use of automation and automated support tools to
provides visibility into the provider CCE, combined with
provide senior leaders the necessary information to
effective security change management processes.
make credible, risk-based decisions with regard to the
Changes to the provider CCE necessitate an update
organizational information systems supporting their
of the security authorization for individual CCE
core missions and business functions. In harmony
consumers.
with this guidance, we strongly recommend that the
CCE provider and consumer implement an automated
Subsystem “Type” Authorization
security authorization process/compliance tool and
Subsystems are approved for operation based on the
create “parent-child” relationships between the
level of risk they introduce to the organization, which
environments. This tool would automate and streamline
depends on several factors. Two risk factors are (1) the
the security authorization process and generate
degree of compliance with the assigned set of security
all required NIST security authorization package
controls from NIST SP 800-53 and (2) the number
deliverables, while helping information assurance (IA)
and severity of the vulnerabilities identified in the
managers and senior decision makers comprehend the
subsystem design. Booz Allen recommends the use
scope and state of IA activities across their enterprise.
of hardened images with all of the applicable security
Specifically, this tool would track security control
controls applied wherever possible. All subsystems
allocations, dependencies, and inheritance; simplify the
exist within network boundaries and rely on the
generation of security authorization evidence required
boundary protection devices of the network to provide
by CCE consumers; and simplify the maintenance of
security. Subsystems that exist within a common
CCE provider security control implementations.
set of boundary protection devices are authorized
separately. NIST SP 800-37 Revision 1 allows for
a subsystem (with its own subsystem boundary) to
be authorized by type to facilitate a more targeted
application of security controls to achieve adequate
security and a more cost-effective risk management
process. This type authorization of standardized
subsystems or applications, within the provider or
consumer boundaries, allows the inheritance of
9
11. Conclusion • Establish SLAs Between CCE Provider and
Security authorization can be accomplished in a Consumer. SLAs must be in place between the
community CCE—while maintaining the rapid elasticity provider and consumer to ensure all parties
and other characteristics of CCEs—by implementing understand and agree on the services provided.
the following six actions: Six key areas for SLAs are described in the CCE
Provider Security Authorization section.
• Redefine the Concept of Information System
Boundaries. CCEs comprise resource pools of Booz Allen understands the unique security
networks, servers, storage, applications, and authorization challenges our federal government clients
services that expand and contract to support face when deploying CCEs. Our approach to security
demand. As a result, each CCE is considered a authorization for civil community CCEs provides a
system for the purposes of security authorization. framework to help organizations successfully address
the challenges of these environments. We have the
• Authorize Provider CCE, Consumer CCE, and experience to identify and solve today’s problems, and
Subsystems. Subsystems are dependent on the we can tailor our approaches to any organization’s
environment in which they operate, which includes specific needs. Booz Allen offers a full spectrum
the provider CCE and consumer CCE. Subsystem of security services for program assessment, risk
type authorization is performed today, enabling management, security architecture, design and
streamlined security authorization for provider and system implementation, security monitoring, solution
consumer CCEs as independent systems. integration and testing, security authorization,
• Identify an Appropriate Inheritance Mechanism operations security assessment, and compliance
for CCEs. Authorization of individual CCEs requires determination.
identifying which security controls each consumer
CCE inherits from its provider CCE so that the
security authorization of the consumer CCE can focus
on only the controls the service does not inherit.
• Identify an Appropriate Mechanism for Monitoring
and Management of CCE. CCEs comprise resource
pools of networks, servers, storage, applications,
and services that expand and contract to support
demand. As a result, each CCE must leverage
automated tools to maintain an up-to-date,
complete, accurate, and readily available inventory
of information system components for use in
monitoring and management.
• Measure the Risk of the CCE Provider and
Consumer Configurations Appropriately. Risk
assessment of the CCE must address the unique
analysis, mitigation, and continuous management
and identification of risks within CCEs. The output
of the risk assessment should be strategies for
sustained compliance with the guidelines of NIST SP
800-53 during the SDLC.
10
12. Appendix A Acronyms
C&A Certification and Accreditation
CCE Cloud Computing Environment
CIO Chief Information Officer
FISMA Federal Information Security Management Act
IaaS Infrastructure as a Service
NIST National Institute of Standards and
Technology
OMB Office of Management and Budget
PaaS Platform as a Service
RMF Risk Management Framework
SaaS Software as a Service
SDLC System Development Lifecycle
SLA Service-Level Agreement
SP Special Publication
11
13. Appendix B Cloud Computing Definitions13 Service Models
Cloud Software as a Service (SaaS). The capability
Essential Characteristics provided to the consumer is to use the provider’s
On-Demand Self-Service. A consumer can applications running on a cloud infrastructure. The
unilaterally provision computing capabilities, such applications are accessible from various client
as server time and network storage, as needed devices through a thin client interface, such as a
automatically without requiring human interaction web browser (e.g., web-based e-mail). The consumer
with each service’s provider. does not manage or control the underlying cloud
Broad Network Access. Capabilities are available infrastructure, including network, servers, operating
over the network and accessed through standard systems, storage, or even individual application
mechanisms that promote use by heterogeneous capabilities, with the possible exception of limited
thin or thick client platforms (e.g., mobile phones, user-specific application configuration settings.
laptops, PDAs). Cloud Platform as a Service (PaaS). The capability
Resource Pooling. The provider’s computing provided to the consumer is to deploy onto the
resources are pooled to serve multiple consumers cloud infrastructure consumer-created or acquired
using a multi-tenant model, with different physical applications created using programming languages
and virtual resources dynamically assigned and and tools supported by the provider. The consumer
reassigned according to consumer demand. There does not manage or control the underlying cloud
is a sense of location independence in that the infrastructure, including network, servers, operating
customer generally has no control or knowledge systems, or storage, but has control over the
over the exact location of the provided resources deployed applications and possibly application
but may be able to specify location at a higher level hosting environment configurations.
of abstraction (e.g., country, state, datacenter). Cloud Infrastructure as a Service (IaaS).
Examples of resources include storage, processing, The capability provided to the consumer is to
memory, network bandwidth, and virtual machines. provision processing, storage, networks, and
Rapid Elasticity. Capabilities can be rapidly and other fundamental computing resources where
elastically provisioned, in some cases automatically, the consumer is able to deploy and run arbitrary
to quickly scale out and rapidly released to quickly software, which can include operating systems
scale in. To the consumer, the capabilities available and applications. The consumer does not manage
for provisioning often appear to be unlimited and or control the underlying cloud infrastructure but
can be purchased in any quantity at any time. has control over operating systems, storage, and
deployed applications and possibly limited control of
Measured Service. Cloud systems automatically select networking components (e.g., host firewalls).
control and optimize resource use by leveraging
a metering capability at some level of abstraction Deployment Models
appropriate to the type of service (e.g., storage, Private Cloud. The cloud infrastructure is operated
processing, bandwidth, active user accounts). solely for an organization. It may be managed by
Resource usage can be monitored, controlled, the organization or a third party and may exist on
and reported, providing transparency for both the premise or off premise.
provider and consumer of the utilized service.
Community Cloud. The cloud infrastructure is
shared by several organizations and supports
a specific community that has shared concerns
13 Draft NIST working definition of cloud computing v15; http://csrc.nist.gov/groups/SNS/
cloud-computing/index.html.
12
14. (e.g., mission, security requirements, policy, and
compliance considerations). It may be managed by
the organization or a third party and may exist on
premise or off premise.
Public Cloud. The cloud infrastructure is made
available to the general public or a large industry
group and is owned by an organization selling cloud
services.
Hybrid Cloud. The cloud infrastructure is a
composition of two or more clouds (private,
community, or public) that remain unique entities
but are bound together by standardized or
proprietary technology that enables data and
application portability (e.g., cloud bursting for load
balancing between clouds).
12
15. About Booz Allen
Booz Allen Hamilton has been at the forefront of information technology, systems engineering, and
strategy and technology consulting for 95 years. Every program management, Booz Allen is committed to
day, government agencies, institutions, corporations, delivering results that endure.
and not-for-profit organizations rely on the firm’s
With more than 22,000 people and $4.5 billion in
expertise and objectivity, and on the combined
annual revenue, Booz Allen is continually recognized
capabilities and dedication of our exceptional people
for its quality work and corporate culture. In 2009, for
to find solutions and seize opportunities. We combine
the fifth consecutive year, Fortune magazine named
a consultant’s unique problem-solving orientation
Booz Allen one of “The 100 Best Companies to Work
with deep technical knowledge and strong execution
For,” and Working Mother magazine has ranked the
to help clients achieve success in their most critical
firm among its “100 Best Companies for Working
missions. Providing a broad range of services in
Mothers” annually since 1999.
strategy, operations, organization and change,
Contact Information:
Perry Bryden Daniel C. Kirkpatrick Farideh Moghadami
Associate Associate Associate
bryden_perry@bah.com kirkpatrick_daniel@bah.com moghadami_farideh@bah.com
703/984-1105 703/377-4165 703/377-7979
To learn more about the firm and to download digital versions of this article and other Booz Allen Hamilton
publications, visit www.boozallen.com.
13