Posted December 12th, 2011 by rybolov
Contrary to what you might hear this week in the trade press, FedRAMP is not fully unveiled although there was some much-awaited progress. There was a memo that came out from the administration (PDF caveat). Basically what it does is lay down the authority and responsibility for the Program Management Office and set some timelines. This is good, and we needed it a year and a half ago.
However, people need to stop talking about how FedRAMP has solved all their problems because the entire program isn’t here yet. Until you have a process document and a catalog of controls to evaluate, you don’t know how the program is going to help or hinder you, so all the press about it is speculation.
Posted in DISA, FISMA, NIST, Outsourcing, Risk Management | No Comments »
Tags: 800-37 • 800-53 • 800-53A • accreditation • C&A • catalogofcontrols • categorization • certification • cloud • cloudcomputing • comments • compliance • dhs • fedramp • fisma • government • infosec • infosharing • itsatrap • management • moneymoneymoney • NIST • omb • scalability • security
Posted April 26th, 2011 by rybolov
Interesting blog post on Microsoft’s TechNet, but the real gem is the case filing and summary from the DoJ (usual .pdf caveat applies). Basically the Reader’s Digest Condensed Version is that the Department of Interior awarded a cloud services contract to Microsoft for email. The award was protested by Google for a wide variety of reasons, you can go read the full thing for all the whinging.
But this is the interesting thing to me even though it’s mostly tangential to the award protest:
- Google has an ATO under SP 800-37 from GSA for its Google Apps Premiere.
- Google represents Google Apps for Government as having an ATO which, even though 99% of the security controls could be the same, is inaccurate as presented.
- DOI rejected Google’s cloud because it had state and local (sidenote: does this include tribes?) tenants which might not have the same level of “security astuteness” as DOI. Basically what they’re saying here is that if one of the tenants on Google’s cloud doesn’t know how to secure their data, it affects all the tenants.
So this is where I start thinking. I thunk until my thinker was sore, and these are the conclusions I came to:
- There is no such thing as “FISMA Certification”, there is a risk acceptance process for each cloud tenant. Cloud providers make assertions of what common controls that they have built across all
- Most people don’t understand what FISMA really means. This is no shocker.
- For the purposes of this award protest, the security bits do not matter because
- This could all be solved in the wonk way by Google getting an ATO on their entire infrastructure and then no matter what product offerings they add on top of it, they just have to roll it into the “Master ATO”.
- Even if the cloud infrastructure has an ATO, you still have to authorize the implementation on top of it given the types of data and the implementation details of your particular slice of that cloud.
And then there’s the “back story” consisting of the Cobell case and how Interior was disconnected from the Internet several times and for several years. The Rybolov interpretation is that if Google’s government cloud potentially has tribes as a tenant, it increases the risk (both data security and just plain politically) to Interior beyond what they are willing to accept.
Obligatory Cloud photo by jonicdao.
Posted in FISMA, NIST, Outsourcing | 2 Comments »
Tags: 800-37 • 800-53 • accreditation • certification • cloud • cloudcomputing • compliance • fisma • government • infosec • management • NIST • risk • security
Posted November 22nd, 2010 by rybolov
Considering that it’s a secondary source and therefore subject to being corrected later in an official announcement, but this is pretty big. Requiring the Departments and Agencies to consider cloud solutions both scares me (security, governance, and a multitude of other things about rushing into mandated solutions) and excites me (now cloud solutions are formally accepted as viable).
However, before you run around either proclaiming that “this is the death of serverhuggers” or “the end is nigh, all is lost” or even “I for one welcome our fluffy white overlords”, please consider the following:
- A “secure, reliable, cost-effective cloud option” is a very loaded statement very open to interpretation
- They already have to consider open source solutions
- They already have to consider in-sourcing
- They already have to consider outsourcing
- “Cloud” more often than not includes private clouds or community clouds
- Isn’t this just another way to say “quit reinventing the wheel”?
- Some Government cloud initiatives are actually IT modernization initiatives riding the bandwagon-du-jour
- Switching from Boeing, Northrup, and SAIC beltway bandit overlords to Google, Amazon, and SalesForce cloud overlords still mean that you have overlords
Posted in Outsourcing, Rants | 2 Comments »
Tags: cashcows • cloud • cloudcomputing • fedramp • google • government • itsatrap • management • moneymoneymoney • scalability
Posted June 2nd, 2010 by rybolov
A couple of weeks ago I went to the NIST Cloud Conference for the afternoon security sessions. You can go grab the slides off the conference site. Good stuff all around.
Come to think of it, I haven’t blogged about FedRAMP, maybe it’s time to.
FedRAMP is a way to do security authorization (formerly certification and accreditation, get with the times, man) on a cloud then let tenant projects use that authorization. Hmmm, sounds like…. a General Support System with common controls and Major Applications that inherit those controls. This isn’t really anything new, just the “bread and butter” security management concepts scoped to a cloud. Basically what will happen with FedRAMP is that they have 3 standards: DoD, DHS, and GSA (most stringent first) and cloud providers get authorized against that standard. Then when a project wants to build on that cloud, they can use that authorization for their own authorization package.
All things considered, FedRAMP is an awesome idea. Now if we can get the holdout agencies to actually acknowledge their internal common controls, I’ll be happy–the background story being that some number of months ago I was told by my certifier that “we don’t recognize common controls so even though you’re just a simple web application you have to justify every control even if it’s provided to you as infrastructure.” No, still not bitter at all here, but I digress….
And then there are the pieces that I haven’t seen worked out yet:
- Mechanism of Sharing: As a service provider, it’s hard enough to keep one agency happy. Add in 5 of them and it gets nearly impossible. This hasn’t really been figured out, but in Rybolov’s small, myopic world, a panel of agencies owning an authorization for a cloud provider means that the cloud never gets authorized. The way this has been “happening in the wild” is that one agency owns the authorization and all the other agencies get the authorization package from that agency.
- Using FedRAMP is Optional: An agency or project can require their own risk assessment and authorization even though a FedRAMP one is available. This means that if the agency’s auditors don’t understand the process or the “risk monkeys” (phrase courtesy of My Favorite Govie) decree it, you lose any kind of cost savings and time savings that you would get by participating in FEDRAMP.
- Cloud Providers Rule the Roost: Let’s face it, as much as the Government wants to pretend that the cloud providers are satisfying the Government’s security requirements, we all know that due to the nature of catalogs of controls and solution engineering, the vendor here has the advantage. Nothing new, it’s been happening that way with outsourcing, only now it’s immediately evident. Instead of trying to play ostrich and stick our heads in the sand, why don’t we look at the incentives for the cloud providers and see what makes sense for their role in all this.
- Inspector General Involvement: I don’t see this happening, and to be honest, this scares the hell out of me. Let me just invoke Rybolov’s Law: “My solution is only as good as my auditor’s ability to understand it.” IE, if the IGs and other auditors don’t understand FedRAMP, you don’t really have a viable solution.
The Big Ramp photo by George E. Norkus. FedRAMP has much opportunity for cool photos.
Posted in FISMA, NIST, Outsourcing, Risk Management, What Doesn't Work, What Works | 2 Comments »
Tags: 800-37 • 800-53 • accreditation • C&A • catalogofcontrols • categorization • certification • cloud • compliance • dhs • fedramp • fisma • government • infosec • management • NIST • risk • scalability • security
Posted May 25th, 2010 by rybolov
As I’m going through a wide variety of control frameworks in a managed services/cloud environment, I’m reminded of how controls work when you’re a service provider. Mentally, I break them down into four “buckets”:
- Controls that I provide to all customers as part of my baseline. In other words, these are things that I do for all of my customers because it’s either part of the way that I do business or it makes sense to do it once and scale it out to everybody. Typically these are holistic information security program things (ISO 17799/27001/27002 or similar) matched up with my service-delivery architecture.
- Controls that I provide as an add-on service. Not all of my customers need these but I want to offer them to my customers to help them with their security program. Usually these are services and products supporting a regulatory framework specific to one industry: PCI-DSS, FISMA, GLBA, etc fit in here if my market is not exclusive to customers governed by those regulations. In order to keep the base cost for the other customers low, these aren’t included in the base service but are available for a price.
- Controls that I am planning on building. I don’t have them yet but they’re on my roadmap. Sometimes this is how I get into new markets by building the products and services that match up against the regulatory framework for that market, then build to that as a specification.
- Controls that I will not provide. Maybe this control doesn’t apply to my products and service (The “We don’t actually own a Windows/HP-UX/AIX server” problem). Maybe the controls framework didn’t scope my solutions into its assumptions. Maybe the economics of this didn’t work out. Maybe I don’t provide this because it’s dishonest for both myself and you as my customer for me to say I provide this–think along the lines of accepting risk on your behalf which puts me into a conflict of interest. This is why any vendor who says they provide 100% compliancy against FooFramework is lying.
Transparency ties it all together. The good providers will tell you upfront which controls belong in which buckets.
Tool Bucket photo by tornatore.
Posted in Outsourcing, What Works | 2 Comments »
Tags: 800-53 • accreditation • auditor • catalogofcontrols • certification • compliance • infosec • infosharing • management • scalability • security
Posted December 13th, 2009 by rybolov
A small presentation Dan Philpott and I put together for Potomac Forum about getting sane social media policy out of your security staff. I also recommend reading something I put out a couple of months ago about Social Media Threats and Web 2.0.
Posted in FISMA, NIST, Outsourcing, Risk Management, Speaking | 4 Comments »
Tags: 800-53 • accreditation • catalogofcontrols • certification • compliance • fisma • gov20 • government • infosec • infosharing • itsatrap • management • NIST • omb • risk • scalability • speaking