Category Archives: policies

FedRAMP : Cloud Controls to Manage Risk

Just like I did for FISMA, I wanted to review the Federal Risk and Authorization Management Program Security Controls (FedRAMP) current release and provide you with my view of it. They indicate the purpose of the document is to “list the security controls and corresponding enhancements that Federal Agencies and Cloud Service Providers (CSP) must implement within a cloud computing environment to satisfy FedRAMP requirements”. They stated that “the controls were selected to address the unique risks of cloud computing environments, including but not limited to: multi-tenancy, visibility, control/responsibility, shared resource pooling, and trust.” I have broken it into specific categories below. It is also broken into the control number and name, control baseline, control parameter requirements, and additional requirements and guidance. They also indicated that it is designed to go with NIST SP 800-53 rev 3. Now compared with FISMA, FedRAMP was completely spelled out in an Excel sheet… no creative writing on their part. And when it comes down to it… a completely different message and path of possibly getting to the same place. FISMA provides guidance and FedRAMP provides controls.

If we stick with FISMA as a relationship guideline, we can say that FedRAMP is the “must haves” for any relationship. For instance, I don’t want to be in a relationship with a guy unless he is 5’10″ or taller, blue eyes, dark hair, and can make me laugh (just to clarify, these aren’t actually my requirements… exactly). Now where is that “same place” that these entities were trying to get to? In my opinion these documents were implemented in order to progress movement into the cloud and make users feel better getting there. The question becomes which way you are helping entities. Are you educating them so that they feel better, or are you educating them by telling them you must have capabilities and not really explaining why? Personally I believe in educating people and not just telling them how it should be or what you must have. Are there any exceptions to the controls, or is it this way or nothing? A prime example is auditable events: AU-2(4) indicates a requirement that “the service provider configures the auditing features of operating systems, databases, and applications to record security-related events, to include logon/logoff and all failed access attempts”. That’s it? No other events?

Don’t get me wrong, anything that promotes movement into the cloud and anything that helps people with that process is great in my eyes. No matter whether they guide you or tell you exactly where to go, documents like these are necessary. I just question the method by which we get people there. I believe in simplicity, I believe that you need to educate those that are on the journey, but this is not easy. I mean the NIST document is 237 pages… that is not simplification. How does 237 pages of ONE document help us? This isn’t a relationship guide, this makes me want to stay single the rest of my life.

1.1 : Access Control (AC)
1.2 : Awareness and Training (AT)
1.3 : Audit and Accountability (AU)
1.4 : Assessment and Authorization (CA)
1.5 : Configuration Management (CM)
1.6 : Contingency Planning (CP)
1.7 : Identification and Authentication (IA)
1.8 : Incident Response (IR)
1.9 : Maintenance (MA)
1.10 : Media Protection (MP)
1.11 : Physical and Environment Protection (PE)
1.12 : Planning (PL)
1.13 : Personnel Security (PS)
1.14 : Risk Assessment (RA)
1.15 : System and Services Acquisition (SA)
1.16 : System and Communications Protection (SC)
1.17 : System and Information Integrity (SI)


Policies Are (some) Man’s Best Friend

I recently got into a discussion (not an argument… a discussion) with a fellow electrical engineer. We were discussing the impact of Steve Jobs and his recent passing. To be completely honest, I am a true Apple believer through and through. To the 6 iPods, 3 Mac laptops, iPad, iPhone, AirPort, and my personal favorite, Apple TV that I own… wait, let’s not forget the Apple stock… I believe in Apple but most importantly, I trust them. If you look at a couple of blog posts back, you will see my triangle of trust. Part of that triangle is TRUST… another part is POLICY. Apple has policies. In order to get an application into their App Store, you need to meet their policies. I love the fact that because I purchase items from the App Store my risk level is reduced. Not just any app can go into the store. Clearly I do not jailbreak my iPhone; I find no reason to. Why? I use my phone for personal use (and a BlackBerry for work), I don’t need an unstable, insecure environment, I don’t need to put myself into any more risk.

You see, my fellow EE wanted to submit some apps and he was upset because his apps didn’t meet Apple’s policies. He didn’t like this fact at all, but he seemed to forget who he was writing the app for. As I tried to explain to him, not everyone that accesses the App Store is an EE. This is a smart phone, but that doesn’t necessarily mean that everyone that uses it is smart. Policies are in place to protect those that don’t quite understand the ramifications of their actions. The policy for password configuration is there so that people don’t use “password” for their password. When people use this word, they clearly are not thinking about security. So what do we have to do? Put a policy in place that says you must use special characters, capitals, etc. At least make it harder to get hacked and make it “P@$$w0rd”… let’s make them work for it. If you don’t have policies like this, people will do anything. This isn’t just needed for security; we have policies for everything, both for personal and authoritative reasons. Policies such as locking the door at night, turning the alarm on, turning the lights off when you leave the room, wearing a helmet when I snowboard, speed limits, wearing seat belts, or wearing a helmet when I ride a motorcycle. Policies are everywhere and they create stability, so why would you not use them in your data center and your corporate environments? The kids need to be home by 11:00 pm, so why wouldn’t you ensure virtual machines are deleted?

It would be great if we lived in a world where policies did not need to be implemented. I would love that, and I am not saying that we need to have rules for everything. I understand his frustration and I understand this is why he does not have an iPhone, but if you forget who your audience is, if you forget the level of security knowledge that is out there, then maybe your app should not be available in the store. I am not saying that the App Store is perfect and that all apps are 100% safe, but when I am still explaining to my nephews and nieces about the information they are posting on Facebook and YouTube, then I will take the policies. It gives us all one less thing to worry about… I will take that any day.
