云计算与建筑设计IT安全等CloudComputingArchitectureIT SecurityOperational Perspectives.pptVIP

FISMA Clouds IaaS Customer Security Plan Coverage Options At inception little guidance existed on cloud computing control responsibilities security plan coverage FedRAMP primarily addresses cloud provider responsibilities Other than control parsing definitions Customers are given little guidance on implementing and managing FISMA requirements in a highly dynamic shared management environment We have developed the following options: Option Description Issues Customer Owned Customer responsible for own security plan with no assistance from provider None to Providers Burdensome to customers Facilitated Customer responsible for own security plan using NASA template May still be burdensome to customers. Not scalable unless automated. Agency Owned Agency or Center level “Group” security plans associated with Cloud providers serve as aggregation point for customer. May be burdensome to Agency or Center. Requires technology to automate input and aggregation of customer data. FISMA Clouds Current NASA Requirements/Tools may Impede Cloud Implementation Default security categorization of Scientific and Space Science data as “Moderate” Independent assessment required for every major change Currently requires 3rd party document-centric audit Not scalable to cloud environments e-Authentication/AD integration required for all NASA Apps NASA implementations don’t currently support LDAP/SAML-based federated identity management Function-specific stove-piped compliance tools STRAW/PIA tool/AA Repository/NASA electronic forms Can’t easily automate compliance process for new apps * FISMA Clouds Emerging Developments in FISMA Clouds Interagency Cloud Computing Security Working Group is developing additional baseline security requirements for cloud computing providers NIST Cloud Computing guidance forthcoming? Move towards automated risk models and security management tools over documentation On the bleeding edge - changing guidance requirements ar