RMF and the Cloud
P. Devon Schall
Probably the most talked-about concept in information technology today is cloud computing, often simply called “The Cloud.”
According to the National Institute of Standards and Technology (NIST), cloud computing is “a model for enabling ubiquitous, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.”
For the past few years, departments and agencies across the government have been aggressively pursuing “migration” of systems and applications to the cloud in order to save money and “deliver public value” by increasing operational efficiency.
Moving away from traditional data centers and into the cloud provides a variety of challenges, particularly in the area of information security landscape.
In a survey recently conducted amongst IT professionals, the top three rated cloud issues were security, availability, and performance. These concerns impact the level of trust consumers have with their data existing in a cloud environment.
The top seven cloud security risks and summaries as published by Cloud Security Alliance are listed below:
- Privileged user access. Sensitive data processed outside the enterprise brings with it an inherent level of risk
- Regulatory compliance. Cloud computing providers may be hesitant to undergo external audits and security certifications
- Data location. The customer probably doesn’t know exactly where their data is hosted
- Data segregation. Data segregation. Data in the cloud is typically in a shared environment alongside data from other customers creating confidentiality concerns
- Recovery. A cloud provider should be able to tell what will happen to the data and service in case of a disaster
- Investigative support. Investigating inappropriate or illegal activity may be more difficult in the cloud computing environment
- Long-term viability. Data and logging should remain available even after services are discontinued
The federal government has taken steps to mitigate these risks and concerns in order to facilitate cloud migration without compromising security.
The Federal Risk and Authorization Management Program (FedRAMP) is a government-wide program that provides a standardized approach to security assessment, authorization and continuous monitoring for cloud products and services. FedRAMP utilizes a baseline set of agreed-upon standards and includes independent evaluation of cloud service providers by authorized Third Party Assessment Organizations (3PAOs).
Sounds an awful lot like the Risk Management Framework (RMF), doesn’t it? In fact, the “baseline set of standards” used by FedRAMP is derived from the very same “security controls catalog” used in RMF.
In the DoD world, the Defense Information Systems Agency (DISA) has established its own cloud authorization program that is essentially an enhanced version of FedRAMP.
Numerous resources exist to support these efforts. The Cloud Computing Security Requirements Guide published by NIST is an invaluable resource in reviewing and ensuring adequate system hardening. DISA Security Technical Implemental Guides (STIGs) are also utilized to verify the risk and threats listed above mitigated.
What is the relationship between RMF and the Cloud? It depends on your perspective.
Cloud computing service providers such as Amazon GovCloud typically undergo an RMF-like authorization process such as FedRAMP or the DISA cloud authorization RMF and the Cloud from Page 1 process. This results in formal authorization by the government, very similar to the RMF Authorization to Operate (ATO). Typically this authorization will include a suite of inheritable controls.
Application owners developing new software for deployment to the cloud, or those migrating existing applications from government data centers to cloud service providers, will follow the normal RMF life cycle leading to ATO. The process will be facilitated by inheritance of controls from the cloud service provider. Typically, control families such as Physical and Environmental, Media Protection and Maintenance can be inherited by the application owner.