Procuring Cloud Based Services Federal Policies

Transcription

1

2 Procuring Cloud Based Services Federal Policies Breakout Session #: D10 Presented by: Pourya Dehnadi Date: Tuesday, July 25, 2017 Time: 11:15am -12:30pm 1

3 The Struggle cio.com in 2016 published: 5 years into the cloud-first policy CIOs still struggling ( "The greatest challenge is not getting a contract in place, but what you find out is where those boundaries cross of who's now responsible because you're in a different infrastructure set-up, and what the cloud provider's going to do versus the contract staff, versus the application support staff versus the infrastructure staff," Marlon Andrews, CIO at NARA The CIO Council and Chief Acquisition Officers Council jointly authored: Creating Effective CloudComputing Contracts for the Federal Government in

4 The CIOC/CAOC Document Selecting a Cloud Service Cloud Service Provider (CSP) and End-User Agreements Service Level Agreements (SLA) Role and Responsibilities (CSP, Agency, Contractor) Standards Security Privacy Electronic Discovery FOIA Electronic Records: compliance with Federal Records Act Source: Creating Effective Cloud Computing Contracts for the Federal Government, CIO Council and Chief Acquisition Officers Council 3

5 Select a Cloud Service: Service Types X as a Service Software as a Service (SaaS) Platform as a Service (PaaS) Infrastructure as a Services (IaaS) Desktop as a Service (DaaS) 4

6 Select a Cloud Service: SaaS - Software Subscription-based, provide full functionality Office 365 Netflix and Spotify Quickbooks Online Harvest and Expensify 5

7 Select a Cloud Service: PaaS - Platform Cloud-based services used to build other services Google App Engine AWS Elastic Beanstalk Twilio: SMS and Phone calls CloudFoundry Heroku 6

8 Select a Cloud Service: IaaS - Infrastructure Varying Pricing Models Reserved, On Demand, Spot Services VM, Storage, Network, Content Distribution Examples Amazon Web Services Microsoft Cloud, Azure Google Cloud IBM SmartCloud 7

9 Select a Cloud Service: DaaS - Desktop Virtualized Desktops that can be launched on most computers. Amazon Workspaces Microsoft Azure is providing Windows 10 through Citrix: XenDesktop 8

10 CSP and End-User Agreements CSP will ask Federal Agency to sign a Terms of Service (TOS) agreement Federal Agency should ask CSP to sign an NDA This sets up expectations moving forward 9

11 Service Level Agreements SLAs are your Roadmap and Warranty They need to be READ They need to be TESTED, for example, if the SLA claims that data transport is secure, make sure that it is. Thomas Trappler writes in a paper titled, If It s in the Cloud Get it on Paper: Cloud Computing Contract Issues that you should ensure that the contract: Codifies parameters and minimums for each service and lists remedies for not meeting them. Affirms your institutions ownership of data and your right to get it back. Details the system infrastructure and security, and your right to audit. Specifies your rights to continue or discontinue the service. 10

12 Service Level Agreements Parameters City of LA Contract 11

13 Service Level Agreements Data Ownership - AWS 12

14 Service Level Agreements Termination Lexis Nexis From Drafting and Negotiating Effective Cloud Computing Agreements : At Customer s request, Provider will provide a copy of Customer Information to Customer in an ASCII comma-delimited format on a CD-ROM or DVD-ROM. Upon expiration of this Agreement or termination of this Agreement for any reason, Provider shall (a) deliver to Customer, at no cost to Customer, a current copy of all of the Customer Information in the form in use as of the date of such expiration or termination and (b) completely destroy or erase all other copies of the Customer Information in Provider s or its agents or subcontractors possession in any form, including but not limited to electronic, hard copy, or other memory device. At Customer s request, Provider shall have its officers certify in writing that it has so destroyed or erased all copies of the Customer Information and that it shall not make any use of the Customer Information. 13

15 Service Level Agreements Audit Salesforce.com 14

16 Roles and Responsibilities the greatest challenge we're having now is defining roles and responsibilities and who's going to do what Marlon Andrews, CIO.com Cloud Service Provider, Agency, and the Integrator: who does what? Buying directly from CSP vs through the Integrator: pros and cons. 15

17 Roles and Responsibilities AWS Shared Responsibility Model 16

18 Standards Standard Bodies: Cloud Security Alliance Distributed Management Task Force National Institute of Standards and Technology (NIST) Open Cloud Consortium (OCC) Object Management Group (OMG) Cloud Computing Interoperability Group (CCIG) 17

19 Standards NIST: SP : NIST Cloud Computing Roadmap SP : NIST Cloud Computing Reference Architecture RA defines the following actors: Consumer, Provider, Broker, Auditor, and Carrier Map the actors in your contract to the NIST RA 18

20 Security: What to Consider Security Primer Infrastructure as Code Firewall everything Characterize the data being stored using FISMA (FIPS-199) Risk Levels FedRAMP Compliance 19

21 Security Primer 4 Facets Confidentiality Integrity Availability Non-Repudiation Can the user action be repudiated by the user? Not in FISMA (FIPS 199) 20

22 Security Risk Levels FIPS 199 Objective Low Moderate High Confidentiality Unauthorized disclosure has a limited adverse effect Unauthorized disclosure has a serious adverse effect Unauthorized disclosure has a severe/catastrophic adverse effect Integrity Unauthorized modification or destruction of information has a limited adverse effect Unauthorized modification or destruction of information has a serious adverse effect Unauthorized modification or destruction of information has a severe/catastrophic adverse effect Availability Disruption of access or use has a limited adverse effect Disruption of access or use has a serious adverse effect Disruption of access or use has a severe/catastrophic adverse effect 21

23 Security - FedRAMP AWS East Region Console 22

24 Security - FedRAMP AWS GovCloud Console SES is missing! Really? 23

25 Security - FedRAMP What s covered? Visit Look under JAB Provisional Auths, Agency Auths, or CSP Find the company and product Check its status 24

26 Security - FedRAMP 25

27 Security - FedRAMP 26

28 Security Regulatory Considerations FAR Section FISMA compliance as part of Acquisition process OMB Circular A-130 NIST SP ITAR Compliance 27

29 Privacy Personally Identifiable Information (PII) information which can be used to distinguish or trace an individual s identity, such as their name, social security number, biometric records, etc. alone or when combined with other personal or identifying information which is linked or linkable to a specific individual, such as date and place of birth, mother s maiden name, etc. - OMB 28

30 Privacy Subsection (m) of Privacy Act of 1974 Applicable to any system of record containing PII data Includes Agency and Provider Civil and Criminal Penalties for failure Privacy Impact Assessment E-Government Act of 2002 Conducted during security authorization per FISMA; applies to new systems and updates 29

31 Privacy Location, Location, Location Which countries is my data in and which countries is it going through? Safe Harbor: US-EU Privacy Shield Framework and US- Swiss Privacy Shield Framework Ironically, many countries don t trust us: 27% of UK and Canadian small business IT firms moved data out of the US because of the NSA scandal in Brazil wants to build its own direct connect to EU so that their data doesn t travel through the US. Agencies must establish the countries where the data is exposed at rest or in transit 30

32 Privacy ITAR compliance requires that data stays in the US. AWS GovCloud Region is an example of a service designed for ITAR compliance 31

33 E-Discovery Prepare data stored in the cloud for the discovery process of litigation. In Re Fannie Mae: Agency was found in contempt for failing to meet discovery deadlines after it had spent 9% of its budget trying to comply! 5 areas to address: information management: assert ownership, demand notice search and retrieval: state terms for access storage and preservation: state terms for retention, encryption, etc. transfer: export and chain of custody cost: incorporate e-discovery in the requirements 32

34 FOIA Similar to E-Discovery requirements In addition, reporting of FOIA actions is required Cloud storage + Search can provide a highly efficient FOIA solution that has built in deduplication and de-conflicting. 33

35 Electronic Records Federal Records Act (FRA) requirement of an Agency remains when a Cloud Provider takes over. The Provider needs to be aware of the Agencies requirements under FRA. Handling of permanent records to NARA has to be considered. Destruction of records has to be confirmed and performed according to a schedule. Transition of records should be planned proactively in the event the provider changes. 34

36 Prepare to Buy Make a checklist to use across multiple procurements Know what data you re storing and its risk level In the acquisition plan, research XaaS options 35

37 Prepare to Buy Does the architecture actually leverage the benefits inherent to the cloud, like cost optimization and scaling Is the IS architecture compliant with regulations out of the box? 36

38 Prepare to Buy Look at the cloud provider s partner network as an option. There are many small business partners that can get the job done. Look for interdisciplinary skills, which may include a specific technology or business domain, like Healthcare. Meet SBA requirements by using the small business partners as an alternative to buying directly from the cloud provider. 37

39 References