Information Security Governance Papers

Paper Title Become users of cloud computing services
The Abstract of The Paper

Potential cloud service providers to the Government will require a somewhat different adaptation of the information security management and governance framework, but this will be the topic of a separate white paper.

Before we present our proposed information security governance framework, it is first necessary to review the challenges and risks associated with each of the four existing cloud computing deployment models. To that effect, we offer a high-level description of each deployment model, including graphical depictions.

Public Clouds

The most common type of CCE is the public cloud. In this construct, the cloud infrastructure is owned and operated by an organization that provides services to multiple enterprises and individuals on a utility basis (consumers are often referred to as “tenants”) (see Exhibit 1).

Public clouds present the highest security risk to federal agency cloud consumers because of the lack of direct control over information security control implementation and monitoring, global multi-tenancy with other users, virtualization and data location management, limited service-level agreement (SLA) flexibility, contractual liability limitations, and the lack of common legal and regulatory environments between cloud providers and cloud consumers.[3] Lack of visibility compounds these issues and prevents cloud consumers from effectively measuring or demonstrating compliance with any kind of security requirements. In the future, providers of public services will probably adapt their offerings and increase the flexibility of SLAs and contracts to better accommodate the unique legal, regulatory, and contractual information security compliance requirements of the federal government environment. Some positive signs of movement in this direction are beginning to appear in the market, as evidenced by Amazon’s recent introduction of optional “virtual private cloud” services that combine the outsourcing advantages of public clouds with increased customer visibility, control, and service tailoring. Organizations should limit public cloud deployment to public information and systems with acceptable risk profiles and no legal or regulatory security requirements until service providers adapt to meet the user community’s security, compliance, and liability needs.[4]

[Exhibit 1 | Public Cloud Illustration. Source: Booz Allen Hamilton]

Private Clouds

In sharp contrast to the public cloud is the private CCE. In the private cloud, the cloud infrastructure is owned/leased and operated by a single organization solely for the user community of that organization (see Exhibit 2). An example in the Federal Government is an agency-wide cloud that offers services to all entities within that agency. Cost efficiencies and economies of scale are likely to be more limited in private clouds

[3] This specific issue is addressed in depth by the Booz Allen Cloud Computing White Paper, June 2, 2008, and Booz Allen’s Cloud Computing Basics: Cloud Computing 101 (White Paper).
[4] Cloud Computing Security Report, Security Considerations for Public Cloud Service Acquisition, Booz Allen Hamilton, August 2009.
Web Link http://www.slideshare.net/BoozAllen/information-security-governance-government-considerations-for-the-cloud-computing-environment
