Security pros need to get in front of cloud computing trend, RSA panel says

From: SearchCloudSecurity

Marcia Savage, Site Editor

Cloud computing is an inevitable shift in IT that security teams can’t stop, but innovative security pros can figure out ways to ensure it’s adopted safely. 

That was the message conveyed by a panel of security executives at the RSA Conference 2012 on Wednesday. The cloud computing trend is accelerating and security teams need to adapt, panelists said.

“Most people in this room underestimate how fast we’ll move to cloud,” said Jerry Archer, senior vice president and CSO at Sallie Mae. With some estimating that cloud computing can cut IT costs by 85%, “security is not likely going to stand in the way,” he added.


Feds Offer Agencies Guidance On Cloud Implementation

Editor’s Note: The joint CIO Council – Chief Acquisition Officers Council publication, “Creating Effective Cloud Computing Contracts for the Federal Government: Best Practices for Acquiring IT as a Service,” is attached below.

From: Information Week

As agencies adopt cloud services, a new report helps set some guidelines around SLAs, security, and privacy.

By Elizabeth Montalbano

Since cloud computing services represent a paradigm shift from the way federal agencies historically have acquired IT systems, agencies have a number of new factors to consider – service-level agreements (SLAs), security and privacy among them – as they make plans to implement the cloud, according to a new report.


Linking the Cloud to Continuous Monitoring

From: GovInfoSecurity.com

A Perfect Fit: Continuous Monitoring and Cloud Initiative

By Eric Chabrow

NIST information risk management evangelist Ron Ross sees continuous monitoring playing a vital role in securing cloud computing.

The Federal Risk and Authorization Management Program, known as FedRAMP, fits very nicely with continuous monitoring by allowing agencies to define good sets of security requirements for cloud computing providers, Ross says in an interview previewing a presentation he will make at the RSA Conference 2012 in San Francisco later this month.


CRE Comments on Draft CAESARS FE Draft

Attached below are the Center for Regulatory Effectiveness’ comments on the Second Draft of the CAESARS Framework Extension (NIST Interagency Report 7756). The goal of the CAESARS FE document “is to facilitate enterprise continuous monitoring by presenting a reference model that enables organizations to aggregate collected data from across a diverse set of security tools, analyze that data, perform scoring, enable user queries, and provide overall situational awareness.”

CRE’s comments explain that “one reason why the CAESARS FE is an important IT security document is that it was written to be useful to industry as well as government.” 


Continuous Monitoring: Holy Grail to FISMA Compliance – Is It or Not?

From: WhiteSpace

by Patrick Dean

Well is it or is it not? Who cares? Let’s take out the debate about whether or not the new FISMA regulations actually do anything for security practices, and face the reality that we, as government entities (whether directly employed by or contractually attached to a government entity), must fulfill our compliance obligations. Those of us who want to actually secure our environments will not only abide by the compliance mandates, but we will also implement security standards and practices that truly improve security within our appointed domains.


NIST to Unveil Controls Guidance at RSA

From: BankInfoSecurity.com

Privacy, Insider Threat, Mobile, Cloud Added to SP 800-53 Revision

By Eric Chabrow

NIST’s Ron Ross will be quite busy at RSA Conference 2012, not only promoting revised guidance on security and privacy controls to be unveiled at the security conclave, but also participating in a panel on one of his favorite topics: continuous monitoring.

Ross, in an interview with Information Security Media Group, says the National Institute of Standards and Technology will use the assemblage of information security experts in San Francisco later this month to release one of NIST’s most important pieces of guidance: Special Publication 800-53 Rev. 4, Recommended Security and Privacy Controls for Federal Information Systems and Organizations.


SEC lacks in configuration management, says OIG

Editor’s Note: The OIG 2011 Annual FISMA Report is attached below.

From: FierceGovernmentIT

The Securities and Exchange Commission hasn’t kept its cybersecurity documentation up to date, resulting in it not conducting baseline control configuration scans and not meeting other requirements of the Federal Information Security Management Act, says the SEC office of inspector general.

In a redacted report dated Feb. 2, the SEC OIG, basing its findings on an assessment conducted by Phoenix, Ariz.-based Networking Institute of Technology, says the agency does have a continuous monitoring program that assesses the security state of its information systems, including vulnerability scanning, patch management, and ongoing assessment of security controls.


FedRAMP CONOPS calls for big DHS role

From: FierceGovernmentIT

A concept of operations for the FedRAMP governmentwide assessment and authorization of low- and moderate-impact cloud services released Feb. 7 by the program office shows that the Homeland Security Department will have an active role in continuous monitoring and incident response.

The document (.pdf) assigns DHS multiple responsibilities, including real-time monitoring of security posture reports from cloud service providers. Federal officials say any provider of multi-tenant cloud computing at the low and moderate risk level must go through the FedRAMP process, which grants providers a provisional authorization valid at any federal agency. Provisional authorization doesn’t eliminate the need for a local agency official to sign an authorization to operate on the local network, but it should significantly speed up the process since agencies won’t have to reassess provider compliance with baseline security controls, federal officials say.


Advancing Security Automation and Standardization: Revised Technical Specifications Issued for the Security Content Automation Protocol (SCAP)

Attached below is the January bulletin from NIST’s Information Technology Laboratory discussing SCAP revisions.


CRE Statement to ISPAB: Develop Metrics for FedRAMP

CRE recommended to the Information Security and Privacy Advisory Board (ISPAB) that metrics are needed to assess whether FedRAMP is living up to its promise. Specifically, metrics need to be developed which would accurately, objectively and transparently measure the security effectiveness and the cost effectiveness of Cloud Service Providers under the FedRAMP program.

Moreover, since the federal government will eventually regulate the IT security of critical infrastructure, the metrics developed for FedRAMP will also be needed for whatever new regulatory program(s) come out of the various cybersecurity legislative proposals being deliberated by Congress. CRE expects that federal regulation of critical infrastructure cyberdefenses will be based on FedRAMP’s conformity assessment approach to regulatory compliance.
