Risk Management & Legal Issues in Cloud Practice Christopher Dodorico Director, PricewaterhouseCoopers Wednesday, October 10, 2012


Risk Management & Legal Issues in Cloud Practice

Christopher Dodorico, Director, PricewaterhouseCoopers

Wednesday, October 10, 2012


Cloud Computing in the US Federal Government – Where are we today?

The pace of cloud adoption by federal agencies is picking up

• Agencies are starting to “dip their toe in the water” and “learn as they go”

• Embracing the possibilities of cost savings and efficiencies

• Federal agencies see positive movement in the long-awaited framework for cloud providers to address security concerns in a homogenous manner, with a common controls framework

Slide 2

Cloud Computing in the US Federal Government – Where are we today?

Despite this positive initial movement, agencies are still concerned about security of the cloud

• Issues of working with service providers to manage a myriad of compliance requirements, data location, multi-tenancy, and security continue to concern federal agencies contemplating a movement to the cloud

• Agencies should not rely solely on FedRAMP for information assurance

• Need for automated audit and assessment tools, as well as continuous monitoring

• Initial migration of lower-risk and “less mission-critical” operations to the cloud, as a first step

Slide 3

Cloud Computing in the US Federal Government – Where are we today?

However, the outlook is still bright

• The combination of education, experience and emerging standards should increase cloud adoption in government

• Security concerns may decrease over time due to continuous process improvement

• Harmonizing multiple, overlapping regulatory requirements through Integrated Compliance is critical

• Patience and Strategy are key – as cloud computing technology, security and cost savings mature, federal agencies will become more comfortable with placing key information in the cloud

Slide 4


Cloud Security Compliance - FedRAMP

• The Federal Risk and Authorization Management Program (FedRAMP) establishes the first regulatory program to provide:

- A standard, mandatory common controls framework for federal Cloud Service Providers (CSPs)

- A standard approach for conducting security assessments of cloud-based systems by Third Party Assessment Organizations (3PAOs)

- Published controls that are the entry point into the federal market

• Positive trend toward reuse/reapplication

Yet another compliance requirement?

Slide 5

Integrated Compliance

Integrate Cloud Compliance with Existing Control Frameworks

Slide 6

Taking Requirements….. (FISMA / FedRAMP, PCI, HIPAA, ISO, Other Requirements)

Identifying Common Controls or Processes…. (Integrated Control Framework)

Documenting policy, controls, and criteria that meet minimum requirements across standards….

Execute Integrated Program: executing the program with the integrated framework.

Program cycle: Define & Assess Risk → Identify Data Sources → Develop & Implement Controls → Audit and Correct → Enforce, Monitor & Support

Common control areas: Access Controls, Passwords, Encryption, Training, Risk Assessments


Critical Success Factors for Cloud Compliance

• Cloud environments, and more so public cloud environments, present a unique challenge with respect to the sharing of responsibilities for security controls between the CSP and the user organization

• Appropriate scoping of the environment, location of data, boundary definition, security controls demarcation and clarity about responsibility are critical!

Slide 7

Shared responsibility by service model:

- SaaS: The cloud provider assumes primary responsibility for security, and consumers control limited service settings

- PaaS: Responsibility lies somewhere in the middle, with extensibility and security features that must be leveraged by the customer

- IaaS: The consumer has the greatest responsibility for security. Due to extensibility, security is required across all layers of implementation

Critical Success Factors for Cloud Compliance

• Understanding data access controls, specifically:

- How is data classified in a multi-tenant environment?

- How is data classified if data from multiple organizations is stored in the same data set?

- How is logical access granted to specific data sets?

- What access control mechanisms are used?

• Development, deployment and ongoing management of a cloud environment require significant attention to governance.

- A cloud environment by nature cannot be static as customers and capabilities are changing constantly, and must scale to meet changing business objectives and regulatory requirements.

Slide 8


Critical Success Factors for Cloud Compliance

• Definition of what qualifies as a “Significant Change”

- CSPs and their customers each have a point of view

- Dialogue between CSPs and their customers is needed to reach joint agreement on what triggers re-accreditation or re-assessment

• Collaboration between subscribers (federal agencies), CSPs, authoritative bodies, assessors/auditors, member organizations and software vendors is critical to the success of federal cloud computing

- Design and development of robust SLAs, legal agreements

- Agreement on applicable control requirements and areas where “scale-up” may be necessary

- The government is doing a good job of outreach

Slide 9


PwC

PwC’s Washington Federal Practice assists our federal and commercial clients with their IT regulatory and cloud compliance challenges

Christopher P. Dodorico, Director

[email protected]

703-861-2205