<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<?xml-stylesheet type="text/xsl" href="../part2stratml.xsl"?><PerformancePlanOrReport><id/><Name>Staying Safer in Cyberspace: Cloud Security on the Horizon</Name><Description>Since announcing its "Cloud First" policy in 2010, the Federal government has correctly identified cloud computing as a way to reduce costs and improve the use of existing assets, and has accordingly prioritized its adoption. It has also taken judicious steps to protect Federal networks from nefarious cyber-attacks and promote the dissemination of best practices for cybersecurity. The Federal government has also embraced mobility as a means to conduct work from any location. But until now, the implementation of these initiatives has been fragmented and lacked coordination across Federal agencies. This paper offers a framework for integrating these programs in a way that enables the Federal government to realize the economic, technological, and mission-effectiveness benefits of cloud services while simultaneously meeting current Federal cybersecurity requirements. It advocates shifting from a compliance-based cybersecurity paradigm to one that is risk-based and focusing on how agencies can most effectively secure their implementation of cloud services.</Description><OtherInformation>At a time when the Federal government is facing ever-mounting budgetary pressures, cloud computing can be a useful tool to help agency leaders to deliver mission services while managing expenditures. And in a recent poll, nearly half of all senior national security officials also named cyberwarfare as "the most serious threat facing the United States." The "Staying Safer in Cyberspace" plan we present in this paper differs from the current fragmented approach to securing the cloud by identifying an integrated approach and a coordinating body to develop a network architecture that conforms to the Administration's cybersecurity policies. 
What's more, it describes the contours of what this network architecture should look like -- from performance metrics down to identity management practices at the end user level. These recommendations delineate essential functions for both the private sector and the Federal government, while allowing for discussion about certain details. Similarly, our plan also allows room for the unique security requirements of departments and agencies to be considered, all within the framework of existing legislation.</OtherInformation><StrategicPlanCore><Organization><Name>SafeGov.org</Name><Acronym>SGo</Acronym>            <Identifier>ID-9f31bf10-fd9b-4f1b-b63a-b839f7f7945b</Identifier><Description>SafeGov.org is a forum for IT providers and leading industry experts dedicated to promoting trusted and responsible cloud computing solutions for the public sector.</Description><Stakeholder><Name>Karen S. Evans</Name><Description/></Stakeholder><Stakeholder><Name>Julie M. Anderson</Name><Description/></Stakeholder><Stakeholder><Name>Brian D. Shevenaugh</Name><Description/></Stakeholder><Stakeholder><Name>IT Providers</Name><Description/></Stakeholder><Stakeholder><Name>Cloud Computing Experts</Name><Description/></Stakeholder></Organization><Vision><Description>... 
trusted and responsible cloud computing solutions</Description>            <Identifier>ID-07ccf59a-b46c-4556-94ee-806131b4c0cd</Identifier></Vision><Mission><Description>To help Federal entities better integrate the various Federal programs relating to cloud computing and cybersecurity</Description>            <Identifier>ID-31cf4ee1-8ea0-41ed-9349-5560cc07911d</Identifier></Mission><Value><Name/><Description/></Value><Goal><Name>Network Architecture</Name><Description>Adopt and issue an integrated network architecture to address the Administration’s priorities and help agencies implement Federal cybersecurity requirements</Description>            <Identifier>ID-430baf38-9666-45a5-a978-6a0389ce84f6</Identifier><SequenceIndicator>1</SequenceIndicator><Stakeholder><Name>Security Identity Management Committee</Name><Description/></Stakeholder><Stakeholder><Name>Federal Chief Information Officer Council</Name><Description/></Stakeholder><OtherInformation>Within the next year, the Information Security Identity Management Committee (ISIMC) of the Federal Chief Information Officer (CIO) Council should adopt and issue an integrated network architecture to address the Administration’s priorities and help agencies implement Federal cybersecurity requirements, including the Cross Agency Performance (CAP) Cybersecurity Goals; Open Government; the Data Center Consolidation Initiative; Cloud Services; and Mobility.</OtherInformation><Objective><Name>Implementation Plan</Name><Description>Draft an implementation plan to help the agencies transition from their current architectures to the proposed architecture</Description>                <Identifier>ID-9346dfc7-8611-4125-a5e6-9c2a1a7c4715</Identifier><SequenceIndicator>1.A</SequenceIndicator><Stakeholder><Name>ISIMC</Name><Description/></Stakeholder><OtherInformation>Additionally, the ISIMC should draft a notional implementation plan with the milestones outlined to help the agencies transition from their current architectures to 
the proposed architecture that includes these enhancements.</OtherInformation></Objective><Objective><Name>FISMA Coordination</Name><Description>Coordinate with the Inspectors General (IGs) to ensure evaluations conducted under FISMA use the recommended architecture, standards, and transition plans</Description>                <Identifier>ID-db68e22c-f1f1-4b08-b5e1-f6a2f0b892f3</Identifier><SequenceIndicator>1.B</SequenceIndicator><Stakeholder><Name>Inspectors General</Name><Description/></Stakeholder><Stakeholder><Name>National Institute of Standards and Technology</Name><Description/></Stakeholder><OtherInformation>This should be coordinated with the Inspectors General (IGs) to ensure that the evaluations conducted under the Federal Information Security Management Act (FISMA) use the recommended architecture, standards, and transition plans -- instead of selecting their own monitoring plans based on National Institute of Standards and Technology (NIST) publications that do not consider agency implementation plans.</OtherInformation></Objective></Goal><Goal><Name>Penetration Testing</Name><Description>Require cloud service providers to employ penetration testing capabilities</Description>            <Identifier>ID-128cd432-615f-4b89-a7c6-2beacfa4ed84</Identifier><SequenceIndicator>2</SequenceIndicator><Stakeholder><Name>FedRAMP’s Joint Authorization Board</Name><Description/></Stakeholder><Stakeholder><Name>Cloud Service Providers</Name><Description/></Stakeholder><OtherInformation>FedRAMP's Joint Authorization Board (JAB) should require that all cloud service providers wishing to do business with the Federal government employ penetration testing capabilities in the implemented operational environment in order to surveil, analyze, and respond to threats in real time. This process of testing whether computing systems have been penetrated could be similar to the Payment Card Industry's Data Security Standard (PCI DSS), which is a well-established set of industry benchmarks for online payment 
services. Industry and government must decide together what will be subjected to penetration testing. Adopting the model contracting language included in Appendix 3 would help these entities arrive at a consensus on these and other issues while requiring:</OtherInformation><Objective><Name>Security Protections</Name><Description>Integrate commercial cloud services with Federal security protections</Description>                <Identifier>ID-890693ef-802d-48ba-9a0b-8415d418d57b</Identifier><SequenceIndicator>2.A</SequenceIndicator><Stakeholder><Name>Commercial Cloud Services</Name><Description/></Stakeholder><OtherInformation>All commercial cloud services be integrated with Federal security protections such as the Trusted Internet Connection (TIC) and Homeland Security Presidential Directive (HSPD) 12 for identity management.</OtherInformation></Objective><Objective><Name>Log Files</Name><Description>Share log files</Description>                <Identifier>ID-7e11787c-b6c8-4513-a72c-42282513aabd</Identifier><SequenceIndicator>2.B</SequenceIndicator><Stakeholder><Name>Cloud Service Providers</Name><Description/></Stakeholder><Stakeholder><Name>Federal Agencies</Name><Description/></Stakeholder><Stakeholder><Name>Department of Homeland Security</Name><Description/></Stakeholder><OtherInformation>Cloud service providers share log files with the contracting Federal agencies and/or directly with the Department of Homeland Security's (DHS) Continuous Diagnostics and Mitigation (CDM) program.</OtherInformation></Objective><Objective><Name>Multi-Tenancy Issues</Name><Description>Resolve multi-tenancy issues</Description>                <Identifier>ID-a2000315-08cb-4ea6-9289-e306230c1c99</Identifier><SequenceIndicator>2.C</SequenceIndicator><Stakeholder><Name>Federal Government</Name><Description/></Stakeholder><Stakeholder><Name>Cloud Service Providers</Name><Description/></Stakeholder><OtherInformation>The Federal government, in conjunction with Cloud Service 
Providers, resolves the multi-tenancy issues associated with the sharing of these data.</OtherInformation></Objective></Goal><Goal><Name>Metrics</Name><Description>Issue metrics to assess the effectiveness of cybersecurity measures</Description>            <Identifier>ID-b5f1409c-7ff2-4982-96db-e77f8b910585</Identifier><SequenceIndicator>3</SequenceIndicator><Stakeholder><Name>Office of Management and Budget</Name><Description/></Stakeholder><Stakeholder><Name>Department of Homeland Security</Name><Description/></Stakeholder><Stakeholder><Name>Inspectors General</Name><Description/></Stakeholder><OtherInformation>The Office of Management and Budget (OMB) and the Department of Homeland Security (DHS) should work together to develop and issue metrics that inspectors general (IGs) can use to assess the effectiveness of cybersecurity measures in the FISMA reporting process.</OtherInformation><Objective><Name>Cyber Risk Indicator</Name><Description>[Adopt] a Cyber Risk Indicator</Description>                <Identifier>ID-631469de-7cf3-4d3b-968a-de31f15f9fc2</Identifier><SequenceIndicator>3.A</SequenceIndicator><Stakeholder><Name/><Description/></Stakeholder><OtherInformation>We proposed a Cyber Risk Indicator in our 2013 paper, "Measuring What Matters," which argues that cybersecurity risk depends on the performance of an agency's information systems and the maturity of attendant information security policies and processes. We also contend that these factors need to be assessed in the context of organizational priorities.</OtherInformation></Objective><Objective><Name>CDM Program</Name><Description>Further define the benefits and metrics associated with the DHS' CDM program</Description>                <Identifier>ID-7d12276b-2c9f-428b-9945-5bb5b1e9ebb8</Identifier><SequenceIndicator>3.B</SequenceIndicator><Stakeholder><Name/><Description/></Stakeholder><OtherInformation>The ISIMC should continue to further define the benefits and metrics associated with the DHS' CDM program.
</OtherInformation></Objective></Goal><Goal><Name>Alignment &amp; Accountability</Name><Description/>            <Identifier>ID-6b24f414-39ac-4ee5-b041-685c45ada00c</Identifier><SequenceIndicator>4</SequenceIndicator><Stakeholder><Name>OMB</Name><Description/></Stakeholder><Stakeholder><Name>National Security Staff</Name><Description/></Stakeholder><OtherInformation>OMB and the National Security Staff (NSS) should:</OtherInformation><Objective><Name>Alignment</Name><Description>Ensure that cybersecurity planning and architecture efforts of the ISIMC and the Committee for National Security Systems are aligned whenever possible.</Description>                <Identifier>ID-cd40a643-4a57-44b5-b556-ec6d474966ac</Identifier><SequenceIndicator>4.A</SequenceIndicator><Stakeholder><Name>Committee for National Security Systems</Name><Description/></Stakeholder><Stakeholder><Name>ISIMC</Name><Description/></Stakeholder><OtherInformation/></Objective><Objective><Name>Accountability</Name><Description>Hold departments and agencies accountable by assessing their progress towards fulfilling agreed-upon cybersecurity requirements.</Description>                <Identifier>ID-f991d763-8892-46f4-a538-a8c7d4cec79c</Identifier><SequenceIndicator>4.B</SequenceIndicator><Stakeholder><Name>Departments</Name><Description/></Stakeholder><Stakeholder><Name>Agencies</Name><Description/></Stakeholder><OtherInformation/></Objective></Goal></StrategicPlanCore><AdministrativeInformation><StartDate/><EndDate/><PublicationDate>2014-01-23</PublicationDate><Source>http://safegov.org/media/59206/staying_safer_in_cyberspace.pdf</Source></AdministrativeInformation><Submitter><FirstName>Owen</FirstName><LastName>Ambur</LastName><PhoneNumber/><EmailAddress>Owen.Ambur@verizon.net</EmailAddress></Submitter></PerformancePlanOrReport>
