FedRAMP – Lessons Learnt - 3rd Scandinavian Conference on

Federal Risk and Authorization
Management Program - FedRAMP
FedRAMP – Lessons Learnt
Pierre Wettergren, CEO CCG Europe AB
www.MeetingSphere.se
Pierre Wettergren, MBCI, CBCI
► ABB: 9 years, various positions within quality and line, subcontract,
project, engineering, and improvement management - split 50/50
between ABB Sweden and ABB Switzerland.
► AstraZeneca: 4+ years as Global Head of Business
Continuity Management (BCM)
► Since 2007 engaged as expert in ISO Societal Security standards development
► 4C Strategies: 1.5 years – Senior consultant, accountable for the BCM business area and manager of the Gothenburg office
► 5G Continuity: CEO / Senior Consultant
► 2009 Started my own company
► Clever Collaboration Group: Founding partner / CEO
► 2013 peak year:
► Awarded ”Security Consultant 2013” (www.SecurityAwards.se)
► Recognition: ”Highly Recommended – BCM Consultant of the Year”, BCI Global Awards. The Business Continuity Institute is an international organization with 8000 professional members globally.
► Onsala Floor-ball Club (OIBK): Chairman, since 2013
+46 705 498 598
Skype: pwettergren
Agenda steps
► Practical issues
► Login to follow and comment on this presentation: http://korta.nu/scsss (enter your name and email address). This email address will later receive the report from the complete session. It is also this link we use for the closing workshop.
► MeetingSphere - the tool in brief
► FedRAMP
► what it is, purpose of FedRAMP
► what value it brings
► For whom it applies and who are the players
► MeetingSphere FedRAMP journey
MeetingSphere – In brief
MeetingSphere is an online meeting productivity tool known as a Group Decision Support System (GDSS), which is designed to:
► Actively engage participants in face-to-face, online or hybrid meetings
► Generate a higher volume of inputs
► Allow people to say what is really on their minds
► Support online team collaboration (synchronous and asynchronous)
► Save time and eliminate unnecessary work, administration, and travel
► Bring accountability and transparency to the decision-making process
► Real work in real time with fully automatic reporting
Deployment choices include:
► On-premises in customer data centers, clouds, and portable servers
► Combinations are very common, e.g. portable servers together with other solutions, depending on demands on security, demands on availability, intranet-only access, etc.
MeetingSphere makes the information gathering and decision-making process more efficient.
1. Kick off the meeting with a presentation. Utilize the Presentation Tool – or use your Web Conference tool of choice.
2. Capture more ideas in a shorter period of time. Sort into themes.
3. Move content of Brainstorm to Discussion for more in-depth collaboration.
4. Move content to the Rating Tool. Rate outcomes by single or multiple criteria.
5. Assign responsibility for follow-up actions with Action Tracker.
6. Generate Session Reports instantly with only a couple of clicks.
MeetingSphere - Customer uses
► Regular team calls and web meetings
► Running hybrid workshops with stakeholders
► Online collaborative document development
► Proposal development
► Key account planning
► Supplier evaluations
► Focus groups
► Audit processes
► Change management programs
► Project requirements gathering
► Risk assessment processes (GAP/HAZID/RA/SWOT/…)
► Business Continuity Management
► Project learning reviews
► Whistleblowing Management
FedRAMP – What it is, what’s the purpose
Federal Risk and Authorization Management Program
► FedRAMP is a program that supports the U.S. government’s objective:
► Enable U.S. federal agencies to use managed service providers that provide cloud computing capabilities.
► The program is designed to comply with the Federal Information Security Management Act (FISMA).
► It builds on applicable US laws and regulations
► It builds on US standards and guidance
► More info: www.fedramp.gov
FedRAMP Process – CSP perspective
► FedRAMP provides a “streamlined avenue” for US federal agencies to make use of cloud service providers (CSPs)
► The ”independent” assessment is paid for by the CSP.
► The CSP selects the 3rd party assessment organization (3PAO) from a list of accredited 3PAOs.
► FedRAMP provides all actors with checklists, templates, guidance, and requirements.
CSP and authorization model
► Cloud Service Provider
► IaaS – Infrastructure as a Service
► E.g. Amazon Web Services
► PaaS – Platform as a service
► E.g. MySQL
► SaaS – Software as a Service
► MeetingSphere
► Authorization model 3PAO and JAB
► 3PAO
FedRAMP – Document hierarchy
► Policy Memo: released by OMB; provides the direction and high-level framework for standing up the government-wide cloud security program.
► Baseline Security Controls: based on the NIST 800-53 Security Control guidelines and includes additional control enhancements to address cloud system specific vulnerabilities.
► CONOPS (Concept of Operations): provides an overview of FedRAMP, the Operating Model and Key Processes.
► Operating Model for FedRAMP: based on the Policy Memo; identifies the key organizations’ responsibilities for implementing the program and gives a high-level description of the operational roles and responsibilities.
► Key Processes: the three main functions that FedRAMP performs during operations.
► Detailed Templates and Guidelines: documents that provide templates for forms and information required from CSPs or 3PAOs through the FedRAMP process phases, and detailed instructions for each of the process areas.
FedRAMP - Governance
MeetingSphere - shared responsibility model
Customer – responsible for security “in” the MeetingSphere:
► MeetingSphere administration (users, permissions, authentication, data retention)
Responsible for security “in” the Cloud:
► Platform, Applications, Identity & Access Management
► Operating System, Network & Firewall Configuration
► Client-side Data Encryption & Data Integrity Authentication
► Server-side Encryption (file system and/or data)
► Network: Traffic Protection (Encryption / Integrity / Identity)
AWS – responsible for security “of” the Cloud:
► Compute, Storage, Database, Networking
► AWS Global Infrastructure: Regions, Availability Zones, Edge Locations
FedRAMP - journey
FedRAMP - Reality check
► It makes life for agencies much easier
► Few big 3PAOs
► Very few certifications by smaller 3PAOs
► Huge incentive to “leverage” authorizations of big players (Amazon)
► Compliance as a small SaaS:
► Possible at the technical level by leveraging AWS
► Valuable lessons for professionalization
► Hardly doable at the process level (guidelines made for large hierarchical businesses)
► Only US businesses and personnel are certifiable
► This is very much a process that drives business towards the big US players
FedRAMP – the savior from heaven …
► Before
► Today
CCG Reference - Selection
Contact
Pierre.Wettergren@CCGEurope.com