Overview
With respect to cloud computing, one of the main sources of apprehension for decision makers is the overall risk to information security. Many believe that hosting applications and company proprietary data in the cloud increases the likelihood of attack and/or data loss. While this is a legitimate concern, more significant risks such as the ownership of intellectual property, e-discovery, and vendor lock-in dynamics are often omitted from the analysis entirely. If not managed properly, cloud initiatives based on tactical yet specific business functions can lead to silos of information and "stovepipe" infrastructures that simply do not integrate with other systems. Cloud computing can actually amplify this effect by making data and applications non-portable, thereby increasing costs when real-time information must be shared across dissimilar systems.
COE Security LLC's cloud security assessments cover traditional information security risks as well as threats to business operations, thereby painting a complete risk analysis picture for both business and technical stakeholders.
Key Benefits
- Provides a single, consistent security risk assessment and authorization that can be leveraged across agencies: an "approve once, use often" approach
- Establishes a common set of baseline security assessment and continuous monitoring requirements using NIST standards
- Approves and makes available qualified, independent third-party assessors, ensuring consistent assessment and accreditation of cloud solutions based on NIST's proven conformity assessment approach
- Shifts risk management from annual reporting under FISMA to more robust continuous monitoring, providing real-time detection and mitigation of persistent vulnerabilities and security incidents
Methodology
Our security assessment involves three phases.
Pre-visit Items
Prior to the actual on-site visit, Purposeful Clouds collects all existing and pertinent information. This could be the Cloud Strategy and Workshop Report from a Cloud Strategy Workshop, the Cloud Opportunity Assessment Report from a Cloud Opportunity Assessment, or equivalent information collected by other means. If this information is not readily available, that will increase the required length of the Cloud Security and Compliance Assessment engagement.
COE Security also holds a kick-off call to establish the roles and responsibilities, logistics, schedules and high-level goals for the on-site visit.
During the on-site visit
The on-site session usually starts with:
- A short presentation covering the main security issues related to the Cloud and the transition to and from the Cloud.
- A review of the initial workloads currently targeted to move to the Cloud first, concentrating on the security requirements for each workload.
- Discussion of your security concerns and policies, including:
  - Compliance and regulatory concerns
  - Internal security policies and procedures
  - Existing infrastructures and policies for backup, disaster recovery, data life cycle management, and processing discovery orders
- A short explanation of how we intend to proceed with the data collection.
- A scheduling conversation to get the information necessary to satisfy the objectives listed above, based on the availability of your personnel.
The majority of the on-site visit is spent in small groups capturing the required information. For each of the targeted workloads:
- Identify the physical location of all stored data, including backup and disaster recovery copies
- Identify servers and workstations involved
- Identify network infrastructure used
- Identify existing security posture that applies to this workload
Each mid-afternoon we hold a quick review of what has been covered, what still needs to be covered, and any data collection issues, so they can be addressed.
Post-visit
After the on-site visit, COE Security analyzes the information provided and prepares the deliverables. We may have a few specific questions, which we will ask via a scheduled conference call.