Background

NJVC® is an IT contractor supporting the Intelligence Community and Department of Defense (DoD), and specializes in providing IT solutions to customers with highly secure requirements.

NJVC has designed, implemented, and maintained multiple data centers for an IC agency for more than a decade, including modernizing the data center environment from a legacy stove-piped set of physical servers to a modernized cloud architecture with a managed service framework.

NJVC has hosted, migrated, and transitioned more than 300 distinct mission systems or production entities over the past five years. This continued work in the area of transitioning systems between data center environments has given NJVC unique experience and allowed us to establish a proven, standard, scalable process to support any system migrating between architectures.

Steven R. Thomas, PMP
NJVC Director, Technical Operations
Chief Engineer on a large program for an IC agency
Chair of the Engineering Review Board

NJVC, LLC Proprietary Data. Do Not Distribute
Cloud Security

Cloud security is an evolving area within the larger arena of cyber security. It refers to a broad set of policies, technologies, and controls deployed to protect data, applications, and the associated infrastructure of cloud architectures and cloud environments.

The extensive use of virtualization in implementing cloud infrastructure brings unique security concerns for missions, applications, or tenants hosted within a cloud environment.
Strategic Framework for Cloud Security

Provide a strategic framework for secure mission operations within a cloud environment

Assess (Strategic Objective 1)
- Assess the current security state of your environment and each mission system
- Understand cloud services and what they provide
- Understand the security issues/risks present in the cloud
- Assess the level of change that you are facing moving to the cloud

Plan (Strategic Objective 2)
- Gather and analyze the security requirements for each mission system against cloud services
- Draw clear lines of responsibility for security within the cloud
- Identify and document how each mission will use cloud services, including security services
- Develop a transition plan for moving to the cloud that includes security

Transition (Strategic Objective 3)
- Maintain security posture during transition
- Verify all data is secure and properly accessible
- Test and verify all security functions, tools, and services are in place and performing as expected

Sustain (Strategic Objective 4)
- Establish a mechanism to periodically audit all security services
- Monitor and report against security-related SLAs, metrics, and performance measurements
- Maintain certification and accreditation of all systems
- Require cloud service providers to maintain all DoD and FedRAMP security requirements

Mature (Strategic Objective 7)
- Establish a total security framework that provides “defense in depth”
- Data consolidation
- Automation of security
- Correlation and aggregation of all data
- Generates actionable intelligence
- Real-time view of enterprise

Ensuring the cloud is secure
As of 09 Mar 2014
The Non-Secure Cloud
Assess (Strategic Objective 1)

Just because a cloud is built inside a secure facility, operates behind a firewall, and traverses encrypted networks doesn't mean it is secure.

Many of the same security risks present in non-cloud IT deployments are still in play. Several new ones are introduced:
- Greater number of entry points and input/output paths
- A single organization, department, user, or application can threaten the entire cloud
- Compromise of the virtualization software or "hypervisor"
- Increase in brute force attacks
- Insider threats now include outsiders in multi-tenant clouds
Changes in Security
Assess (Strategic Objective 1)

Transitioning from a legacy physical, distributed IT environment to a cloud environment fundamentally changes your security threats, security exposure, security risk, and security posture.

Understanding the shared security model is one of the biggest hurdles in securing cloud environments.

A vulnerable service in a cloud presents greater exposure and risk than the same service in a standard server farm due to the shared nature of cloud resources.

The bank robber Willie Sutton is reputed to have answered a reporter's question about why he robbed banks by saying: “Because that's where the money is.”
Cloud Security Responsibilities
Plan (Strategic Objective 2)

Security responsibilities for a cloud architecture fall into two broad categories:
1. Responsibility for the cloud architecture or cloud service provider (CSP) (providing software, platform, or infrastructure as a service). CSPs generally assume the responsibility to maintain/patch the foundational services, networks, and operating systems (OS).
2. Responsibility for the data and mission systems/applications within the cloud. Customers and/or consumers are often responsible for securing and patching the application and data layers.

Questions you should be asking:
- Is security a stated service offering and, if so, what does that service provide?
- Is security embedded/included with other service offerings?
- What security-related DoD policies, directives, or processes are followed and how are they implemented?
- Can service level agreements (SLAs) be established based on security performance measurements?
- Is security-focused monitoring and reporting offered?
Cloud Security Services
Plan (Strategic Objective 2)

Proper security services and functions must be part of your planning to ensure the security of the mission systems within the cloud.

- Identity management/privacy – Ensures all sensitive data is encrypted, and controls access to information and resources
- Physical and personnel security – Ensures physical machines are adequately secured and access to machines and data is restricted and tracked
- Application security – Provides testing/acceptance procedures and ensures patch management of applications/tools
- Business continuity/data recovery – Ensures services can be maintained in case of a disaster and that any lost data can be recovered
- Logs/audit trails – Ensures logs and audit trails are produced, secured, and maintained for the purposes of accreditation, security audits (CCRI), root cause analysis, or forensic investigation
Transitioning to the Cloud
Transition (Strategic Objective 3)

Moving to a cloud environment is similar to moving from one house to another. As such, many of the same best practices should be applied.

- Stop hoarding and de-clutter: Do not move unnecessary applications or missions to the cloud; decommission them
- Do not move things that are broken or damaged: Do not move applications that have known security problems. Fix your CAT 1 and CAT 2 security issues
- Change your locks once you move in: Change all the default passwords and admin passwords provided in the cloud
Transitioning to the Cloud (continued)
Transition (Strategic Objective 3)

- Determine if you can bring your existing security systems to your new home: Determine if existing and proven security systems, tools, and processes can be used within or integrated with the cloud
- Understand the crime in your new area: Understand the known security threats posed by your new cloud environment
- Do not leave anything unsecured while it is being moved: Do not drop or lessen your security posture while applications or systems are transitioning to the cloud
- Verify everything is safe once the move is completed: Make sure all your data and applications are secure and functional once the transition to the cloud is complete
Government Clouds
Sustain (Strategic Objective 4)

Cloud environments should improve overall security levels and establish an enhanced security posture that leverages agility and technology.

- Detection capabilities need to be cloud-specific and provide near-real-time data to consumers.
- Authentication/authorization must be robust and integrate with DoD identity management models (CAC, PKI, etc.).
- Security sensors need to monitor both the interior and exterior of the cloud and send alerts to both the CSP and mission system owners.
- Operational capabilities, such as patch management, must be constantly maintained and allow for agile, rapid deployments.
Cloud Agreements
Sustain (Strategic Objective 4)

Agreements must be established between the CSP and consumer, such as contracts, SLAs, and operation support agreements. Agreements between the CSP and customer must address a number of areas:

- Ownership/privacy of data – Multiple tenants, organizations, or commands may reside in the same cloud
- Compliance – With all appropriate DoD and federal regulations and directives
- Performance – Establish performance levels for uptime, access, reporting, outages, etc.
- Recovery – Applications and/or tenant data recovery times
- Security – Define all security at each level (access, data, database, application, infrastructure, etc.)
Cloud Certification & Accreditation
Sustain (Strategic Objective 4)

All organizations and departments operating within a cloud should:
- Leverage the DoD and FedRAMP processes and approved security authorization requirements as a baseline when initiating, reviewing, granting, and revoking security authorizations for cloud services
- Require CSPs to meet DoD and FedRAMP requirements via contractual provisions
- Identify and report on cloud services being used that do not meet DoD and FedRAMP requirements

The Federal Risk and Authorization Management Program (FedRAMP) provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services.

The DoD is going beyond FedRAMP. A computer network defense service provider will manage the security data reporting between DoD organizations and oversight agencies, like Cyber Command and DISA.
Cloud Security Maturity
Mature (Strategic Objective 7): target to move here

- Consolidation – Data consolidation to improve efficiency and unify security information provided across the cloud
- Automation – Automation of security processes, services, and tools to require less manpower, increase response times to threats, and improve efficiency to provide better service
- Collaboration – Remove the barriers of data, software, or IT architecture to facilitate correlation and aggregation of all data feeds to support defense in depth
- Intelligence – Generate easy-to-understand actionable intelligence to spur decisions by administrators and operators
- Visibility – Maintain a real-time view of the enterprise, including all connected devices, and provide continuous monitoring to meet continuous threats

Security measures and security services provided by the cloud should NEVER constitute the totality of your security model. Approach security from a holistic point of view with a layered security “defense in depth” posture against cyber threats.
Government as a Platform

- Government business model changes from isolated systems to integrated services.
- Data ownership, service agreements, and governance of service processes are key issues.
- Cloud implementation requires the most focus on information assurance and security.
- A need exists for better integrated security and threat sharing across cloud boundaries.
- Security is the worst inhibitor of cloud integration and deployment.

Think government as a platform: big-data-accessible, mission events, and streaming service integration to serve mission needs
Presenter notes

Written for IC/DoD customers and potential partners in this space.

The customer wants to know that we understand its mission, are really good at what we do from a technology perspective, and can deliver results.

The potential partner wants to know that we understand its customers’ specific environment and challenges, and wants the “hottest” proof points showing the depth and breadth of our work at the front of the deck.

We must get their attention right away, so less is more in terms of the number of slides and the copy on slides. The most important information should be conveyed; the goal is for the customer/partner to request a meeting or additional information.

Cloud security is not to be confused with security software offerings that are cloud-based, such as security as a service.

Perhaps the greatest security struggle within any multi-tenant cloud environment centers around identity management and the ability to understand “who is who” within the cloud. It is critical that a strong identity management framework be in place within any cloud architecture.

Identity spans the cloud and provides integration between:
- Users & devices and infrastructure
- Infrastructure and apps & services
- Users & devices and apps & services

Identity management can be broken into four distinct areas of responsibility:
- Administration
- Authentication
- Authorization
- Auditing

Per an OMB memo of December 8, 2011, all low and moderate impact cloud services leveraged by more than one office or agency must comply with FedRAMP requirements by 2014.