Yin Lipo: US Cloud computing Services security Review worth learning

Yin Lipo, chief engineer of the Electronic Science and Technology Information Research Institute of Industry and Information technology, said in an interview recently that the U.S. federal government's application and safety management of cloud computing services is well worth our reference.

Yin Lipo said that cloud computing because of its cost-saving, easy maintenance, flexible configuration has become a priority for Governments to promote the development of a service. The United States, Britain, Australia and other countries have issued relevant development policies, has planned to promote the government Department of Information systems to the cloud computing platform migration. But it should also be seen that the use of cloud computing services by government agencies poses security challenges to their sensitive data and to the security of important businesses. The US, as an advocate of cloud computing services, has launched a "cloud-first strategy" that requires a large number of federal government information systems to migrate to the "cloud" and, on the other hand, requires a security review of the cloud services provided to the federal government to ensure security.

Yin Lipo said the federal government's application and security management of cloud computing services has undergone four processes and phases.

First of all, from the "money to build systems" to "spend money to buy services", the cloud Computing strategy as the Guide to promote the federal government cloud computing security applications.

The Obama administration launched the Federal Cloud Computing Initiative in 2009, with the Executive Facilitation Committee and the Cloud Computing Advisory Committee under the Federal Chief Information Officer Committee, a cloud computing project management Office in the General Services Department, which established the federal cloud computing development goals and responsibilities and began to promote cloud computing applications. In 2010, the Federal Budget Administration released the 25-point implementation Plan for reforming federal Information Technology management, implementing the "cloud first" strategy, requiring the gradual migration of business systems to the cloud computing platform, and the reduction of 800 federal data centers by 2015. In the 2011, the United States issued the federal cloud computing strategy, to clear the federal government to the cloud computing migration of specific plans to create a secure cloud computing application environment. In the same year, the Department of Homeland Security developed a "safety perspective on cloud computing: Getting started with federal information technology managers", pointing out 16 key security challenges facing the federal government. The National Institute of Standards and Technology published the "Public Cloud computing Security and Privacy Guide" and the "Full Virtualization Technology Security Guide" two standards, the next step for the federal government to establish cloud computing Services Security Review system to do a good job of policy.

Second, from "who examines, who use" to "unified review, multi-use", risk management and review authorization as the core, the establishment of cloud computing services review System.

In 2011, the Federal Budget Administration issued the Chief information Officer memo, "cloud computing Environmental Information System Security Authority", officially launched the cloud computing "federal Risk and Authorization management Plan" (FedRAMP). According to the Federal Information Security Administration Act, the federal government's information system is subject to security assessment in the context of federal information system security management, with safety measures taken in accordance with the relevant standards. For the federal government departments to purchase cloud computing services, FedRAMP adopted by the Third-party assessment agencies in accordance with the relevant standards for cloud computing services Security risk assessment, FEDRAMP based on the evaluation results of the review, the cloud services through the review to give initial authorization. All federal departments can choose cloud computing services based on their own needs in the initial authorization list, achieve a unified review, efficient management of multiple use, and the federal government departments can share security assessment and review results, avoid duplication of assessment and review.

Third, the establishment of a special review body, the introduction of third-party evaluation Mechanism, the establishment of cloud computing security Management guarantee mechanism.

FedRAMP established a perfect security audit mechanism for cloud computing services, which defined the government role and responsibilities of cloud computing security management. First, the establishment of a leading decision-making body-joint delegation of authority, by the Ministry of Defence, Department of Homeland Security, General Services tripartite tripartite, responsible for the development of the federal government cloud computing Services safety Control baseline requirements, the approval of Third-party accreditation standards, the initial authorization of cloud computing services, etc. The second is to set up the FedRAMP project management Office, which is subordinate to the General Department, to be responsible for daily management safety Assessment, authorization, continuous supervision, etc., and to cooperate with the national Standards and Technology Research Institute on the capacity identification and day-to-day management of third party institutions Reporting security incidents; Third, the introduction of third-party evaluation Mechanism, THIRD-PARTY agencies must meet the needs of fedramp independence and technical requirements, the cloud computing services to perform an independent security assessment.

The paper focuses on the top design of the review, from "Prior examination" to "afterwards supervision", and establishes a series of standardized methods and procedures.

The federal government is focused on top-tier design for cloud computing security management, according to the Federal Information Security Administration Act as the legal basis, the federal information resources management as the policy basis, in the national standard "Federal Information systems and organizational security and privacy control" (SP800-53), based on the formation of a cloud computing security baseline requirements, And with the third party organization cognizance, cloud computing service review, cloud computing service continuous supervision three key links as the hand, has provided 10 dozen standardized template, the procedure and the Guide material, has established the Federal government Cloud Computing Service Security review system. At the same time, FedRAMP explicitly requested federal agencies to procure and use cloud computing services that meet security review requirements from June 2014 onwards. So far, FedRAMP has identified 27 third-party agencies involved in the security assessment of cloud computing services, and has passed security audits for 12 cloud computing services from 11 cloud computing service providers.

Yin Lipo said that the Obama administration, through the enactment of a package of strategic planning, policies and regulations, the standard guide, set up a cloud computing services review System and authorization mechanism, so that decentralized, repetitive, inefficient government cloud computing services system orderly, unified and efficient operation, it is worth China's reference.

First of all, continuously strengthen the Government and related to national security in the field of network security management. From the Clinton administration's National Information security Assurance procurement policy, to the Bush administration's Federal Information Security Administration Act and the federal agency's guidelines for the procurement of security and assessment products, and to the Obama administration's federal risk and authorization management plan for the Federal Cloud Computing service, the United States has always taken the "addition" , carrying out the network security examination of government information system, effectively guaranteeing the network security of its key department.

Secondly, the absolute authority of the cloud Computing Service Review management and coordination organization is the fundamental guarantee for the smooth implementation and implementation of various systems and standards. The Department of Defense, Department of Homeland Security, General services, as the United States Federal Supreme safety Decision-making and government service security agencies, all federal agencies have strong influence, coordination and leadership, a strong guarantee of the review of laws and regulations, policies and standards for the full implementation.

Third, the Cloud computing Services review policy, standards, is to standardize the cloud computing services review process, improve the efficiency of the basis of review. The perfect policy regulations and standard templates both provide the system guarantee for the federal Cloud Computing Service Security Review, strengthen the cloud computing service provider's approval degree to the examination result, and help to maintain the credibility of the review. At the same time, consistent standards also reduced duplication of review and increased the utilization of the results of the review.

Finally, pay attention to the continuous monitoring and evaluation of cloud computing service, and promote the security application of cloud computing service. By requiring cloud computing service providers to periodically submit the network security Self-Assessment report, the risk situation change report, as well as the development of network security Incident Response plan, and submitted to the third party to carry out independent security assessment, thus establishing the normal mechanism of cloud computing services supervision and management to ensure the security application of cloud computing services in the federal

(Responsible editor: Mengyishan)