FISMA Chronicles: FedRAMP, Inheritance and Key Controls

Part 2: FedRAMP, Inheritance and Key Controls

I am leading the FISMA project at Sonian, and we’re getting closer to achieving our first FISMA Moderate accreditation. For background on FISMA, read my first blog post on this subject.

With FISMA Moderate accreditation, Sonian will be able to manage non-defense government data. The accreditation is granted in the form of an “Authority to Operate” (ATO), bestowed upon a project by the government agency that will implement and use the product or service. A cyber security team within that agency evaluates the project’s security documentation and gives the thumbs up or thumbs down. It’s an iterative process that starts with extensive documentation, continues through an independent assessment (the audit), and ends with government review and ongoing oversight. FISMA applies both to third-party services purchased by the government and to internally developed and managed IT projects.

FedRAMP… Briefly

Currently, if a vendor wants to sell the same IT service to more than one government agency, FISMA requires a separate ATO from each agency, which adds time, complexity and cost to the procurement process. Historically, each agency has implemented and interpreted the FISMA standards differently. NIST publishes the standards and guidance all agencies are supposed to follow (FIPS 199 and 200, and the SP 800-53 control catalog), but in reality local interpretation has varied. A “new and improved” accreditation program is supposed to fix some of these issues. FedRAMP is a single umbrella program that applies the existing FISMA rules, plus additions that better fit Software as a Service (SaaS) and cloud computing, in a standardized way, so that one assessment of a cloud service can be reused by many agencies instead of repeated per agency. When the legislation that created FISMA was drafted in 2002, SaaS and cloud computing were not on government technologists’ radar. FedRAMP is a modernization of FISMA that also strives to streamline government IT purchasing, lower costs, and shorten project timelines. FedRAMP will benefit from FISMA’s first decade, so I am hopeful for an improved certification process when FedRAMP is officially ratified in about a year. There is already quite a bit known about FedRAMP, and Sonian is working on a dual strategy: get FISMA Moderate for one agency, then focus on FedRAMP for all other agencies.


Amazon “Partnering” for Enterprise Cloud Success

GigaOM‘s Om Malik is reporting on a new business development partnership between Amazon Web Services and Eucalyptus Systems. Eucalyptus is the startup providing an open source implementation of the AWS cloud APIs. Eucalyptus allows customers to build their own “private” clouds with AWS API compatibility.

Smart move on Amazon’s part. Amazon’s amazing cloud success puts them in a unique position to maintain a commanding lead in public cloud infrastructure, and now with this partnership they have a great story to tell that bridges the gap between large-enterprise private clouds and their market-leading public cloud.

Enterprise cloud adoption needs two crucial ingredients, combined at the right point in the market’s growth. The first is applications, and the second is a credible story of how a “private cloud” can evolve into using public cloud resources.

Since Eucalyptus is the open source equivalent of the core AWS APIs, it seems natural and expected for Amazon to partner with the five-year-old California firm. It’s also noteworthy that neither Amazon nor Eucalyptus wants to characterize the partnership as a “hybrid cloud” play. Amazon probably feels that its ability to drive down costs will eventually attract every business to its cloud, so partnering with the company that created the open source AWS API implementation is a great cloud on-ramp strategy.

As for applications, companies like Sonian are already proving that a public cloud is the best infrastructure to support an enterprise-focused SaaS service. Like Eucalyptus, Sonian is also a five-year-old cloud start-up. The cloud makes it possible for Sonian to exist, while at the same time the cloud needs services like Sonian to solve a business pain point with an application built from the ground up to use a public cloud.

It’s amazing what the “new” cloud industry has accomplished in the past five years. Growth, innovation, and nothing less than a complete paradigm shift in enterprise IT.

Stolen Macbook and iPads Re-affirms Cloud Backup Strategy

A recent computer theft highlights the critical difference between having a “backup” and protecting local and cloud storage from identity theft once the devices are gone.

I wasn’t planning to write about this topic for my weekly post, but then “life happens” and this subject is at the top of my mind. My hope is you will learn from my mistakes and save yourself a lot of grief.

Two weeks ago the family computer, a Macbook, a couple of iPads, and an iPod were stolen from my part-time residence. The detective, while dusting for fingerprints and examining the bent window frame where the thief (or thieves) entered, muttered “typical B & E [breaking and entering], smash and grab, you won’t see your stuff again unless we’re really lucky.” Unfortunately the burglar alarm wasn’t enabled because, at the time of the robbery, there was a fierce Santa Ana wind storm, and the over-sized glass windows, offering mountain views, flex with the wind and set off the motion detectors. The robbery took place during a quick run to the store and was probably still in progress when the car pulled back into the driveway. I know this because a pile of other stuff the robber was gathering remained in the middle of the kitchen floor, abandoned because of a sudden exit. Had we not arrived when we did, more valuable stuff would have been stolen. A sliding door at the rear of the house was ajar, and police assume that was the exit path.

Event Timeline

Tuesday

10:00pm – In-progress robbery thwarted, police called.

10:10pm – Police arrive and assess the crime scene: fingerprint dusting, etc.

For about an hour: in shock, figuring out what was stolen, and trying to repair the broken window to keep the wind out. Realized all the computer equipment was gone and started to think about protecting the data.

Midnight – Police leave and ask for serial numbers so they can log the computer equipment into a database for pawn shops to check.


Only in the Cloud… Active and Passive Savings

File this one under “amazing but true.”

Today Amazon Web Services customers awoke to find their prices have been lowered for EC2, RDS and ElastiCache.

All standard (on-demand) EC2 customers get a 10% discount. This is for doing absolutely nothing. Didn’t have to write more code, didn’t have to plead with or strong-arm a sales rep, didn’t have to threaten to change vendors. This is the promise of the cloud. A system running on AWS yesterday costs 10% less to run today.

For AWS customers who “meet Amazon in the middle” (i.e. “you do some work, Amazon does some work”), the savings are more dramatic. Reserved Instance price reductions range from 37% to 41%. This is the other positive aspect of the cloud: as a cloud customer, if you are willing and able to make changes in small increments, the savings add up. The cloud has a continuous history of price reductions in the form of new features and service derivatives, but to take advantage of them you have to write code. S3 Reduced Redundancy is a good example. It’s a flavor of S3 with a lower price and lower durability, which is perfectly fine for objects that are less important, meaning objects you can regenerate or that already exist somewhere else; it is not the place for the only copy of anything. But you need to write code, choosing that storage class per object, to take advantage of it.

The cloud has the dual concepts of “passive savings” and “active savings.”

“Cloud Killed the (SaaS) Rock Star”

“Cloud Killed the (SaaS) Rock Star”…

… well, not literally, but definitely in a figurative sense.

The press release below is the all-points bulletin heralding that the cloud has “won.” Why do I say this? Because LiveOffice, a non-cloud SaaS company, couldn’t compete against the new generation of SaaS start-ups powered by true public cloud computing, like Sonian.

LiveOffice was the rock star of SaaS archiving. Ten years in business, and they deserve credit as one of the pioneers who legitimized the SaaS market. When LiveOffice launched a decade ago, they had to operate their own data centers. (This is called “co-location powered SaaS.”) But during the past five years, the world changed underneath them. Usually a shrinking market causes this kind of disruption, but the SaaS archiving market didn’t get smaller; it’s bigger than ever. What changed starting in 2007? The advent of the public cloud. Suddenly, any SaaS company running its own data center became vulnerable to competitors able to harness the cloud. This is the beginning of the cloud-powered SaaS era.

Seriously, I wish all the best to the LiveOffice team. Sonian and LiveOffice competed vigorously from 2008 to 2011. Symantec acquired a great team, and the fit between LiveOffice and Symantec makes a ton of sense, and it’s understandable why Symantec made the acquisition.

Although LiveOffice called themselves a “cloud archiving” company, that was stretching the truth. The cloud moniker is so overused at this point, the public is deceived into believing they are using a cloud service, when in fact, it’s really just re-packaging the same old SaaS with a new label.

Why did this Happen?

Operating a SaaS infrastructure on a pure cloud environment is vastly different from running a co-located system; it’s the reason we’re going to see more old-world SaaS companies change control or fade away. It will be exceedingly difficult to re-tool a co-located, hosted SaaS business to use the cloud. Not impossible, but very difficult. The whole architecture would need to change. I say this having lived in both worlds, with the cloud battle scars to prove it.


FISMA Chronicles: Prologue – Quick Immersion into a New World

In December 2002 the US Congress passed the Federal Information Security Management Act (FISMA). FISMA requires each government agency to implement policies, procedures, and documentation for information security. This covers internal and external government-run systems, and systems provided by third-party providers.

A flourishing information security practices industry has developed in FISMA’s wake to help guide the government and vendors through the numerous, byzantine certification activities.

The FISMA mission statement is to:

Protect the Nation’s Critical Information Infrastructure

FISMA systems are categorized into one of three impact levels (defined in FIPS 199), each with its own risk profile:

  • Low – Procedures to manage public-facing government websites, such as data.gov
  • Moderate – Best practices for managing sensitive data and personally identifiable information such as credit card numbers, social security numbers, etc.
  • High – Strict policies for managing military, intelligence and classified information, where a breach would have a severe or catastrophic effect.

The majority of internal applications require FISMA Moderate. The Moderate certification process is the focus of this series.

The Moderate risk profile means addressing over three hundred controls (base controls plus their enhancements), ranging from information handling and physical media management to risk assessment. NIST SP 800-53 groups the controls into the following “control families”; the two-letter identifier is the prefix used in control numbers such as AC-2 or MP-6:

  1. Access Control (AC)
  2. Awareness and Training (AT)
  3. Audit and Accountability (AU)
  4. Security Assessment and Authorization (CA)
  5. Configuration Management (CM)
  6. Contingency Planning (CP)
  7. Identification and Authentication (IA)
  8. Incident Response (IR)
  9. Maintenance (MA)
  10. Media Protection (MP)
  11. Physical and Environmental Protection (PE)
  12. Planning (PL)
  13. Personnel Security (PS)
  14. Risk Assessment (RA)
  15. System and Services Acquisition (SA)
  16. System and Communications Protection (SC)
  17. System and Information Integrity (SI)
  18. Program Management (PM)

Many start-ups address the above in various levels of completeness, but may not necessarily have all the supporting documentation to prove compliance. For SaaS systems operating in a cloud environment, the challenge is to describe the control boundaries between the cloud provider and the application layer. For example, FISMA requires a policy for physical media disposal. The app layer (i.e. the cloud customer) has no access to physical media in a cloud environment, so that control is the responsibility of the cloud provider and the app layer inherits it. Conversely, the cloud infrastructure has no control over the app layer, so the requirement for two-factor authentication to the web application is the responsibility of the app layer, not the cloud provider. An inherited control is not a free pass: the system security plan still has to list it, state that it is inherited, and point at the provider’s own assessment that covers it. A control the provider owns but has not had assessed is a gap the app layer cannot close on its own.

FISMA wasn’t designed for a world with cloud computing. Its heritage goes back to 2002, a world of hardware-centric design principles and best practices. Sonian and others are pioneering FISMA Moderate certification in a cloud environment.
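As an added example (not Sonian’s code and not any NIST tool), here is a small Python check for the control-boundary question above. It sorts a list of controls into what the app layer inherits, what it must implement itself, and gaps, where a gap is a provider-owned control (or the provider’s half of a shared one) that the provider has not attested in its own authorization package. The control IDs are real SP 800-53 identifiers; which party owns each one, and which ones the provider attests, are constructed assumptions.

```python
"""Control-inheritance check for a SaaS application running on a public cloud.

Added example; not Sonian's code and not a NIST tool. Control IDs and titles
come from NIST SP 800-53; the responsibility assignments and the set of
provider-attested controls below are constructed assumptions.
"""
from dataclasses import dataclass
from enum import Enum


class Party(Enum):
    PROVIDER = "provider"   # cloud infrastructure provider (the IaaS layer)
    CUSTOMER = "customer"   # the application layer (the SaaS vendor)
    SHARED = "shared"       # each side implements its own portion


@dataclass(frozen=True)
class Control:
    id: str
    family: str
    title: str
    responsible: Party


# Constructed slice of a Moderate baseline. Who owns each control is an
# assumption for illustration, not a published inheritance matrix.
CONTROLS = [
    Control("MP-6", "MP", "Media sanitization", Party.PROVIDER),
    Control("PE-3", "PE", "Physical access control", Party.PROVIDER),
    Control("IA-2", "IA", "Identification and authentication (organizational users)", Party.CUSTOMER),
    Control("AC-2", "AC", "Account management", Party.SHARED),
    Control("AU-2", "AU", "Auditable events", Party.SHARED),
    Control("SC-13", "SC", "Cryptographic protection", Party.CUSTOMER),
    Control("CP-9", "CP", "Information system backup", Party.CUSTOMER),
]

# Controls the provider's own authorization package attests (constructed).
PROVIDER_ATTESTED = {"MP-6", "PE-3", "AC-2", "AU-2"}


def classify(controls, provider_attested):
    """Sort controls into inherited, implement, and gaps.

    A provider-owned control counts as inherited only if the provider
    attests it; otherwise it is a gap, since the app layer cannot reach the
    physical media or data-center doors to implement it. Customer-owned
    controls are always on the implement list. Shared controls go on the
    implement list (the app layer owes its portion) and are also a gap when
    the provider's portion is unattested.
    """
    result = {"inherited": [], "implement": [], "gaps": []}
    for c in controls:
        attested = c.id in provider_attested
        if c.responsible is Party.PROVIDER:
            if attested:
                result["inherited"].append(c.id)
            else:
                result["gaps"].append((c.id, "provider control not attested"))
        elif c.responsible is Party.CUSTOMER:
            result["implement"].append(c.id)
        else:
            result["implement"].append(c.id)
            if not attested:
                result["gaps"].append((c.id, "provider portion of shared control not attested"))
    return result


def ssp_rows(controls, provider_attested):
    """One row per control, as a system security plan table needs it:
    control ID, family, and the implementation-status text."""
    status = classify(controls, provider_attested)
    inherited = set(status["inherited"])
    gaps = dict(status["gaps"])
    rows = []
    for c in controls:
        if c.id in gaps:
            text = "GAP: " + gaps[c.id]
        elif c.id in inherited:
            text = "Inherited from cloud provider"
        elif c.responsible is Party.SHARED:
            text = "Shared: provider portion inherited, app-layer portion implemented"
        else:
            text = "Implemented at application layer"
        rows.append((c.id, c.family, text))
    return rows


if __name__ == "__main__":
    for row in ssp_rows(CONTROLS, PROVIDER_ATTESTED):
        print("%-6s %-3s %s" % row)
```

Run it with a provider attestation set that is missing one of the provider-owned controls and the corresponding row comes back as a gap rather than silently inherited; that is the case to check before claiming inheritance in the plan.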

Topics I will cover in upcoming issues of the FISMA Chronicles:

  • The impact cloud computing has on FISMA
  • How “agile” start-ups manage ongoing FISMA compliance requirements
  • FedRAMP is the next step toward consistent FISMA-like accreditation

Image Credit: fismacenter.com

Creating Differentiated IP in a Cloudy World

Increasingly, a cloud-based start-up’s intellectual property is a mixture of proprietary technology and “IP” created by tuning open source modules to work on various cloud environments. This includes configuration settings, tuning parameters, architectural designs, automated deployment scripts and a best-practices “run book.” The combination creates trade secrets in the form of code and operational best practices for Amazon Web Services, IBM SmartCloud, OpenStack and other clouds.

A fusion of recent meetings with investor audiences:

  • Investor: “What’s the secret sauce here?”
  • Cloud Start-Up CTO: “It’s a combination of open source and home built technology.” [Projects pretty diagram of all the platform components and their function.]
  • Investor: “What’s the protectable IP?”
  • Entrepreneur: “It’s not a single patentable idea. It’s a collection of best practices, proprietary code, and of course, open source.”
  • Investor: “What keeps a competitor from copying you?”
  • Lean Start-Up CTO: “Hard to say. We have five years accumulated experience that you can only get by living through five years of growing up with the modern public cloud.”
  • Investor: “How long would it take for someone else in their garage to build the same thing?”
  • Curious CTO: “Probably three years. A hypothetical team on the same mission will have about two years’ less learning experience compared to our journey. Do you have any other cloud-themed investments?”
  • Investor: “What’s the secret sauce here?”
  • Exasperated CTO: “I think we already covered this?”
  • Investor: “I’m still not getting it. What’s the proprietary IP?”
  • Frustrated CTO: “Let me try to explain. There is no off-the-shelf ‘playbook’ or Cliff Notes for what we are doing in the cloud. Best practices are learned in real time, just in time. Each cloud has its own unique operating characteristics. Think of each cloud having its own laws of physics. There are some similarities, but also many important differences. And understanding these differences determines success or failure.”
  • Investor: “I want to be part of this project. But I don’t quite get what’s special here, and what can keep competitors from catching up. Help me get to…. Yes.”
  • Enlightened CTO: “In the cloud, differentiated IP is created with the combination of proprietary code, open source, and tuning the entire system to work simultaneously on many cloud environments, using one reference architecture. It’s our trade secrets expressed as a system run book and operational best practices for Amazon Web Services, IBM SmartCloud, OpenStack and the other clouds.”

What do GitHub and GrabCAD Have in Common?

During our last board meeting one of our directors mentioned a start-up he thought was interesting: GrabCAD. A while ago I had read about this company on TechCrunch, but since the company was in the CAD/CAM space I filed a note in a brain-cell memory register: “interesting company, but not something I need to follow closely.”

But a different thought took hold: GrabCAD is to the CAD/CAM professional what GitHub is to the software professional. We’re witnessing the rise of start-ups that cater to “niche” audiences who create a certain kind of content as their prime means of professional affiliation. Don’t take offense at the term “niche audience” applied to software or CAD professionals. It’s just a way to say “not a mass audience” of the kind served by a general-purpose content creation site like Tumblr, WordPress.com, etc.

GrabCAD targets the CAD/CAM professional with a CAD-specific sharing space augmented with a thin “social network layer.” Create a drawing, upload to GrabCAD, post a link “hey look what I created” and share, trade, and sell your work product. It’s not a place to generate generalized content (like Google Docs, ZoHo, or Office 365), but rather a sharing space for affiliated professionals that want to showcase “their wares.”

GitHub is a content sharing system that targets the software professional. In this case, “content equals source code.” It’s really “social source code management” with a bunch of other goodies like wikis and pastes mixed in. Source code management has been around forever, but GitHub makes it really easy to share and integrate code from various projects. Developers don’t actually write their code in GitHub; they do that in their own development environments, just as CAD professionals don’t use GrabCAD to create drawings.

In the software world, it is now common for developers to tout their GitHub account URL as a living resume. You can imagine the CAD/CAM professional one day sharing links to their GrabCAD creativity just as software developers share their GitHub awesomeness.

Catering to a large niche audience with a custom experience is a successful end run around mass-appeal social networks like Facebook. The core required features, such as file upload, link sharing, and comment curation, exist in many platforms, from WordPress to Drupal to Facebook. But a generic user experience will not suffice. GrabCAD speaks the language of the CAD industry. GitHub does the same for the software industry.

There are other examples of this trend, although none as focused as GrabCAD or GitHub:

  • Prezi and Slideshare for presentations, although not specifically targeted toward a specific profession.
  • Scribd for documents. But not targeted to a specific industry.
  • Disqus for comments? Would it be a stretch to cite Disqus for the professional commenter? Probably, but an interesting idea.
  • Basecamp for project managers.
  • Sortfolio for web designers.

I can imagine other industries ripe for this niche audience approach: legal (specialized documents), chemical (formulas), teachers (lesson plans), music (lyrics). Easy and clear content owner attribution will need to be resolved for some of these ideas to be successful.

I’m excited to see the next GrabCAD come to life. If you know any vertically aligned profession where content creation is the core work product, scratch your entrepreneurial itch and create a niche-audience user experience now.

New Cloud Rules: Replace Instead of Fix

Here’s an all-too-common scenario from the “cloud chronicles.” A virtual machine that has been operating just fine for days, and has 50 identical twins with the same configuration, starts to exhibit problems. Slow virtual disk performance. Network brown-outs. Disconnecting and reconnecting within its functional cluster. Monitoring systems alert on degrading performance, and the knee-jerk response is to jump on the box (now a VM) and start troubleshooting the issue. The problem is, spending any time troubleshooting an anomaly in the “cloud” is the wrong reaction. In the cloud, the first response, when a node starts to exhibit erratic behavior, should be to replace, not fix.

Replacing, instead of fixing, goes against the ingrained habits of over two decades of entrenched IT best practices. In the pre-cloud world, when real hardware was the base, we had to “fix IT” because replacing was too expensive and not practical. There was not an endless pile of spares lying about for a “replace IT” mindset.

But in the cloud, with nearly infinite capacity in theory, the remediation for an errant node should be to replace it immediately and move on.

Why Is This?

Because there are too many causes beyond our control below the OS level in a cloud environment. Think of the cloud as living in a high-rise building. Each unit in the building, just like each cloud customer, can have whatever interior they want, but there are also massive shared resources in the building. So while our interior may be a candidate for the next Architectural Digest cover, our neighbor could “kill our chill” with a too-loud stereo. The cloud suffers from the noisy-neighbor problem just like our theoretical high-rise. But in the cloud, we can choose to move and jump back into the random lottery for a new unit. We can’t change the building, but we can change our location within the building.

Of course, you need the right cloud-centric architecture to be able to simply “replace IT” instead of “fix IT”: nodes built from a known image, with no state that lives only on the node. Having that cloud dexterity is critical to operating a successful cloud deployment.

The cloud requires us to “un-learn” the best practices of the past and embrace a new way of thinking about “break fix.” While replacing instead of fixing may seem wasteful, it’s really not. The time spent troubleshooting the random problem will not yield significant insights, and could be better spent on more value-add projects. Usually, after extensive diagnosis, the only recourse is to replace the node anyway, since the original problem was an outlier. Two caveats: replace from a known-good image rather than cloning the sick node, so that whatever went wrong (or whoever got in) does not come along for the ride; and snapshot the volume or ship the logs off before terminating, so the anomaly can still be investigated later if it turns out not to be random after all.
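As an added example (not Sonian’s tooling), here is the decision logic for the “replace, don’t fix” rule in Python, with the one check a practitioner would want on top of it: a single node that is slow compared with its twins is the noisy-neighbor case and gets replaced, but if a large share of the fleet degrades at once the cause is shared (our code, a config push, the provider’s zone) and replacing nodes would only hide it, so the decision becomes “escalate.” Node names, latency values and thresholds are constructed assumptions.

```python
"""Outlier detection for a cluster of identical nodes, deciding whether one
degraded node should be replaced or the whole fleet escalated.

Added example; not Sonian's tooling. Node names, latency samples and the
thresholds are constructed assumptions.
"""
from statistics import median


def outlier_nodes(samples, threshold=3.5):
    """Return nodes whose metric is abnormally HIGH relative to their twins.

    samples: dict of node name -> metric (e.g. disk write latency in ms).
    Uses the median and the median absolute deviation (MAD) instead of mean
    and standard deviation, so one badly misbehaving node cannot drag the
    baseline toward itself. The 0.6745 factor scales MAD to a
    standard-deviation-like unit for normally distributed data, which makes
    3.5 the usual "modified z-score" cut-off.
    """
    values = list(samples.values())
    if len(values) < 3:
        return []  # too few twins to say what normal looks like
    med = median(values)
    mad = median(abs(v - med) for v in values)
    if mad == 0:
        return []  # every twin reports the same value; nothing stands out
    return [n for n, v in samples.items() if 0.6745 * (v - med) / mad > threshold]


def decide(samples, max_replace_fraction=0.1):
    """Replace a few outliers; escalate if too many nodes degrade at once.

    Returns ("ok", []), ("replace", nodes) or ("escalate", nodes). Anything
    over max_replace_fraction of the fleet is treated as a shared cause
    rather than a noisy neighbor, and handed to a human.
    """
    bad = outlier_nodes(samples)
    if not bad:
        return ("ok", [])
    if len(bad) > max_replace_fraction * len(samples):
        return ("escalate", bad)
    return ("replace", bad)


def build_samples(n_healthy, n_degraded, healthy_ms=20, degraded_ms=400):
    """Constructed fleet: healthy twins jitter between healthy_ms and
    healthy_ms + 4; degraded nodes sit at degraded_ms."""
    fleet = {}
    for i in range(n_healthy):
        fleet["i-%04d" % i] = healthy_ms + (i % 5)
    for j in range(n_degraded):
        fleet["i-%04d" % (n_healthy + j)] = degraded_ms
    return fleet


if __name__ == "__main__":
    print(decide(build_samples(49, 1)))   # one noisy neighbor: replace it
    print(decide(build_samples(40, 10)))  # a fifth of the fleet: escalate
```

The fraction cap is the part worth tuning for a real fleet: set it from the number of nodes you can lose to a normal replacement cycle without affecting the cluster, and treat anything above it as an incident, not a node problem.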


Boston’s Emerging Cloud “Swagger”

This week is a “cloud-themed” double treat for me. I attended both Cloud Connect and the San Francisco Cloud Mafia meet-up. Cloud Connect has become an annual Sonian tradition. Sonian has been wrangling public cloud infrastructures for five years, and Cloud Connect is a great opportunity to “connect” with other cloud users and technology providers.

Ever since I heard about the first San Francisco Cloud Mafia event I have wanted to attend. The challenge was justifying a West Coast trip to coincide with the meet-up date. It was my good fortune that both events occurred the same week and in close proximity. Over 100 people attended Cloud Mafia last night to hear talks from AppFog, Loggly and New Relic. I was struck by the “electricity” in the air around this event. And the topic was more “nuts and bolts” about cloud management compared with the business-themed topics of the previous Cloud Mafia meet-ups.

Boston has many great “cloud” technology companies and enthusiastic individuals supporting the cause, but not as many compared with the activity in San Francisco and Silicon Valley. Sonian sponsors Mondays in the Cloud for Boston-area cloud aficionados looking for their cloud fix. In addition, there are numerous “big data” and entrepreneurial events sponsored by MassTLC, BostonInno, CloudInno and others at venues such as Microsoft NERD, the Royal Sonesta Cambridge and the Foley Entrepreneurial Center in Waltham, MA.

I’ve detected an emerging “Boston Cloud Swagger” throughout 2011 and increasing in 2012. More companies innovating in the cloud, solving interesting problems, and contributing to the home town technology eco-system. Even in my own presentations, meetings and blogging about Sonian’s cloud accomplishments, my articulation is that of “seasoned cloud veteran,” which reflects Sonian’s commanding lead in the cloud. It’s a swagger well earned through our cloud “trials and tribulations.”

There have been many comparisons between Boston and Silicon Valley start-up scenes. The basic sentiment of the past was there seemed to be more innovation occurring on the West Coast than here in the East. There are certainly more companies in the West, but Boston isn’t far behind with our own growing tech scene created by our universities and deep historical roots in innovation, especially for enterprise IT.

The West Coast does take the lead in number of gatherings where tech folks meet to share ideas. Boston feels more insular. The Valley’s weather provides more year-round opportunities and incentives to make time for meet-ups. Sometimes it’s hard to get motivated to head out, after a long day at the office, on a frigid February night to a tech meet-up. There has to be an anticipated reward for the effort.

I feel energized from last night’s Cloud Mafia meet-up and will amplify that sentiment by contributing to Boston’s very own Cloud Swagger.