Following the announcement of FedRAMP Accelerated on March 28, 2016, I spent a lot of time thinking about ways to improve the agility of regulatory frameworks in a cloud-centric world. I am excited by the potential of FedRAMP Accelerated, especially as it comes to the Capabilities Assessment, because I believe it is moving us in the right direction for regulation of the cloud. I was pleased to attend the CSA Federal Summit in Washington, DC on May 12 and to be invited to participate in the Visionary Panel, Meeting Regulatory Challenges for Cloud Security, where I had the opportunity to discuss the core principles Microsoft is driving toward to enable security, transparency, and agility for our cloud products.
Traditionally, regulation and policy lag innovation. One of the outcomes of the cloud revolution is the democratization of access to game changing computational power, without requiring billions of dollars of up front capital investment. By removing the capital expenditure barrier of entry, the cloud will significantly accelerate the pace of innovation; regulation and prescriptive policies will not be able to keep up.
I spend roughly half of my time meeting with customers and policy makers to talk about how innovations in Azure, necessary to support a hyperscale, multitenant cloud, changed fundamental assumptions about IT architecture. These conversations require a good bit of education and negotiation surrounding traditionally prescriptive security controls – like those documented in NIST SP 800-53 – and how the fundamental assumptions about IT architecture that went into the design of those controls have changed in the era of hyperscale.
In fact, given the pace of innovation inherent in cloud computing, the traditional certification and accreditation model that has worked for the last two decades will increasingly fall short, and ultimately demand a different approach. At that point, regulated industries and governments that have not found a way to evolve their frameworks will find themselves years behind the technology curve.
At Microsoft, we think the solution to this challenge is to change the way we approach requirements; more specifically, to shift our focus away from specific implementations and toward specific outcomes. As long as we continue to define how a security goal is met, we will lag, delay, and deny access to innovation. If we instead focus on what our security goals are, and delegate the how out to the technology innovators and security experts, we will harness the speed and power of the cloud in ways that will ultimately make us more secure.
What does an outcome-based world look like? I envision a framework where a government or industry sector identifies the 20/30/50 core security outcomes that matter to them, based on the risks they face and the goals they want to achieve. Cloud Service Providers (CSP) then identify methods of meeting those goals and identify metrics that can be used to demonstrate achievement. Most CSPs will likely begin with the existing prescriptive security control frameworks to architect their implementations. Over time, as CSPs remain anchored to these outcomes, the implementation details will be able to evolve with the changing tides of innovation. At Microsoft, we are already leading this charge. In future posts I plan to delve into greater details about how we approach traditional security challenges like monitoring, access control, and system health.
I foresee several advantages to an outcome-based world. Initially, I believe this helps with regulatory agility which ultimately unbounds innovation. At the same time, I strongly believe this paradigm change will improve security. As a long time information security consultant, auditor, program administrator, and cloud service provider I have spent a lot of my career in the implementation based world. In my experience, compliance in that world can become distracted by semantic debates over control wording or grammar exercises around paperwork, so much so that it loses sight of actual risk mitigation and security. In an outcome-based world, word choice and grammar lose meaning, and we focus instead on risk mitigation and achieving security goals.
Additionally, if we design our list of outcomes well, we also improve the ability to monitor near real-time security posture. As a CSP, Microsoft will be able to track metrics that illuminate our success around each of these outcomes, and provide our customers with dashboards that present those security health metrics for the security frameworks that our customers care about. This will allow our customers to have situational awareness regarding the risk of their data in the cloud, as represented by the core security outcomes that matter most to their industry or government.
During the Meeting Regulatory Challenges for Cloud Security panel, we discussed ways in which federal agencies can begin the process of moving toward outcome-based assessments, even in the era of implementation-based controls. I really enjoyed hearing the thoughts of my fellow panelists and the audience; they inspired me to write this post and begin a broader conversation.
FedRAMP Accelerated is leading us toward this new outcome-based world, which is why I believe that FedRAMP Accelerated will be a success. Microsoft worked with our peer hyperscale cloud providers to provide feedback on the FedRAMP Accelerated Capabilities Assessment. As part of that feedback we provided an initial list of 20 outcomes we recommended that FedRAMP focus on. I included our list below, in hopes of spurring further conversation around sound security principles and helping accelerate the pace of innovation.
|
Initial Capability Questions |
Applicable NIST Cybersecurity Framework |
1 |
Does the CSP have the capability to restrict access to resources to authorized personnel? |
Protect |
2 |
Does the CSP restrict access of administrative personnel in a way that limits the capability of individuals to compromise the security of the information system? |
Protect |
3 |
Does the CSP have the capability to maintain approved security configurations and detect deviations? |
Protect/Detect |
4 |
Does the CSP have the capability to detect, contain, and eradicate malicious software? |
Detect |
5 |
Does the CSP have the capability to transmit and store customer data using sufficiently strong encryption? |
Protect |
6 |
Does the CSP have the capability to detect and remediate system flaws in a timely manner based on risk posed to the system? |
Detect |
7 |
Does the CSP have the capability to identify and authorize users in a manner that cannot be repudiated and which sufficiently reduces the risk of impersonation? |
Protect |
8 |
Does the CSP have the capability to securely store audit data? |
Protect |
9 |
Does the CSP have the capability to perform after the fact, forensic investigations of suspected security incidents? |
Recover |
10 |
Does the CSP have the capability to detect unauthorized or malicious use of the system, including insider threat & external intrusions? |
Detect |
11 |
Does the CSP have the capability to train personnel on security awareness and role-based security responsibilities? |
Protect |
12 |
Does the CSP have the capability to account for the critical components – hardware and software – that comprise the system? |
Identify |
13 |
Does the CSP have the capability to ensure that ongoing maintenance and operation of the system does not degrade the system security posture? |
Protect |
14 |
Does the CSP have the capability to recover the system to a known and functional state following an outage, breach, or disaster? |
Recover |
15 |
Does the CSP have the capability to assess risk, track ongoing risk/remediation, and report risk posture on a regular basis? |
Identify |
16 |
Does the CSP have the capability to restrict physical system access to only authorized personnel? |
Protect |
17 |
Does the CSP have the capability to classify positions by risk and screen personnel based on those risk ratings? |
Protect |
18 |
Does the CSP have the capability to sanitize or destroy physical media prior to removal from the authorization boundary? |
Protect |
19 |
Does the CSP have the capability to notify customers and regulators of confirmed incidents in a timeframe consistent with all legal, regulatory, or contractual obligations? |
Respond |
20 |
Does the CSP have the capability to investigate and remediate suspected incident detections in a timely manner? |
Recover |
Thank you again for participating in this conversation. I look forward to your feedback on our proposed list and to continuing this conversation with the cloud security community.