Irs Safeguards Cloud Computing Notification Exhibit 16


  • 8/10/2019 Irs Safeguards Cloud Computing Notification Exhibit 16

    IRS Office of Safeguards Technical Assistance Memorandum

    Protecting Federal Tax Information (FTI) In a Cloud Computing Environment

    September 2012 Update

    Introduction

    As defined by the National Institute of Standards and Technology (NIST), "Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. This cloud model promotes availability and is composed of five essential characteristics, three service models, and four deployment models."

    Recently, the Federal Government has released the Federal Risk and Authorization Management Program (FedRAMP) to account for the unique security requirements surrounding cloud computing. FedRAMP consists of a subset of NIST 800-53 security controls targeted towards cloud provider and customer security requirements.

    As agencies look to reduce costs and improve reliability of business operations, cloud computing may offer promise as an alternative to traditional data center models. By utilizing the following cloud service models, agencies may be able to reduce hardware and personnel costs by eliminating redundant operations and consolidating resources. Cloud services offered by third party providers are often tailored to provide agencies with very precise environments to meet their operating needs.

    An agency's cloud implementation is a combination of a service model and a deployment model. NIST SP 800-145 outlines the possible service models that may be employed during a cloud implementation:

    Cloud Software as a Service (SaaS). The capability provided to the consumer is to use the provider's applications running on a cloud infrastructure. The applications are accessible from various client devices through a thin client interface such as a web browser (e.g., web-based email). The consumer does not manage or control the underlying cloud infrastructure, including network, servers, operating systems, storage, or even individual application capabilities, with the possible exception of limited user-specific application configuration settings.

    Cloud Platform as a Service (PaaS). The capability provided to the consumer is to deploy onto the cloud infrastructure consumer-created or acquired applications created using programming languages and tools supported by the provider. The consumer does not manage or control the underlying cloud infrastructure, including network, servers, operating systems, or storage, but has control over the deployed applications and possibly application hosting environment configurations.

    Cloud Infrastructure as a Service (IaaS). The capability provided to the consumer is to provision processing, storage, networks, and other fundamental computing resources where the consumer is able to deploy and run arbitrary software, which can include operating systems and applications. The consumer does not manage or control the underlying cloud infrastructure but has control over operating systems, storage, deployed applications, and possibly limited control of select networking components (e.g., host firewalls).

    Organizations have several choices for deploying a cloud computing model, as defined by NIST in SP 800-145:

    Private cloud. The cloud infrastructure is operated solely for an organization. It may be managed by the organization or a third party and may exist on premise or off premise.

    Community cloud. The cloud infrastructure is shared by several organizations and supports a specific community that has shared concerns (e.g., mission, security requirements, policy, and compliance considerations). It may be managed by the organizations or a third party and may exist on premise or off premise.

    Public cloud. The cloud infrastructure is made available to the general public or a large industry group and is owned by an organization selling cloud services.

    Hybrid cloud. The cloud infrastructure is a composition of two or more clouds (private, community, or public) that remain unique entities but are bound together by standardized or proprietary technology that enables data and application portability (e.g., cloud bursting for load balancing between clouds).

    Based on NIST guidance, industry best practices, and the Internal Revenue Service (IRS) Publication 1075, this memo provides agencies guidance for securing FTI in a cloud environment. These preliminary requirements are sub

    1. Notification Requirement. The agency must notify the IRS Office of Safeguards at least 45 days prior to transmitting FTI into a cloud environment.

    2. Data Isolation. Software, data, and services that receive, transmit, process, or store FTI must be isolated within the cloud environment so that other cloud customers sharing physical or virtual space cannot access other customer data or applications.

    3. Service Level Agreements (SLA). The agency must establish security policies and procedures based on IRS Publication 1075 for how FTI is stored, handled, and accessed inside the cloud through a legally binding contract or Service Level Agreement (SLA) with their third party cloud provider.

    4. Data Encryption in Transit. FTI must be encrypted in transit within the cloud environment. All mechanisms used to encrypt FTI must be FIPS 140-2 compliant and operate utilizing the FIPS 140-2 compliant module. This requirement must be included in the SLA.

    5. Data Encryption at Rest. FTI must be encrypted while at rest in the cloud. All mechanisms used to encrypt FTI must be FIPS 140-2 compliant and operate utilizing the FIPS 140-2 compliant module. This requirement must be included in the SLA.

    6. Persistence of Data in Relieved Assets. Storage devices where FTI has resided must be securely sanitized and/or destroyed using methods acceptable by National Security Agency/Central Security Service (NSA/CSS). This requirement must be included in the SLA.

    7. Risk Assessment. The agency must conduct an annual assessment of the security controls in place on all information systems used for receiving, processing, storing, and transmitting FTI. For the annual assessment immediately prior to implementation of the cloud environment and each annual risk assessment (or update to an existing risk assessment) thereafter, the agency must include the cloud environment. The IRS Office of Safeguards will evaluate the risk assessment as part of the notification requirement in #1.

    8. Security Control Implementation. Customer defined security controls must be identified, documented, and implemented. The customer defined security controls, as implemented, must comply with Publication 1075 requirements.

    These requirements are explained in detail in the sections below.

    #1 Notification

    To utilize a cloud environment that receives, processes, stores, or transmits FTI, the agency must meet the following mandatory notification requirements:

    If the agency's approved Safeguard Procedures Report (SPR) is less than six years old and reflects the agency's current process, procedures, and systems, the agency must submit the Cloud Computing Notification (see Publication 1075 Exhibit 16), which will serve as an addendum to their SPR.

    If the agency's SPR is more than six years old or does not reflect the agency's current process, procedures, and systems, the agency must submit a new SPR and the Cloud Computing Notification (see Publication 1075 Exhibit 16).

    Before the SPR has been updated with the information from the Cloud Computing Notification Requirements, the IRS strongly recommends that a state agency planning on implementing a virtual environment contact the Office of Safeguards at SafeguardReports@irs.gov to schedule a conference call to discuss the details of the planned cloud computing implementation.

    #2 Data Isolation

    One of the most common compliance issues with FTI is data location. Use of an agency-owned computing center allows the agency to structure its computing environment and to know in detail where FTI is stored and what safeguards are used to protect the data. In contrast, a characteristic of many cloud computing services is that detailed information about the location of an organization's data is unavailable or not disclosed to the service subscriber. This makes it difficult to ascertain whether sufficient safeguards are in place and whether legal and regulatory compliance requirements are being met.

    IRS Publication 1075 section recommends separating FTI from other information to the maximum extent possible. Organizing data in this manner will reduce the likelihood of unauthorized data access and disclosure. If complete separation is not possible, the agency must label FTI down to the data element level. Labeling must occur prior to introducing the data to the cloud, and the data must be tracked accordingly through audit trails captured for operating systems, databases, and applications that receive, store, process, or transmit FTI. The agency must be able to verify with the cloud provider, at all times, where the FTI has travelled in the cloud and where it currently resides.

    IRS Publication 1075 section 9, Audit & Accountability, states audit logs must enable tracking activities taking place on the system. IRS Publication 1075 Exhibit 9, System Audit Management Guidelines, contains requirements for creating audit-related processes at both the application and system levels. Within the application, auditing must be enabled to the extent necessary to capture access, modification, deletion, and movement of FTI by each unique user. This auditing requirement also applies to data tables or databases embedded in or residing outside of the application.

    #3 Service Level Agreements and Contracts

    While the agency may not have direct control over FTI at all times, they ultimately maintain accountability while it is in the cloud, and the ownership rights over the data must be firmly established in the service contract to enable a basis for trust. A Service Level Agreement (SLA) is a mechanism to mitigate security risk that comes with the agency's lack of visibility and control in a cloud environment. It is important that agencies enter into SLAs with cloud providers that clearly identify Publication 1075 security control requirements and determine who has responsibility (provider, customer) for their implementation. At a minimum, SLAs with cloud providers must include:

    IRS Publication 1075 Exhibit 7 contract language.

    Identification of computer security requirements the cloud provider must meet. IRS Publication 1075 section 9, Computer System Security, provides the security control requirements to include in agreements with third party cloud providers.

    Identification of requirements for cloud provider personnel who have access to FTI. All cloud provider personnel with FTI access must have a

    must be certified to understand the agency's security policy and procedures for safeguarding IRS information prior to being granted access to FTI, and must maintain their authorization to access FTI through annual recertification.

    #4 Data Encryption in Transit

    IRS Publication 1075 requires encryption of FTI in transit. The agency must ensure that encryption requirements are included in contracts with third party providers. The IRS does not advocate specific mechanisms to accomplish encryption as long as they are FIPS 140-2 compliant and configured securely. Additionally, agencies must retain control of the encryption keys used to encrypt and decrypt the FTI at all times and be able to provide information as to who has access to and knows information regarding the key passphrase.

    #5 Data Encryption at Rest

    In a cloud environment, protection of data and data isolation are a primary concern. Encryption of data at rest provides the agency with assurance that FTI is being properly protected in the cloud. NIST's Draft Special Publication 800-144 recommends "Data must be secured while at rest, in transit, and in use, and access to the data must be controlled." The IRS does not advocate specific mechanisms to accomplish encryption as long as they are FIPS 140-2 compliant and configured securely. Additionally, agencies must retain control of the encryption keys used to encrypt and decrypt the FTI at all times and be able to provide information as to who has access to and knows information regarding the key passphrase.

    #6 Persistence of Data in Relieved Assets

    If a storage device fails, or in situations where the data is moved within or removed from a cloud environment, actions must be taken to ensure residual FTI is no longer accessible. The destruction or sanitization methods apply to both individual devices that have failed as well as in situations where the agency removes data from the CCE or relocates FTI to another environment.

    The technique for clearing, purging, and destroying media depends on the type of media being sanitized. Acceptable physical destruction methods would include disintegration, incineration, pulverizing, shredding, or melting. Repurposed media must be purged to ensure no residual FTI remains on the device. As there are varied approaches towards secure sanitization based on vendor specifications, cloud providers should consult their data storage vendor to determine the best method to sanitize the asset. If the storage device will no longer be in service, the residual data must be purged using Secure Erase or through degaussing using a NSA/CSS approved degausser. The cloud provider is required to notify the agency upon destroying or repurposing storage media. The agency must verify that FTI has been removed or destroyed and notify the IRS Office of Safeguards of the destruction of storage media in the agency's annual Safeguard Activity Report (SAR).

    #7 Risk Assessment: Agencies are required to conduct a risk assessment (or update an existing risk assessment, if one exists) when migrating FTI to a cloud environment. Subsequently, the risk assessment must be reviewed annually to account for changes to the environment. This implementation and an evaluation of the associated risks should be part of the risk assessment. The IRS Office of Safeguards will evaluate the risk assessment as part of the notification requirement in #1.

    #8 Security Control Implementation: Cloud providers may designate selected controls as customer defined. For customer defined security controls, the agency must identify, document, and implement the customer defined controls in accordance with Publication 1075. Implementation of some controls may need to be done in partnership with the agency's cloud provider; however, the agency has primary responsibility for ensuring it is completed.

    The agency's capability to test the functionality and security control implementation of a subsystem within a CCE is more limited than the ability to perform testing within the agency's own infrastructure. However, other mechanisms such as third-party assessments may be used to establish a level of trust with the cloud provider.

    References:

    Additional information can be obtained through the following resources:

    1. Publication 1075, Tax Information Security Guidelines for Federal, State and Local Agencies: Safeguards for Protecting Federal Tax Returns and Return Information (http://www.irs.gov/pub/irs-pdf/p1075.pdf)

    2. Federal Risk and Authorization Management Program (FedRAMP) (http://www.gsa.gov/portal/category/102371)

    3. NIST SP 800-125, Guide to Security for Full Virtualization Technologies, January 2011 (http://csrc.nist.gov/publications/nistpubs/800-125/SP800-125-final.pdf)

    4. NIST SP 800-145, The NIST Definition of Cloud Computing, September 2011 (http://csrc.nist.gov/publications/nistpubs/800-145/SP800-145.pdf)

    5. NIST SP 800-144, Guidelines on Security and Privacy in Public Cloud Computing, December 2011 (http://csrc.nist.gov/publications/nistpubs/800-144/SP800-144.pdf)