FedRAMP℠ Helps Government Agencies Jumpstart their Journey to the Cloud

Akamai White Paper

FedRAMP: Federal Risk and Authorization Management Program


Table of Contents

Introduction
FedRAMP Overview
Akamai and FedRAMP
FedRAMP-certified Akamai Components and Boundaries
Next Steps for Government Agencies


Introduction

In December 2010, the U.S. Chief Information Officer (CIO) released the “25-Point Implementation Plan to Reform Federal IT Management” as part of a comprehensive effort to increase the operational efficiency of federal technology assets. One element of the 25-Point Plan is for agencies to shift to a “Cloud First” policy, which is being implemented through the Federal Cloud Computing Strategy. Today, government agencies are making inroads in shifting to the Cloud First policy, which requires federal agencies to (1) implement cloud-based solutions whenever a secure, reliable, and cost-effective cloud option exists; and (2) begin reevaluating and modifying their individual IT budget strategies to include cloud computing.

Still, there are challenges facing agencies as they make this shift. For example, some agency CIOs have said that, in spite of the stated security advantages of cloud computing, they are concerned about moving their data from data centers they manage and control to outsourced cloud services. This trust gap needs to be addressed, and the FedRAMP program provides a key pillar for addressing it. FedRAMP, which has the goal of providing the “best in government” validation of cloud solution security controls, enables agencies to move more swiftly to cloud-based vendor solutions that comply with and participate in the FedRAMP process. FedRAMP facilitates the award of agency-specific Authorities to Operate (ATOs), at a fraction of the time and cost normally required, for U.S. Government agencies and compliant Cloud Service Providers.

As one of the initial Cloud Service Providers to receive a Provisional Authority to Operate (P-ATO) from FedRAMP, Akamai encourages government agencies to learn how leveraging FedRAMP can help agencies save time and money, improve security and efficiency, and more quickly take advantage of the power of the Cloud.

FedRAMP Overview

FedRAMP is a government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services. This approach uses a “do once, use many times” framework designed to save the costs, time, and personnel required to conduct agency security assessments.

The objective of FedRAMP is threefold:

1. Ensure that information systems/services used government-wide have adequate information security;

2. Eliminate duplication of effort and reduce risk management costs;

3. Enable rapid and cost-effective procurement of information systems/services for federal agencies.

These objectives are designed to accomplish the following FedRAMP goals:

• Accelerate the adoption of secure cloud solutions through reuse of assessments and authorizations;

• Increase confidence in the security of cloud solutions;

• Achieve consistent security authorizations using a baseline set of agreed-upon standards for cloud solution approval in or outside of FedRAMP;

• Ensure consistent application of existing security practices;

• Increase confidence in security assessments;

• Increase automation and near real-time data for continuous monitoring.


Some of the major benefits of FedRAMP include:

• Increased re-use of existing security assessments across agencies;

• Significant savings in terms of cost, time and resources (do once, use many times);

• Improved real-time security visibility;

• Increased uniformity in risk-based security management;

• Enhanced transparency between government and Cloud Service Providers (CSPs);

• Better trust, reliability, consistency, and quality in the federal security authorization process.

FedRAMP is the result of close collaboration with cyber security and cloud experts from GSA, NIST, DHS, DoD, NSA, OMB, the Federal CIO Council and its working groups, as well as private industry. Agencies or Cloud Service Providers (CSPs) can initiate the FedRAMP assessment process. This process begins a security assessment using the FedRAMP requirements (which are FISMA-compliant and based on NIST SP 800-53 Rev. 3) and initiates a vendor/government collaboration coordinated via the FedRAMP PMO.

CSPs must implement the FedRAMP security requirements within their environments, and hire a FedRAMP-approved Third Party Assessment Organization (3PAO) to perform an independent assessment and audit of the vendor’s cloud system. This results in the delivery of a security assessment package for review by the appropriate stakeholders.

The FedRAMP Joint Authorization Board (JAB) reviews security assessment packages based on a prioritized approach and may grant a provisional authorization. Federal agencies can leverage CSP authorization packages for review when granting an agency-specific Authority to Operate (ATO).

Akamai and FedRAMP

Akamai received a Provisional Authority to Operate (P-ATO) from the Joint Authorization Board (JAB) of the Federal Risk and Authorization Management Program (FedRAMP) on August 22, 2013. This is the first JAB P-ATO granted to a globally-distributed, publicly-shared cloud services platform. Agencies can leverage Akamai cloud services directly or use them to front-end other FedRAMP-compliant data center solutions. Often referred to as “FedRAMP to the power of two,” this model offers an end-to-end FedRAMP-compliant solution that is designed to make it easier for U.S. government agencies to use shared cloud services in support of their computing initiatives. By taking this approach, government agencies can strengthen their security posture, improve availability, and provide greater visibility and application access to the end user.

Because our solution often serves as the “first touch” for government agency constituents, Akamai takes its commitment to FedRAMP very seriously. From customer-facing services and content delivery solutions to the internal mechanisms used to manage and maintain the Akamai Content Delivery Network (CDN), everything our government customers use and need has been certified. The Akamai boundary is the broadest set of offerings that FedRAMP has provisioned to date. We felt this commitment was crucial to ensure our government customers can leverage Akamai solutions with confidence. Akamai’s FedRAMP solutions have been certified and are part of the FedRAMP program of continuous monitoring.

Government organizations can trust the Akamai Intelligent Platform™ as the foundation for their cloud computing projects. Akamai enables agencies to move forward confidently with a “Cloud First” strategy that improves the security, performance, and scale of their cloud-based solutions. Akamai has remained committed to serving public sector cloud solution needs, such as DNSSEC, IPv6 and HIPAA compliance, and we continue to demonstrate that commitment with the award of our FedRAMP P-ATO.


FedRAMP-certified Akamai Components and Boundaries

Throughout the FedRAMP System Security Plan (SSP) documentation and control responses, the use of the system name, Akamai Content Delivery Network (CDN), is inclusive of the system components and boundaries used to provide customer-facing services as well as the Akamai internal mechanisms used to manage and maintain the Akamai CDN. Both the customer-facing services and the Akamai internal mechanisms that constitute the accreditation boundary are described in “Akamai CDN SSP Section 9.2,” located in the FedRAMP repository.

Services provided by Akamai that meet the FedRAMP security requirements and are covered by the Provisional Authority to Operate (P-ATO) granted by the Joint Authorization Board (JAB) include:

• Content Delivery: The Akamai Intelligent Platform resolves end user requests for content using a massive server infrastructure with more than 140,000 servers deployed in more than 1,000 ISP networks in over 90 countries worldwide.

• Secure Content Delivery: Information protected by SSL/TLS is delivered over HTTPS from a dedicated, highly secure portion of the Akamai CDN. The secure CDN was designed by Akamai’s security experts to meet robust levels of physical, network, software and procedural security.

• NetStorage: Akamai’s globally-distributed NetStorage service is an alternative upload repository for customers that require on-demand scalability for their asset uploads. NetStorage provides multiple petabytes of storage capacity and replicates files for effective scaling and high availability. Files uploaded to NetStorage are available for immediate HTTP(S) download by Internet users.

• On-Demand and Live Streaming HD Network: The Akamai HD Network leverages the tested and proven Akamai Intelligent Platform. With this highly decentralized network deployed deep into regional and local ISP networks, video is served from as physically close to consumers as possible, enabling fast video start-up times, high availability, and superior performance.

• Global Traffic Management Service: Global Traffic Management (GTM) can be combined easily with other Akamai services to provide powerful and highly-available web delivery solutions. GTM offers different modules for traffic control in a variety of situations. All modules are built on a common fault-tolerant, globally-distributed name server infrastructure.

• Enhanced Domain Name System: Akamai’s Enhanced Domain Name System (DNS) service provides enterprise websites with a robust, reliable, and scalable outsourced DNS solution designed to dependably direct end users to enterprise website applications. Using a secondary DNS approach, Enhanced DNS makes it possible for enterprises to leverage a distributed network of DNS servers while retaining their existing management and update processes for DNS zone administration. Customers using Enhanced DNS can enable DNSSEC.

• Luna Control Center: As the Akamai customer portal interface, the Luna Control Center offers flexible organization, interactive reporting and diagnostic tools to proactively research, troubleshoot, and resolve anomalies. Accessed via HTTPS, it lets customers monitor activity, configure and administer Akamai solutions, deploy and manage content, analyze business-critical information, resolve issues, plan events, and collaborate with the Akamai team.


The following Akamai internal mechanisms are also included in the Akamai CDN accreditation boundary:

• Key Management Infrastructure: The Key Management Infrastructure (KMI) is Akamai’s standardized system for the generation, escrow, distribution, and access control of private information.

• Authgate: Akamai’s authorization gateway, Authgate, verifies that users are connected to the Akamai corporate network. It also verifies that they are connected from a computer with an Akamai certificate, have an SSH key that matches their identity, and are permitted to connect to the machine they wish to access.

• Alert Management System: The Alert Management System (AMS) oversees Akamai’s deployed networks in real time and sends alerts to Akamai’s Network Operations Command Center (NOCC), which runs continuously. Logs are stored for forensic purposes and are accessible via a reporting tool.

• Akamai’s Domain Name Servers: Akamai operates a dynamic DNS that returns answers computed on the fly. A typical use is to return the IP address of a server that is assigned dynamically, given current conditions on the Internet.

• Network Operations Command Center: The NOCC is distributed across three locations: Bangalore, Cambridge and San Mateo. The Akamai NOCC enables proactive monitoring and troubleshooting of all servers in the global Akamai network.

[Figure: Akamai Content Delivery Network Accreditation Boundary. Inside the boundary: Akamai Content Delivery Edge Servers, Akamai Secure Content Delivery Edge Servers, Akamai Secure Edge Computing Servers, Akamai NetStorage, Akamai Enhanced Domain Name Servers, Akamai Luna Control Center (https://control.akamai.com), Akamai Domain Name Servers, Akamai Global Traffic Management (GTM) Servers, and Akamai Streaming Edge Servers. Also included in the FedRAMP accreditation boundary: the Akamai internal systems KMI, Authgate and AMS, and the Akamai NOCC. Outside the boundary: the public user and the public user’s local name server; the Internet (ISPs, telecom datacenters and non-Akamai networks); the customer’s authoritative name server; and the customer application origin or hosting provider.]

NOTE: The Akamai accreditation boundary does NOT include ISPs, non-Akamai owned datacenters, or the Internet.


Next Steps for Government Agencies

Now that FedRAMP and Cloud Service Providers are doing the heavy lifting in standardizing security assessment, authorization, and continuous monitoring for cloud products and services, government agencies can use the FedRAMP repository, review the extensive documentation, and leverage the P-ATO designation to streamline their process for issuing agency-specific ATOs. FedRAMP serves as the baseline for initiating, reviewing, granting, and revoking security authorizations for cloud services in an efficient and robust manner.

Federal agencies must use the baseline controls and accompanying FedRAMP requirements (templates, test cases, guidance) when leveraging assessments and authorizations or initiating assessments for cloud services.

Prior to procuring a new cloud service or conducting an assessment and authorization of an existing cloud service, check the FedRAMP repository to see if it already contains an assessment package for a cloud system the agency is using or might procure. If a cloud service is in the FedRAMP repository, federal agencies can leverage the security assessment package to make their own risk-based decision regarding whether or not to use that cloud system.

If an agency selects a cloud service not listed in the FedRAMP repository, the agency must follow the FedRAMP-approved security assessment process to grant an Authority to Operate (ATO). Federal agencies may do this by initiating the process with the FedRAMP PMO and JAB, or by completing the FedRAMP process within their respective agency.

Once an agency has completed the assessment of the cloud service and granted an ATO, the agency must submit the completed security assessment package to the FedRAMP PMO for inclusion in the FedRAMP repository. The repository provides a central location for security assessment packages for cloud solutions meeting FedRAMP requirements, which can then be leveraged by other federal agencies.

Complete FedRAMP templates can be accessed at www.fedramp.gov


©2015 Akamai Technologies, Inc. All Rights Reserved. Reproduction in whole or in part in any form or medium without express written permission is prohibited. Akamai and the Akamai wave logo are registered trademarks. Other trademarks contained herein are the property of their respective owners. Akamai believes that the information in this publication is accurate as of its publication date; such information is subject to change without notice. Published 01/15.

Akamai is headquartered in Cambridge, Massachusetts in the United States with operations in more than 40 offices around the world. Our services and renowned customer care enable businesses to provide an unparalleled Internet experience for their customers worldwide. Addresses, phone numbers and contact information for all locations are listed on www.akamai.com/locations.

Akamai® is a leading provider of cloud services for delivering, optimizing and securing online content and business applications. At the core of the company’s solutions is the Akamai Intelligent Platform™, providing extensive reach coupled with unmatched reliability, security, visibility and expertise. Akamai removes the complexities of connecting the increasingly mobile world, supporting 24/7 consumer demand, and enabling enterprises to securely leverage the cloud. To learn more about how Akamai is accelerating the pace of innovation in a hyperconnected world, please visit www.akamai.com or blogs.akamai.com, and follow @Akamai on Twitter.