Linking the Cloud to Continuous Monitoring

A Perfect Fit: Continuous Monitoring and Cloud Initiative

By , February 20, 2012.

NIST information risk management evangelist Ron Ross sees continuous monitoring playing a vital role in securing cloud computing.

The Federal Risk and Authorization Management Program known as FedRAMP [see Feds Explain How FedRAMP Will Work] fits very nicely with continuous monitoring by allowing agencies to define good sets of security requirements for cloud computing providers, Ross says in an interview previewing a presentation he will make at the RSA Conference 2012 in San Francisco later this month.


"When any federal information is moved to the cloud, we can be sure that the appropriate security controls are implemented on behalf of the cloud provider and their environment of operations," says Ross, a National Institute of Standards and Technology senior computer scientist who led a team that wrote the latest revision of NIST Special Publication 800-53, which will be unveiled at the security conference.

"The FedRAMP program," Ross says in the interview with Information Security Media Group, "integrates the continuous monitoring aspect of our new paradigm into the cloud service provider. Once those controls are deployed under the FedRAMP program and the cloud provider's environment, there will be a continuous data feed back to the federal agencies that are using those cloud services to make sure they can keep up with the security state of that cloud provider's systems over time. It is a very important effort. Not only do we help to save significant resources by having this notion of authorizing once and using many times, but it also allows us to get to that near real-time continuous monitoring approach that we think is so important for the future, especially with the kinds of threats that we are facing today."

Though the FedRAMP initiative is designed for federal agencies to vet cloud providers and assure their security, the concept behind it and other information risk management and continuous monitoring guidance could be applied to other types of governments such as local and state as well as to the private sector. "We write all of our standards and guidelines so they can be implemented on a voluntary basis by private sector organizations, and I happen to feel that a lot of the first principles, the best practices that come out of our standards and guidelines are very applicable to the private sector, because at the end of the day we're all using basically the same information technology," Ross says.

In the interview, Ross:

  • Defines continuous monitoring, and explains its importance to IT security.
  • Explains how continuous monitoring is integrated into the FedRAMP process.
  • Previews NIST's introduction of revision 4 of Special Publication 800-53, which includes new security and privacy controls [see NIST Guidance: More Emphasis on Privacy].

Ross leads NIST's Federal Information Security Management Act compliance team. A graduate of the United States Military Academy at West Point, Ross served in a variety of leadership and technical positions during his 20-year career in the Army. During his military career, Ross served as a White House aide and as a senior technical advisor to the Department of the Army. He is a graduate of the Program Management School at the Defense Systems Management College and holds a master's degree and a Ph.D. in computer science from the United States Naval Postgraduate School.

Defining Continuous Monitoring

ERIC CHABROW: Please define continuous monitoring.

RON ROSS: Continuous monitoring is an approach that allows organizations to take ownership of this whole process of what we call authorization or the risk acceptance process. In essence, you decide what controls you want to deploy within your information system and the environment of operations where that system operates.
