Sign Kansas Travel Agency Agreement Secure

Document type sign travel agency agreement kansas secure

and is everyone having a great time so far this is a great event so again thank you for coming out today to the seventh annual Amazon Web Services public sector summit we're very excited we have a really great panel today to speak about the Department of Defense security governance and compliance this is our a track that we hold every year to talk to the defense community and share the stories from our customers and listen to some of the security best practices that we have available to our customers today so today we have a fantastic panel of cloud computing catalyst in the defense space the session is geared to learn how DoD customers today are adopting AWS utility cloud based services from the perspective of the mission owner our independent Assessor and worldwide public sector manager Amazon Web Services as we all know that public sectors requirements can be very rigorous especially in the defense community such compliance regimes such as the Department of Defense security cloud computing security guiding requirements has been made some Mason which has made some recent changes and we're gonna be talking about that today there's also a lot of things going out with a federal risk authorization management program FedRAMP we early we had an earlier session on FedRAMP accelerated and and how does that work with the DoD srg so we're gonna be talking about those topics today with our panelists and also hearing best practices lessons learned on how you can use AWS for your mission programs and if you're a partner how do you work with the defense community and what are some of the challenges that you're going through that perhaps you'll learn how to move past those challenges and work work closely with Amazon Web Services to addressing them so before we start I'd like to provide an introduction our guest panelist to my right here we have mark Fox marks Fox is Amazon Web Services worldwide public sector manager who works directly with our defense community mark has been instrumental in enabling our defense customers in using Amazon Web Services and is a graduate from the u.s. Naval Academy thank you Mark for joining us and next to mark we have Lieutenant Colonel retired Bob torch and he prefers for me to call him Bob Bob is the total ammunition management information systems known as famous project manager for the munitions divisions G 3 5 & 7 headquarters at the US Department of Army he holds a Master degree in the management in the from the Florida Institute of Technology and is a level 3 certified acquisition professional thank you Bob for joining us today and the next above we have Michael Carter the vice president of verus Group and is responsible for varus's groups FedRAMP and FISMA assessment advisory consortium as well as their cybersecurity automation and modernization and adaptive threat division service lines as part of this role he serves as the technical project lead for many of the FedRAMP engagements including being the first FedRAMP agency approved cloud service provider and the zone Web Services Michael holds a number of professional certifications and holds a bachelor's in business administration and computer information systems with James Madison University thank you all for joining us today so Bob a lot of people are going to be asking what is tameness and what does it do and why is it so important to your program well camus is the Army's munitions management capability it develops Army Ammunition requirements it prioritizes the requirements it allows units and organizations to manage those authorizations that are given them it Allah it provides for the forecasting of ammunition and the across the whole spectrum of munitions management the missiles mortars small caliber munitions everything that force would need and so it's also includes the the test munition so it's not just wartime munition or training or training munition it also includes things we do in the test community foreign ammunition and most importantly it allows soldiers to be able to request their ammunition and so soldiers request their ammunition online or digitally signing their request form and then sending it through their their chain of command for approval so you have a request or an approver to validator and they sign off on it with their electronic CAC signature and it gets routed to an ammunition supply point and that that ammunition supply point receives it bring it brings it into the warehouse system and they generate the the request for issue to the soldier as he shows up to pick up the ammunition the other key aspect of it is it does forecasting so we connect to the industrial base by sending what future requirements are back to the industrial base so they can then ship them to the locations where they're needed and at the time that they're needed Wow so I know you're an early adopter of moving to the cloud especially cloud computing technologies in the defense space how are you able to navigate culturally to Amazon Web Services brute force everything in the DoD and if you're in this room even though that it's a very big challenge to convince people and organizations that they've got to move forward well fortunately we had a senior executive in the army g3 who since moved over to another organization who saw that and he inspired directed commanded encouraged us to participate in a cloud migration pilot project and so we were one of the systems that was included in a dis six CIO pilot project and we moved we used that as the authority to move forward interestingly it was at the time that the contract vehicle we were recomputing the tamers contract and it was at that time we were just fortunate enough to be able to write the contract language into the contract that required cloud migration and and so we we've got that in there the contract was awarded to the hewlett-packard and they were the ones responsible for the for the migration of the the site to Amazon great so what type of research did you do you know as people looked at the cloud look what kind of what do you recommend for the research that you've done when you came to Amazon Web Services well well at the time that we that we were looking at this was 2014 and many in the community know that Amazon was the only one that had a PA at the time a provisional authorization that could be to our requirements so that's where there was only one choice for us but what we did do is we compared cost with we work with mitre and a couple of other organizations as part of this integrated process team and we cost it out you know what it would cost to go to dis and mil cloud what it would cost at all past what it would call another provider army own and what it would cost to go to Amazon and when we when we racked and stacked all the the dollars and cents it was clear that that Amazon's costs were much lower than mill cloud they were much lower than any other service provider could offer and so that's what we that's well that's how we ended up over at Amazon but mostly it was because Amazon was the only damn it down I mean and it's worked out very well there's been a paradigm shift in the security assessment process especially within the DoD community they went from the cloud security model and now it's the DoD cloud computing security security requirements guide a lot of folks kind of are trying to understand you know what is actually being accepted from the federal risk authorization management program in the new srg can you tell me what are the biggest misconceptions within the DoD space about srg sure so there's basically when you look at the FedRAMP program right now if I don't moderate or low level they're looking at hi there is some reciprocity being worked out between federate working out to it just the impact level 2 and then federal I would be dissin impact level for a little bit but when you go into the DoD compliance realm you're talking a lot more time a lot more just level of effort so FedRAMP at a moderate level is 325 controls when you go into level 4 you're adding an additional 35 go level 5 you add 9 more but those 35 controls are not light controls we're not talking a policy document you got to build you're getting into even more automation you're getting into some of the more Duty specific requirements this doesn't even select in any other low moderate high baselines so I think the just a level of effort to go through all that plus the time when you go into a FedRAMP and you get a FedRAMP ATO you then have to kind of start to clock with the dis over viewers because they're gonna end apparently review your package for the security requirements and that requires them to have a resource available to actually look at it they're gonna then ask questions that you're gonna have to get your Threepio to come in and basically back up what they tested then that ultimately gets pitched to the D saw group for the provisional authorization of Bob was talking about earlier so I would say just time and level of effort I mean federal itself is a large undertaking just to get into the DoD space above that I'm not saying it's the same as federal on your taking but there is additional steps you have to do so you mentioned a little for level five and level six you know what what are the differences and what does AWS already meet under this RG sure so level two is basically uncontrolled non-class information level four is control on class information and level five is as well the same thing the level five allows you to hold national security systems within the country so right now AWS has a level four authorization for gov cloud we're working on one for east-west we've tested it now kind of going through approvals and then we're also getting approaching the level five round for goth cloud as well how has the transition from the this special publication you know the risk management framework so DoD had their die cap and now they're going through RMF you know that risk management framework how does it help provide that assurance and governance around security of the cloud when you're talking to the DoD space sorry so the risk management framework it's all based on NIST controls more so from the civilian side unless you've been doing the DRM F transitions on the DoD side but it is giving that that baseline set of requirements when you're talking at DoD community they're used to seeing their their equipment they're used to granting their own throws a shion's they have to establish that level of trust with a provider like AWS so having this independent third-party assessment come in I mean we dig deep into all of our assessments we take the NIST RMF framework and basically we add a pen test we add credential scans to everything we do code reviews where applicable you are getting a more thorough assessment and ultimately your assessment reports where you can make that determination at that authorization stage of the our math framework great so this is for all the panelists we all understand as Sergey is a guidance but can you share some best practices and making risk-based decision so Bob from a mission owner perspective how did you do that you know because you I mean it's accepting our PA but then you also have to accept it for the program so what was the best practice is an approaches that you use to making that risk-based decision well I think that it's always important to be able to score and in looking at the analytics of it they're looking at a way to quantify the level of risk you're going to accept as a system owner so one of the one of the features that we are one of the requirements that I impose contractually on our contractor was to conduct static code analysis was to conduct dynamic analysis to make sure that my application itself was secure and was secure with some kind of rating so we needed to be able to rate the level of risk and so by using the scoring mechanisms in these software code tools we were able to draw some kind of inference into how secure we are I think that one of the other sort of best practices I think is to understand the SLA I understand it's it's a challenge to look at the AWS SLA because that we're just a small system owner and their SLA is almost non-negotiable but we what we look at that and it's it's very strong and I think it's important that system owners understand the level the SLA the service agreement that you're accepting by moving and by migrating to to Amazon that's fantastic and Michael from a third-party perspective what does it mean to make a risk-based decision so our job again and we're the independent third parties so we go in and basically test all the security controls that are in there conduct those scans we are going to then tabulate all those results into our security assessment report then from there you can dissect the report and figure out is it a false positive is it an operational requirement which is basically a risk based decision in the foam FedRAMP in space and from there we can work with database to identify those mitigating factors you know where is that finding in the infrastructure how many devices have that that actual failure like it is a certain plug-in from necess fails well how many devices an entire inventory so we have that ability once we go in and conduct the scans we know exactly how many hosts were actually included in that scan set and can come over those mitigating factors to then put in front of someone like Bob or his authorizing official to say based on me you know however many findings we have these are the ones we feel have enough mitigating factors to maybe downgrade it to give you that kind of ability to grant an authorization but then also put them into what we call an operational requirement which is where you're going to accept the risk and kind of continue on to grant your authorization or PA and community another thing Michael is one of the key documents that I knew from FedRAMP and also for the DoD SOG is the security assessment report and you provide briefings both to the joint authorization board and to the desaad what are some key components and the security assessment report that are valuable for the mission owner as they leverage that from a third-party assessment report sure so like Jim mentioned you know right now AWS has their ATO their initial idea was through HHS so we do HHS briefs on an annual basis on the DoD side we just recently did the D saw brief for their gov Cod package so basically getting in a room of you know anywhere between 20 to 50 people and you're presenting the package the findings that were there what's operational core just mentioned to allow them that insight - what how the security posture of the system really is and then from there you know we might pull up part of the saw I know when we do some of the HHS breeze will actually dissect the SAR so there's multiple tables in the SAR there's the findings table there's the false positive sections that you can outline they're just justifications for why something is a false positive in the case for how we test will go actually get evidence for the justification for the false positives also with the operational requirements we do the same thing there's a summary table and therefore priorities and remediation all of that gets basically translated from our SAR into the poem that Jen's team will then put together for the government agency but the goal is the SAR is supposed to be that one-stop-shop this is the summary there's an executive summary section breaks down a number of findings at each level high moderate low it then breaks it down even further to a number of high Marloes and each type of test so you got the pen test you got the scan each type of scan web database of OS if there's a source code review all that gets tabulated into that SAR so that authorizing official has everything in front of them to make that determination if they're gonna accept that risk and with the whole package and grant an authorization so I know that I hear some customers that will say well you know what kind of rigor does your third-party Assessor do I mean they do work with you they do how you guys are certified and what is your threshold to recommend AWS for and atm sure so I'll talk about our relationship first at AWS so we kind of have a little love-hate relationship y u like us in the planning stage during its it can be grueling grueling so but then when we wrap up and we go to brief I mean we're gonna brief it as a collective unit they're gonna brief their SSP all the documentation that they have their poems they write the poem and we briefed the assessment report but we all have to be on the same page or else the authorization official has no idea what exactly like who's right are they right are we right so it's been we've been doing this for four years now with Jen and her team we were I was involved in the initial authorization under HHS and you get to those meetings you do have to come as a collective unit my team I subdivide my team out so I have like Jen said in the bio description so I run the AWS Threepio assessment every year and then I have sub teams under me I have a scan team I have a pen test team and I have a control assessment team and within that we will then dissect each aspect of the actual FedRAMP assessment and it all gets correlated back up into a report and that's what's ultimately presented and when come to presentations it's normally me it's not me my lead tester from each group over in my pen test lead and that's how we show the collective unit together but we dive deep it's one of the things like my team I'll talk to my pen testers I'm big excited to test AWS I don't find anything that often but it is fun for them to test big-name clients so they kind of like raise their hand immediately when they find out they had AWS on the docket same with my team as well in the control assessment side just kind of going out seeing the culture I mean when you deal with you know a lot of people that do federal assessments came from the old FISMA government CNA background you know you deal with some government agencies and you ask them how many poems they have and they might say a thousand they might have you know five hundred highs when you're doing the federal space I mean it's basically zero highs like you you're not gonna have anything so they're very serious in how they take security and you get some cool technologies for AWS if they don't have something implemented immediate control it will build it you're not dealing with cots product they're buying they literally build the tool so it's kind of fun to go experience that and kind of dig into it that's why my team likes to kind of come out every year and do this and it's kind of an ongoing thing now we don't really ever end potato yes always test so I really like the perspective here of where Bob's you know you shared best practices you know how you came to AWS you know looking at it from a mission owner changing your contract language and then asked adding on these Keith initiatives such as filets are important to consider that leveraging a cloud provider like AWS that has a professional authorization so we talked about you know the acquisition part we talked about SLA as we talked about the security authorization Michael talking about the whole security assessment report and that whole process another topic that comes a lot within the DoD community is the cloud access point cap everyone's smiling up here I hope it's good so Bob what is the function of the cloud access point and how does the cap fit into the DoD secure cloud computing architecture everyone talking about I'll speak for DISA just a little bit the the cloud access point is its it sort of serves as a conduit to protect the dodn't the DoD network from outside forces so it does it has the the break and inspect features within there to do the security but it's required for system owners that are impact level four to connect through the cap and what also is in there is the internet access point and and it basically has the whole security stack that that is keeping me from infecting the doulton be sitting at Amazon probably well very very secure that's for sure but it's it's been a it's been a challenge to to work through the connection process it's it's very tedious there's been many meetings we're still not connected we're close we're discussing the CND requirements now and we're implementing the CND but it is extremely challenging for and even we're and again we're in the pilot phase okay so I'm a system owner perspective you know we've moved our application over to Amazon but we're not connected to the cap and so while we have the architecture that we're going to use for production that's all tuned and ready to go it's optimized with load balanced and all ready to go I'll gear it up but we're not using production data so we're not using real army data that we're using that we were maintaining still in the Pentagon so once that connection to the cap occurs and we go through that we get our ia TT our initial authorization to test then we will begin testing the connectivity to through the cap but but once quite simply what it is is it's just simply protects the doulton and it serves as a conduit for system owners to connect to the donee thank you sue mark I know you work with many customers on this can you describe the onboarding process for connecting to the cab yes so there's a few things and some of the gets into best practice for the customers that are out there and there's a few familiar faces in the room that have been through the process and various phases and fits and starts at times you know first thing is have the srg out in front of you read through it you're not going to get to it in one sitting it's a multiple thing multiple evenings that will put you to sleep but you need to get through there get your arms on the srg there's other documentation that's out there on the DISA security portal so the IAS e dot DISA dot mil that's a security portal there's a cloud section that's in there and there's plenty of documentation to include the srg old versions new versions online versions downloadable versions but other best practice guides as to how to get to the commercial cloud and to Bob's point if you're a level 4 and above you're gonna have to leverage the cap the other thing you can do that I'll kind of go back to the best practices piece of it is don't just go I'm in the UT mission owner and I want to get to cloud provider a and kind of start down that path it needs to be a multi-pronged approach there's a lot of education needs to happen upfront even and with the cap is and how it operates depending upon the CSP that you're utilizing what is the methodology that has been used to connect the CSP so from an Amazon perspective it leverage leverage is a handful of our services so how do you do obvious point how do you extend the dote and how do you connect the dote into a cloud provider for us it's a service that's referred to as Direct Connect and from there you then get into the way that your virtual private cloud your VPC needs to be architected and configured and how it connects to it so there's a lot of things that will happen the other piece that's again a bit of a foot stomp is don't pull in your authorizing official your CN DSP these other prerequisites or ultimate gonna have to approve it don't pull them in at the last minute the earlier the better that you can engage with them and in most cases now again if this is a primary adopt mill audience the people who were in that approval chain it won't be the first time they've heard of and the more that they can hear it the more that they can see it the more that they can get comfortable with what Varys dies what AWS does understanding that shared security responsibility model which oh by the way is not the same every single time so depending upon which Amazon services you're using that line of demarcation of what we are going to take care for you that are in some of the controls that the various folks understand what controls are shared controls and then which controls completely belong to the end customer the better off you're going to be it's not identical every single time so it is a journey to get through that process again one of the first things that's going to have to happen is a BCA and you talked about getting through that process that in and of itself is not a short easy process you've got to compare your cloud provider or providers to mil cloud that's out there and what's interesting I'll give you just sort of a simple metric that's in there you know just for storage for example in mil cloud it's 54 cents a gigabyte to store something that would be equivalent to object storage in AWS that typically cost around 3 cents and at first people will get a little bit infatuated with that and go wow amazoness you know in a tenth less expensive than the other but the reality is there are other things that you have to do there are things that are included in that 54 cents in Gig number that are not necessarily just included in that core 3 cents from Amazon so we were talking in the back before if you have an architecture and you're operating it in the cloud there are other shared security services and we refer to them off in its HP ss8 cast things like this it still have to be done so that three sense model or whatever the cost is it looks like it may be a ten to one ratio it is gonna go up it's not going to go up to where it's very close but it is gonna go up so you need to look at those things upfront and be seeing as well and then the connection parts of it the ports and protocols piece of it what are you ultimately connecting in the cloud to the doulton that process requires there's an ITT component to that there is the C and D SP at which I think the terminology is changing from a computer network defense to cyber defense protector I get my acronyms confused and that is so important and it's one of the biggest challenges for you folks out there today to have a C and D SP t r2 Bret says I'm in I am the one that will monitor that connection port Amos as an example to the cloud without that the cap the security tools that are there to protect the doulton there's no one listening watching and being able to react to them so again reach out early and often and in fact there's a separate event that's happening here in town right now with some of my counterparts with a handful of the CND providers just because of that the more they know and understand the better off you guys's mission customers are going to be to get to that final in the burden the burden is on the system owner so the burden for the getting obtaining that security service is on the system owner nobody's going to go out there and hand that to you so that's something that the system owners as part of the migration process have to be engaged the other piece to close that out and we've had some of the mill depths have started to go down the path a Navy has done it where how do you deal with instant response in the cloud that's ultimately going to have to be part of what goes into your ATA package I know that mr. Miller Dao for the Navy side would not sign off on an Amazon specific but a since you would have been in old days because they're doing the transition from Dai kept RMF which is a dye cap Mac too sensitive ato for eight of us without going through the tabletop exercises and incident respond instant response so either do it yourself reach out to those folks to look and leverage of what they've done that is inheritable information that could be copied and potentially improved upon as well those are great points you know you talk about I mean I think one in the security assurance realm I think it's very important from the get goes to bring the security team in early look at the architecture and understand the SOG and talk about how are we gonna make this happen because if we know that the target is this then we can come up with an effective solution that's bringing all the right key stakeholders in the beginning so those are great points mark thank you they can in their becoming your biggest supporter once they get through sort of this education process where at first they're gonna be very standoffish that's their nature in general which or somebody got there from the compliance security is out of the house over time they end up becoming the biggest proponents absolutely so mark who owns the caff architecture so today the cap architecture there is one cap architecture that DISA has so the DISA has stood up their cap without getting too deep into it it essentially DISA looked at it as a mandate and unfunded mandate that came about from the CSM eventually made it into the srg but a cap has to exist for for and above DISA didn't have people or funding to go out and build a cap so they did they looked out and I said well okay we have the IEP s which the IEP s perform a very similar function if you think of the doulton as a ring and internet access point comes out through the world by web it's there to protect the doulton from things that happen in the web so wait a second clouds out in the web let's do that the problem is when bad things are happening out in the web at times DoD will cut off the IEP and if a customer like this as an application that is mission critical in varying degrees does want to be cut off so that was part of the reason to look at an alternative way as opposed to using IPS to come up with a cap well there were these things and they still exist today that are called nipper net federated gateways or NF GS there's a couple of them that DoD DISA has utilize one out of San Antonio I think the others in Ohio but they are using as the egress point to connect to the cloud providers so DISA has that set up they have one I believe it's been run here to Virginia where it hits the amazon network you're out in Ashburn area where we have a large amount of infrastructure so it's on our network and then that will backhaul over our network out for level four to the Gov fob region which physically resides out in Oregon and then they're trying to have a second connection it will come out of Ohio so that's the cap that DISA has there's another cap that the Navy has stood up they've essentially said we have a data center in Charleston we have the requisite security stack that is at the nfg it's the same security stack that protects an application whether it is sitting in the Navy data center in Charleston or whether it is sitting outside of the data center in a commercial cloud provider so they have a security stack that's necessary for the cap and then they have gone and just like DISA acquired commercial connectivity from Charleston again that gets up to Ashburn they're also looking at alternative sites either in the Northern California area at one point in time there was we talk about connecting to Kansas City for make' tour the new Marine Corps folks out here but I believe that state to an East Coast West Coast model so there are two existing caps today once you DISA one through Navy I would say I'm looking at the counterparts here that work with Army Navy Air Force and others that every one of the services are contemplating should I could I what would be required for me to stand up my own cap whether it's a large program or PEO because the cost for the individual cap itself are essentially the infrastructure itself if you're going to get physical security appliances and then the connectivity from a handful of providers that have been approved to go ahead and do that it's not a significant cost and as you put more applications in the cloud that cost is getting shared across the board but there's a lot of pressure to have more caps to have the caps that exist today to be Enterprise already the bandwidth to handle multiple payments and much larger applications than that and it's still one of the few remaining big rocks big hurdles that's out there for DoD is to get the cap Enterprise ready very good thank you for sharing that some work we also get a quite a bit of questions regarding physical and logical separation in the defense community how would you advise the customer how to achieve that in DoD so it kind of goes to what we were talking about here on the 3psi with various you have your impact levels to think of things that are public is eg so dot mil all of us here can log in right now on our phones or laptops or iPads and hit ISC just about mil that's a level 2 system level four systems I'm going to be like Bob has their sensitive information and they're the r cui information there's some pick your acronym reason that data is not publicly available and accessible so that's generally gonna be for and and if you think of two four five and six across the board there is generally a bell curve out there how much is out there but the peak of that bell curve around level for applications fewer Level 5's if you have one you know it and then level six on the secret side is a different animal but the difference between four and five is a higher degree in those nine additional controls of physical separation that's required so at level four and again the guys seen here know me know I want to draw a picture of a server that has got n number of virtual machines that are on it and Bob's army application might be a virtual machine on their Netflix might be on there Amazon might be on their Pinterest might be on their pick whoever could be on that same physical infrastructure for level five that is not allowed level five says it has to be federal customers not state local not edu anybody else in a way I sort of describe it is it's not mills and Govs have to be on there so how do we an AWS allow and recommend customers to get the degree of physical separation required to get to level five this will be part of the discussions that we're having right now but DISA that will ultimately go up to the D saw think of the world in the cloud is broken to primary is compute and storage generally so on the storage side and anything that is in motion or at rest we say this regardless of the level whether it's 2 or 4 or anything else encrypt encrypt encrypt do it even when you're not mandated to do it and speaking to the dot mil audience or if you will you control the keys there are ways that you can use encryption that Amazon provides and that might be sufficient at some point down the road but for today or people's level of acceptances control your own keys so anything stored is encrypted which essentially means that it might have started as level 4 or 5 or 6 but if it's encrypted and NSA has backed this up that data is ciphertext and essentially can be treated as level 2 that's the storage can learn the storage component of it on the compute side when you turn on in Amazon server ec2 for the folks in the room that know that one of the check box options that you have is to get dedicated tenancy so back to that server think of it as a floor in the hotel room here and you don't know who your neighbors are and it could be anybody that's running in that Amazon region when you go to the level 5 recommendations you will check off a dedicated instance or a dedicated host just some software implications that were good for you you own that entire server there is no one else on the floor of your hotel if you will you do pay a premium for that it's not significant it's a one-time price for the entire region whether you're running one or a thousand servers and you pay about a 10 percent premium on the hourly rate so if it's a 50 cents an hour server the server might go to 55 cents an hour and you're gonna pay a couple dollars more per hour for the entire region to do that so a combination of physical separation at the compute layer and it's actually a higher degree of separation than you would normally get where it's okay to be Army Navy Air Force DHS whoever when you do dedicated instancing on that server it's just camus and his account it's not even anybody else in the army so it's a significant degree of physical separation and then encryption on the other side of it so those two components we believe would give us the mechanism get to a level five and potentially even higher in some areas that sounds great and also another thing that comes up a lot is data spillage how how have other DoD customers address data's village that you've worked with yes I think it goes back to the previous comment which is look at what you do today take your current plan as to how do you deal with data spillage and typically there's this fun process that we go through and we kind of laugh at ourselves and the folks that are the forensics people that do a data spill it's where a lot of what they do today is that I'll call it somewhat of a legacy model where they want to come into the data center they want to get that piece of hardware physically isolated ultimately probably take it out and take it back to a forensics lab and getting them over the hump of realizing that you're not coming into the data center I've been here five and a half years and Steve hurt us I've never been in an Amazon data center I have no reason or right to go into Bob data center or anybody else that's a security risk the ways that people do forensics and the cloud are actually more ways similar to what they do today shy of the physical aspect of pulling that server back into the lab with that that was part of the previous comment that the Navy had gone through they had to go through the process of bringing all the constituents together who were impacted and affected and have a role when an incident occurs being a spillage and they said okay let's tabletop it the incident just occurred whether it was a classified document was put in here or whatever may have happened and it was a lot of what what do we do first so they had to march through that process in the cloud we have responsibilities the customers have responsibilities at the end of the day what they have found out generally speaking is that they can do more from a forensic sense and response standpoint a little bit differently than the ability to what they had to do in traditional whether it's an on-premise model so they can get through it it's not something that anyone should be scared or worried about it's a little bit different and at the end of it people coming at it out everyone okay I actually can do more than what I had done before but again I'm gonna be able to stay home in some ways and do this remotely not have to the data center so we talked about three critical areas right now we talked about cap we talked about data spillage we talked about you know authorizations and also physical and logical separation you know what are some services that are available to customers our DoD customers to help them navigate through these best practices bar so that's a long one your list probably should have had that and sitting in front of me the services that are gonna support that go everything from the simplest which is I've got to do my BCA so I've got to forget a cost model so for those of you to go through and use the AWS simply monthly cactus simple monthly calculator all right what is this thing gonna cost me and you know we joke it's called the simple monthly calculator it's always simple after you've done it about six or seven times I mean right so those you do have to go through there right and Bob you guys probably have leaned on myself my peers that have done it day in and day out we will go to you and make sure did you remember to put the a cache server in there did you put this thing in there and they know by the way it only has to be a very small micro server at times and it's only gonna cost you five cents an hour but make sure you have it in here so that's an easy best practice the other one gets into specific security services that AWS has and whether it's turning on cloud trails or other services like that and I'm going to re-emphasize the word services because it actually makes our life very tough Amazon calls everything that's in the portfolio when you go into the console a service ec2 is a service s3 as a service cloud trails as a service I didn't realize that the reason we call them services is it has some tax implications but you call your products but many of these things that are called services are in fact really product features or enhancements many of them don't have cost implications to them you enable them you turn them on so if you're gonna do cloud trails and get the logs of everything that happens in the cloud everything is an API call we don't charge you to turn it on we are gonna ask you where do you want to send the logs we're gonna say you put them in s3 now you put them in s3 we're gonna hold them and we're going to charge it 368 what it may be but still very low cost to do that one of the problems that we have is that many of these things that our security services that have potentially positive implications on the security posture are not within the boundary of what has been pre-approved so part of me wants to say you can't use them which is a bad thing but the reality of it is and again I wish there were some a or in here and we do talk to them about this is even though a service is not within the boundary of what Varys has looked at and ultimately going through the D SOG and as an accredited on that piece of paper the boundary says ec2 EBS s3 etc it doesn't mean you can't use it it means that you're gonna have to have a discussion early and often with your authorizing official to say hey there's this other new security service that amazon has and if I turn this thing on I'm gonna be able to increase my security posture there isn't anything to inherit to put into your ATO package so that AO and the team we're gonna have to look at it a little bit deeper and we're working with DISA they are open to looking at a given service to say is it really a service as in their term a CSO a cloud service offering which means it must go through the sausage grinder or is it really a feature or enhancement and as long as they understand it and that's what it is they may be able to put that in the boundary so if you've got some comments on some of those specifically they've come up yeah so in our authorization package we did USC so SN golf-club each of them have the five core services ec2 EBS V PC I am in s3 that's in both of them we've recently tested over redshift is also in u.s. east-west so that's part of the boundary so we're testing redshift and Gough called now we are rolling out testing for glacier cloud watch cloud trail cloud formation SNS SWF SQS Kinesis and then we did tests and documents in a package not for approval dynamodb EMR redshift the my sequel oracle and if re in the first batch the other RDS is part of it the other one hard yes sorry too many acronyms to try to remember yeah so hopefully by the end of the year all these stuff will be rolled in and kinda has to go through the various approvals but fro you can tell your own AO is that all those are in the process of being assessed by us it's gonna be a busy summer for my team but that's okay we'll get through it yeah oh yeah and I think the point there is many of those services here at it off they are true csos the RTS there's a services that need to go through the full assessment but some of the other ones that are on the security side that are really more features and again we'll continue to kind of work on that want to try to push let's say does it really have to go through there or can we make it easier for people to enable these things that are security related services earlier having to go through the full Threepio process right and it goes back to the whole risk-based decision that we talked about so you know we're down to a couple of seconds here but before we go up I'd like to ask Bob you know he talked about you know the cap and that also being like an Enterprise Service so what is your plan about common services and do you plan on using the armies or planning to use your own well the Army has a responsibility to provide the common services they're just not ready to do that yet but I'm ready to receive them and have been for quite some time and so we keep pinging them during these IPRs but they're there Netcom has got the responsibility they're working on it they're going to get there they've got the architectures that they've proposed during the last sessions but what I've decided to do and I guess I'll mention it here is that we've decided to use another organization and so we will use another organization until such a time the army can provide that service to us and so I hope to be able to use this service to be able to connect to the cap because the the connection Authority relies upon having the Sandy the network defense pieces in place and our our network defense is kind of RIBA a robust I think I've mentioned it to some of the folks in here before about you know we're using in addition to AWS we've got the Akamai out in front of us as well and providing the site shield and Web Application Firewall and providing other services like our catalog on feature comes from Akamai so I think together with those with our CMD that we're going to be provided another organization I'm going to bring that to my a oh and say look we we've got the best we can be in order to open us up to be able to use and we'll see what she says parade well no I really think we have some really great pointers here especially talking about our authorization the whole process the kind of rigor that our independent sesor does on AWS so that the DoD mission owner understands the security of AWS the level of effort that is required as well as the different types of requirements such as cap also understanding physical and logical separation and then also understand your acquisition you know and making those risk-based decisions to move Ward you're going to have to get the right key stakeholders in the room so that you know what your target is everybody understands what you're trying to accomplish so thank you for coming today and sharing your story and best practices let's let's give them a hand thank you all right if you have questions for our panelists they'll be right over here to the left of me and you can come up and line by line and they'll be able to speak with you thank you you