From Misconceptions To Failure - Security And Privacy In The US Cloud Computing FedRAMP Program

Presented at DeepSec 2013 "Secrets, Failures, and Visions"

In our previous analysis of "Cloud Computing (CC)" we concluded that CC is a generally misleading, marketing-driven idea born out of the need to utilize hosting services which became overly abundant after the Internet Bubble. The well-known CC models are useless, and in the case of the so-called "community cloud" model it amounts to little more than legal nonsense. In the case of implementing high-level, complex regulations like the EU General Data Protection Regulation (GDPR), CC is not only useless but, by being misleading, creates a dead-end situation in which it is not possible to identify how exactly privacy will be protected in an Internet-based distributed computing environment. However, despite numerous concerns expressed by information security professionals over CC services, the US government developed the FedRAMP program and obtained funding to move all federal information systems into a "cloud". As we identified, all "cloud" misconceptions have successfully made it into the FedRAMP documents. What should we expect from such a large-scale experiment? What will be the result of the "cloudization": wasting taxpayers' money while a few people gain politically by capitalizing on the public's inability to distinguish between new technology and technological opportunism? Or will it be the next technological step forward, advancing our ability to move and process data wherever we want? To understand what will happen, and to prevent yet another failure from being sold to the world as an achievement, we need to go deep into the analysis of the fundamental US government documents and draw our conclusions based on thorough analysis and known facts. While the rule "garbage in, garbage out" has been proven on numerous occasions, we need to prove it again, considering all of what is known as "cloud computing" and what the US federal government plans to implement. Then we can answer whether we will get new technology protecting privacy, or very costly garbage.

Presenters:

  • Mikhail A. Utin - Rubos, Inc.
    Mikhail A. Utin completed his basic engineering education in 1975 in Computer Science and Electrical Engineering. His career in Russia included working for several research and engineering organizations. Doctorate / PhD in Computer Science (1988) from the then Academy of Sciences of the USSR. From 1988 to 1990 he founded an information technology company and worked successfully in Russia's emerging private sector. He held several USSR patents and published numerous articles. He immigrated to the US with his family in 1990 to escape political turmoil, hoping to continue his professional career. In the US he has worked in the information technology and information security fields for numerous companies and organizations, including contracting for the US government DoN and DoT. Together with colleagues he formed the private company Rubos, Inc. for IT security consulting and research in 1998. The company is a member of the ISSA New England chapter. (ISC)2 certified professional for seven years. He has published articles on the Internet and in a professional journal, and is a reviewer of articles submitted to the (ISC)2 Information Security Journal: A Global Perspective. His current research focuses on information security governance, regulations and management, and the relationship between regulations, technology, business activities and businesses' security status. Most of the research is pioneering work never discussed by the information security community.
