GCN : October 2012
How to pick a secure cloud provider

Whatever an agency decides to put in the cloud, it will have to make decisions about the level of security and the types of controls it requires. Although the Federal Risk and Authorization Management Program (FedRAMP) is intended to ensure a minimum level of security as measured at one point in time, one size will not fit all.

"I don't think all (cloud service providers) will be equal just because they get FedRAMP approval," said Dave Svec, a principal at Veris Group. Agencies will have to do due diligence when selecting from among certified providers.

There are a handful of basic questions that should be considered in selecting a provider:

What is the level of security required for the services being moved to the cloud? Publicly available websites and services generally do not require the same level of security as mission critical applications and data. But they still can contain sensitive personal information and data. Knowing what activities will be hosted in the cloud and the required level of security provides a starting point for assessing potential service providers.

What kind of cloud do you want? It could be a public cloud provided by a third party, it could be a private cloud provided by the agency for itself and other agencies, or some type of hybrid. A public cloud can offer greater savings by eliminating many upfront costs, but private or hybrid clouds can offer greater control and closer management in exchange for the capital expense of the necessary hardware and software. Most cloud service providers today are focusing first on customized government-specific environments for their government customers, with less attention to mixed-use environments for government and private sector customers, said Veris Group principal Douglas Greise. An evolving service model is what Greise calls a community cloud, in which a primary service provider can acquire platform, infrastructure and software services from other providers.

Where does the cloud begin and end? Understanding the boundaries of the cloud is important, but they can be less clear than in a data center you run for yourself.

What's the physical environment? This covers a number of very basic questions. Where is the data stored within the data center? Where is the data center located and who is operating it? Is there redundancy for resiliency, load balancing and recovery?

What kind of security architecture is used? This includes a host of issues that can go beyond FedRAMP baselines, depending on the level of security required for your operations.

What's the status of the security operations center? The SOC could be managed by the service provider for its entire cloud resources and tenants, or it could be managed by the tenant for monitoring only its own activities and resources.

What configuration and update process is followed? The service provider should have in place a mature process for testing and rolling out patches and security updates, and for managing configuration and changes according to NIST and other baselines.

[datapoint]

Agencies asleep at the wheel as IPv6 deadline passes

As the deadline expired on September 30th for enabling IPv6 on government public-facing services such as websites, more than half of agencies had made no progress in the transition, according to statistics from the National Institute of Standards and Technology.

At the same time, another deadline is steadily approaching: The disappearance of new IPv4 addresses. On Sept. 14, the RIPE European and Mid-East Internet registry became the second of five Regional Internet Registries to begin allocating its final block of IPv4 addresses, triggering more stringent policies for doling out the remaining addresses. The Asia-Pacific registry reached that landmark last year, and the North American registry expects to reach it next August.

The advice to agencies is simple and obvious: Begin enabling IPv6 now. IPv4 is not going away any time soon and the millions of IPv4 addresses now in use will continue to work for the foreseeable future. But as more IPv6 addresses come into use, websites and other online resources not enabled for the new protocols could become unavailable to users of the new addresses or find themselves isolated behind chokepoints created by translation and tunneling services.

"You don't want to wait until the last minute," advises Cricket Liu, vice president of architecture at Infoblox. Deadlines aside, managing IPv6 as well as IPv4 on a network requires additional tools and skills, and agencies will need time to gain expertise before the volume of IPv6 traffic, now minuscule, begins to grow.

Completed USG IPv6 enabled domains:
55% No progress
34% In progress
11% Operational
Source: NIST @ http://usgv6-deploymon.antd.nist.gov/snap-all.html

[Briefing]