Analyzing Weak Areas of the Federal Cloud Security Program presented at DerbyCon 2014

by Vinny Troia

Summary: As businesses continue to move their infrastructure to the cloud, FedRAMP has become the standard compliance program by which companies measure the security of their cloud provider. FedRAMP, the Federal Risk and Authorization Management Program, is a derivative of FISMA and is based on a slimmed-down version of the NIST 800-53 (rev3) controls. FedRAMP is becoming the growing standard among large enterprises moving to the cloud because of its stringent security control requirements and the ongoing Continuous Monitoring required to maintain accreditation on a monthly basis.

This presentation will discuss the monthly, quarterly, and annual Continuous Monitoring requirements, my personal pain points in having successfully gone through the process, the program's pitfalls and shortcomings, and which areas penetration testers and organizations need to look out for.