Category Archives: Security

VXLAN Traffic Trombone

I like the name given by one of the commenters on blog.scottlowe.org; it describes the traffic route in the following VXLAN example diagram:

[Diagram: VXLAN traffic trombone]

Note that even though the Windows-based workload inside the VXLAN segment now resides on a completely separate VTEP (ESXi 2, in this case), the traffic from the Linux-based workload outside the VXLAN segment continues to move through VSE 1. That’s because VSE 1 is still the Layer 3 default gateway for the IP subnet inside the VXLAN segment. Therefore—and this is where I was wrong earlier—Layer 3 connectivity is not broken, but it does have to “horseshoe” across to the other data center and then back again, as illustrated above. This is the classic traffic pattern that we see with other overlay technologies, like OTV.
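The following is an added example, not code from the original post or from Scott Lowe's write-up. It models the trombone as a toy routing calculation: each node has a data center and a subnet, and inter-subnet traffic that enters or leaves the VXLAN segment must transit whichever VSE is that segment's Layer 3 gateway. The node names, the segment name "vxlan-5001", the placement of the Linux VM in DC2 and the hypothetical "VSE 2" are all assumptions made for the illustration; the physical side is assumed to route directly.

```python
"""Toy model of the VXLAN "traffic trombone": inter-subnet traffic into or out
of a VXLAN segment has to transit that segment's Layer 3 default gateway, no
matter which VTEP the destination VM has been migrated to.
Added example; topology names and placements are assumptions."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Node:
    name: str
    dc: str      # data center the node sits in
    subnet: str  # subnet the node belongs to; for a VSE, the subnet it fronts


# Constructed topology (assumed, not data from the post): the Windows VM has
# been migrated to ESXi 2 in DC2 while VSE 1 in DC1 remains the gateway; the
# Linux VM is assumed to sit in DC2 too, outside the VXLAN segment.
VSE1 = Node("VSE 1", "DC1", "vxlan-5001")
VSE2 = Node("VSE 2", "DC2", "vxlan-5001")   # hypothetical gateway local to DC2
WINDOWS = Node("Windows VM (ESXi 2)", "DC2", "vxlan-5001")
LINUX = Node("Linux VM", "DC2", "physical-net")


def route(src, dst, gateways):
    """Hop list for a packet from src to dst.

    gateways maps a VXLAN subnet to the node acting as its L3 gateway.
    Same-subnet traffic is switched directly between VTEPs. Traffic that
    crosses the VXLAN boundary passes through the segment's gateway, which
    encapsulates or decapsulates it; the physical side routes directly.
    """
    if src.subnet == dst.subnet:
        return [src, dst]
    if src.subnet in gateways:
        return [src, gateways[src.subnet], dst]   # leaving the VXLAN segment
    if dst.subnet in gateways:
        return [src, gateways[dst.subnet], dst]   # entering the VXLAN segment
    return [src, dst]


def dci_crossings(path):
    """Number of times the path traverses the data-center interconnect."""
    return sum(1 for a, b in zip(path, path[1:]) if a.dc != b.dc)


def round_trip_crossings(a, b, gateways):
    """DCI traversals for a request from a to b plus the reply from b to a."""
    return (dci_crossings(route(a, b, gateways))
            + dci_crossings(route(b, a, gateways)))


def describe(a, b, gateways):
    hops = route(a, b, gateways)
    path = " -> ".join(f"{n.name}[{n.dc}]" for n in hops)
    return f"{path}  (DCI crossings: {dci_crossings(hops)})"


if __name__ == "__main__":
    trombone = {"vxlan-5001": VSE1}   # gateway stayed behind in DC1
    local = {"vxlan-5001": VSE2}      # gateway placed with the workload
    print(describe(LINUX, WINDOWS, trombone))
    print(describe(LINUX, WINDOWS, local))
```

With VSE 1 as the gateway the Linux-to-Windows path is Linux VM[DC2] -> VSE 1[DC1] -> Windows VM[DC2], two interconnect crossings each way; moving the gateway function to DC2 drops that to zero, which is the design lever behind distributed or per-site gateways.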

Humor: Pentest Storytelling

From Bruce Schneier’s blog, an unverified story about breaking into banks and then asking them to pay for consulting. Warning: this is generally considered illegal (there is no formal pre-authorization) and could easily lead to arrest.

Spoiler alert: women are characterized as emotional, unstable and irrational, men as cool under pressure and smooth. So the story is clearly embellished with a particular bias.

Also strange is how the story starts out bold on technology attacks, to the point of being unsatisfactorily vague and boastful (I expected him to say next that he had also been in the special forces and had traveled to Mars), but then shifts into a description of a physical assessment that is laden with pre-authorization, deniability and constant worry about proving their innocence.

FedRAMP Launched with Memo to CIOs

The recently appointed Federal Chief Information Officer, Steven VanRoekel, serving the U.S. Office of the President, has formally launched FedRAMP with a memorandum issued today called “Security Authorization of Information Systems in Cloud Computing Environments” (PDF).

Note the use of “shall”:

d. Each Executive department or agency shall:

i. Use FedRAMP when conducting risk assessments, security authorizations, and granting ATOs for all Executive department or agency use of cloud services;

ii. Use the FedRAMP PMO process and the JAB-approved FedRAMP security authorization requirements as a baseline when initiating, reviewing, granting and revoking security authorizations for cloud services; (For all currently implemented cloud services or those services currently in the acquisition process prior to FedRAMP being declared operational, security authorizations must meet the FedRAMP security authorization requirement within 2 years of FedRAMP being declared operational.)

iii. Ensure applicable contracts appropriately require CSPs to comply with FedRAMP security authorization requirements;

iv. Establish and implement an incident response and mitigation capability for security and privacy incidents for cloud services in accordance with DHS guidance;

v. Ensure that acquisition requirements address maintaining FedRAMP security authorization requirements and that relevant contract provisions related to contractor reviews and inspections are included for CSPs;

vi. Consistent with DHS guidance, require that CSPs route their traffic such that the service meets the requirements of the Trusted Internet Connection (TIC) program; and

vii. Provide to the Federal Chief Information Officer (CIO) annually on April 30, a certification in writing from the Executive department or agency CIO and Chief Financial Officer, a listing of all cloud services that an agency determines cannot meet the FedRAMP security authorization requirements with appropriate rationale and proposed resolutions.

FedRAMP selects a different set of security controls than the standard NIST Special Publication 800-53 (as amended), Recommended Security Controls for Federal Information Systems and Organizations. It also differs from the Consensus Audit Guidelines (CAG), which I explained in detail recently at the ISACA-SF conference (“Risks and Controls in Cloud Computing”) and last June on the Focus Roundtable Podcast (“FISMA Clouds in 2011: Fact or Fiction?”). For example, look at the NIST SP 800-53 moderate requirements for Configuration Management – Baseline Configuration:

Moderate Control          800-53R3         CAG v2.3            FedRAMP
Baseline Configuration    CM-2(1)(3)(4)    CM-2(1)(2)(4)(5)    CM-2(1)(3)(5)


Risk Assessment – Vulnerability Scanning is another good example:

Moderate Control          800-53R3    CAG v2.3                        FedRAMP
Vulnerability Scanning    RA-5(1)     RA-5(a)(b)(1)(2)(4)(5)(6)(9)    RA-5(1)(2)(3)(6)(9)


I mapped all 170 or so controls because I found that many people were unaware of the deltas. I’m still using CAG 2.3, but 3.0 was released a couple of months ago. The theory, of course, is that the list of controls selected for FedRAMP is based on a risk model/assessment specific to cloud. The memo applies to essentially all things cloud in the U.S. Federal space.
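The delta mapping described above is the kind of check that is easy to get wrong by eye across 170 controls. The following is an added example, not the author's mapping or any FedRAMP PMO tooling: it parses control identifiers of the form used in the tables above (base control plus parenthesized enhancements, with the CAG's lettered statement parts such as "(a)(b)" kept separate from numbered enhancements) and reports what each framework adds to or drops from the 800-53R3 moderate baseline. The two rows are taken from the tables on this page; the function and field names are my own.

```python
"""Parse control identifiers like "CM-2(1)(3)(4)" and compute the enhancement
deltas between baselines. Added example; the two rows below are the ones
shown in the tables above, everything else is illustrative naming."""
import re
from dataclasses import dataclass

# e.g. "RA-5(a)(b)(1)(2)": family-number followed by zero or more (item) groups
_CTRL = re.compile(r"^([A-Z]{2}-\d+)((?:\([a-z0-9]+\))*)$")
_PART = re.compile(r"\(([a-z0-9]+)\)")


@dataclass(frozen=True)
class Control:
    base: str                 # e.g. "RA-5"
    enhancements: frozenset   # numbered enhancements, e.g. {"1", "2"}
    parts: frozenset          # lettered statement parts, e.g. {"a", "b"}


def parse(identifier):
    """Split an identifier into base control, enhancements and statement parts."""
    m = _CTRL.match(identifier.replace(" ", ""))
    if not m:
        raise ValueError(f"unrecognised control identifier: {identifier!r}")
    items = _PART.findall(m.group(2))
    return Control(
        base=m.group(1),
        enhancements=frozenset(i for i in items if i.isdigit()),
        parts=frozenset(i for i in items if i.isalpha()),
    )


def delta(reference, other):
    """Enhancements that `other` adds to and drops from `reference`.

    Lettered parts are deliberately excluded: "(a)(b)" in the CAG column
    refers to the control statement, not to enhancements, so counting them
    would inflate the CAG delta."""
    a, b = parse(reference), parse(other)
    if a.base != b.base:
        raise ValueError(f"comparing different controls: {a.base} vs {b.base}")
    return {
        "added": sorted(b.enhancements - a.enhancements, key=int),
        "dropped": sorted(a.enhancements - b.enhancements, key=int),
    }


# Constructed from the two moderate-baseline rows shown above.
ROWS = {
    "Baseline Configuration": {
        "800-53R3": "CM-2(1)(3)(4)",
        "CAG v2.3": "CM-2(1)(2)(4)(5)",
        "FedRAMP": "CM-2(1)(3)(5)",
    },
    "Vulnerability Scanning": {
        "800-53R3": "RA-5(1)",
        "CAG v2.3": "RA-5(a)(b)(1)(2)(4)(5)(6)(9)",
        "FedRAMP": "RA-5(1)(2)(3)(6)(9)",
    },
}


def deltas_vs(reference, rows=ROWS):
    """For every row, the delta of each other framework against `reference`."""
    out = {}
    for name, frameworks in rows.items():
        out[name] = {
            fw: delta(frameworks[reference], ident)
            for fw, ident in frameworks.items()
            if fw != reference
        }
    return out


if __name__ == "__main__":
    for name, per_framework in deltas_vs("800-53R3").items():
        for fw, diff in per_framework.items():
            print(f"{name:24} {fw:9} +{diff['added']} -{diff['dropped']}")
```

Run against the two rows, FedRAMP swaps enhancement (4) for (5) on CM-2 and adds (2), (3), (6) and (9) on RA-5 relative to the 800-53R3 moderate baseline, which is exactly the sort of gap an agency's existing ATO evidence would not cover. Extending ROWS to the full mapping is a matter of adding rows in the same identifier format.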

This memorandum is applicable to:

a. Executive departments and agencies procuring commercial and non-commercial cloud services that are provided by information systems that support the operations and assets of the departments and agencies, including systems provided or managed by other departments or agencies, contractors, or other sources;

b. All cloud deployment models (e.g., Public Clouds, Community Clouds, Private Clouds, Hybrid Clouds) as defined by NIST; and

c. All cloud service models (e.g., Infrastructure as a Service, Platform as a Service, Software as a Service) as defined by NIST.

And it gives four deadlines:

  • 30 days – CIO Council will publish the FedRAMP security controls derived from NIST SP 800-53
  • 60 days – concept of operations (CONOPS) will be published
  • 90 days – security experts appointed from the DHS, DOD, and GSA will publish a charter with governance model
  • 180 days – FedRAMP PMO will provide FedRAMP operational capability

It looks to me as though “currently implemented cloud services or those services currently in the acquisition process” are being granted two and a half years before they shall use FedRAMP as described in this memo. In other words, Federal agencies have 180 days to start acquiring cloud services (to qualify for the two-year exception), or cloud services acquired after June 2012 shall use FedRAMP.

Children’s Cereals Fail Nutrition Test

The Environmental Working Group reviewed nearly 100 cereals and found many that are more than 50% sugar by weight (more than cakes and cookies) but are still marketed as children’s food.

A one-cup serving of [Kellogg’s] Honey Smacks packs more sugar than a Hostess Twinkie…

Most children’s cereals fail to meet the federal government’s proposed voluntary guidelines for foods nutritious enough to be marketed to children. Sugar is the top problem, but many also contain too much sodium or fat or not enough whole grain.

Full report (PDF)

Apparently not much has changed since 2008, when Consumer Reports reported basically the same thing: Kellogg’s Honey Smacks had more sugar than donuts.

Are you one of those adults who keep a box of Frosted Flakes or Froot Loops hidden in the cupboard? Such sugary cereals are heavily marketed to children, to the tune of about $229 million advertising dollars per year. But an estimated 58 percent of “children’s” cereals are consumed by the over-18 crowd.

[…]

The bad news is that 23 of the top 27 cereals marketed to children rated only Good or Fair for nutrition. There is at least as much sugar in a serving of Kellogg’s Honey Smacks and 10 other rated cereals as there is in a glazed doughnut from Dunkin’ Donuts.