Electrosoft Services Inc.
Sarbari Gupta has been active in the information security industry for over twenty years as an entrepreneur, executive, manager, consultant, system architect, researcher, and software engineer. She has a broad base of knowledge and experience in the areas of identity management, public key infrastructure, secure transactions, and system and network security. She has a B.Tech degree in Electronics from IIT, Kharagpur, India, and MS and PhD degrees in Electrical Engineering from the University of Maryland, College Park. She holds the CISSP, CISA and CAP certifications.
She has helped to write several NIST standards and guidelines, including FIPS 201 (Personal Identity Verification of Federal Employees and Contractors), Special Publication 800-63-1 (Electronic Authentication Guideline) and Special Publication 800-128 (Security Configuration Management Guideline).
Dr. Gupta has authored over twenty technical papers and presentations in refereed conferences and journals, and holds four patents in the areas of cryptographic key recovery and penetration analysis. She has participated in many standards activities, and has served as author/editor of ISO hashing standards and Open Group CDSA standards.
Through a case study, we describe the challenges and lessons learned in conducting a FedRAMP-based FISMA Assessment and Authorization (A&A) of a cloud offering. The target cloud service is an Infrastructure as a Service (IaaS) offering that will be made available to federal organizations government-wide through a GSA vehicle.
The major takeaways from this session are as follows:
a) Gain a better understanding of the challenges in interpreting the NIST SP 800-53 Rev 3 controls within a cloud infrastructure offering;
b) Understand ways to delineate the boundaries between the controls (and parts of controls) that are the responsibility of the cloud infrastructure provider versus the end customer who implements information systems on the cloud infrastructure; and
c) Understand the scalability benefits of authorizing the cloud infrastructure once and reusing the A&A artifacts for the authorization of multiple customer information systems riding on the same cloud infrastructure.