CLOUD-BASED CUSTOMER EXPERIENCE MANAGEMENT

SOLUTIONS FOR GOVERNMENT AGENCIES

Opportunities and Challenges of Certifying Cloud-Based

Solutions for U.S. Federal Government Civilian Agencies

©2009 RightNow Technologies. All rights reserved. RightNow and RightNow logo are trademarks of www.rightnow.com
RightNow Technologies Inc. All other trademarks are the property of their respective owners. 9007
CLOUD-BASED CUSTOMER EXPERIENCE MANAGEMENT
SOLUTIONS FOR GOVERNMENT AGENCIES

TABLE OF CONTENTS
Introduction .......... 1

Cloud Computing Fundamentals .......... 3

How We Approached C&A .......... 3

Challenges We Faced in Working Through Our C&A .......... 4

Lessons Learned in Working Through The Challenges .......... 5

Conclusion .......... 7

Authors .......... 9

About SecureForce .......... 9

About RightNow Technologies .......... 9

www.rightnow.com
 INTRODUCTION
RightNow Technologies
RightNow is a provider of cloud-based customer experience management solutions that
help consumer-centric organizations deliver exceptional customer experiences across the
web, social networks, and contact centers. Founded in 1997, RightNow is headquartered
in Bozeman, Montana, employs more than 800 people, and with more than eight billion
customer interactions delivered, RightNow is the customer experience fabric for nearly
2,000 organizations around the globe. RightNow is listed on the NASDAQ under the
symbol RNOW. Over 170 public sector clients, including nearly every US cabinet level
agency, Army, Marines, Air Force, members of the Intelligence Community and DoD, rely
on RightNow CX to deliver real-time information, when and where it’s needed.
RightNow CX, the Customer Experience Suite
RightNow CX is a total customer experience solution for consumer-centric organizations
serious about enabling superior interactions across web, social, and contact center
touchpoints. RightNow’s customer experience solutions give agencies the ability to
coordinate disparate resources, including people and technology, across the organization
to develop, rapidly execute, and manage a comprehensive customer experience strategy.
RightNow CX applications address the three experiences that matter most (see diagram
below), ensuring a seamless multi-channel (web, voice, chat, etc.) experience, regardless of
the number or type of customer interactions initiated.

RightNow Government Cloud

To serve its U.S. Federal Government customers, RightNow has built a dedicated private
cloud infrastructure from the ground up to provide enhanced security and satisfy regulatory
compliance requirements. Deployed in a Tier 4 datacenter, the RightNow Government

1
www.rightnow.com
Share This
 Cloud offers logical separation of tenants and other controls necessary to provide the
security, high availability, and redundancy equivalent to our commercial offering. The
Government Cloud has been designed to satisfy the control requirements for the National
Institute of Standards and Technology (NIST) 800-53 “moderate” baseline. Control
implementation and compliance status has been independently verified and documented by
a third party.

SECUREFORCE
SecureForce, LLC (SecureForce) is a Washington, DC Metro area based
cybersecurity firm that has extensive experience supporting the U.S. Government.
SecureForce has provided security engineering, Certification and Accreditation
(C&A), security assessment, and security operations support to a broad customer
base, including Federal Civilian agencies, the Department of Defense, and the
Intelligence Community. SecureForce has performed numerous C&As leveraging
the processes outlined in NIST 800-37, NIACAP, DIACAP and DCID 6/3.
RightNow and SecureForce have partnered to ensure government compliance
requirements are integrated throughout the lifecycle of the RightNow Government
Cloud offering and a comprehensive C&A package is developed for each product
release.

The Demand for Cloud Computing

We have seen an increasing demand for cloud computing resources to be made available
in all enterprises globally. Very recently, the demand and interest for cloud computing
resources in the Federal Government has increased tremendously. Increasingly, there is a
need to offer cloud-based services to the Federal Government that have historically only
been available to the private sector.
The Goal of this Document
RightNow and SecureForce have spent the last year and a half working through the
complexities of certifying a cloud computing infrastructure against the moderate baseline of
the NIST 800-53 control framework. Throughout this process we have identified a number
of security controls that were not written with a cloud computing environment in mind.
In this document we provide some insight into the high-level challenges that we have
faced throughout this process, along with some of our findings, to raise the visibility for
other cloud computing vendors who may be thinking about providing services to the
Federal Government. We’ve also positioned this document to provide cloud computing
buyers lessons learned with the goal of increasing awareness of the obstacles associated with
performing C&A in the cloud.
..........

2
www.rightnow.com
Share This
 CLOUD COMPUTING FUNDAMENTALS
In accordance with the NIST Definition of cloud computing (http://csrc.nist.gov/groups/
SNS/cloud-computing/), cloud-based services can be offered via one of three service models.

Infrastructure Cloud (IaaS)

Infrastructure services in the cloud. This type of cloud vendor will typically provide the
processing, storage, and network infrastructure. Examples of IaaS vendors are:
·· Amazon EC2 and S3
·· OpsSource
·· Rackspace
Platform Cloud (PaaS)
Cloud providers in this category typically provide either an application development
platform, or a raw operating environment from which to house your applications. Vendors
in the platform cloud could, in theory, be utilizing IaaS from another vendor underneath
the covers. Examples of PaaS vendors are:
·· Microsoft Azure
·· Boomi
·· Google App Engine
Application Cloud (SaaS)
SaaS vendors are providing an actual application to their customers, typically delivered via
web technologies such as Web 2.0 or smart client technology. SaaS vendors could, in theory,
be utilizing both a PaaS vendor for delivery of their service and an IaaS vendor for the
underlying infrastructure. Examples of SaaS vendors are:
·· RightNow Technologies
·· Concur
·· MessageLabs

HOW WE APPROACHED C&A

RightNow recognizes that meeting Federal Information Security Management Act (FISMA)
compliance is a cost of doing business with the Federal Government. Furthermore,
RightNow acknowledges the expectation of the government that vendors should be
responsible for demonstrating FISMA compliance within their product offerings in order
to establish the chain of trust as part of the implementation of the NIST Risk Management
Framework (RMF). Through the partnership with SecureForce, RightNow has taken the
initiative to demonstrate the required trustworthiness and address FISMA compliance head-on.
Given the RightNow Government Cloud is a multi-tenant environment, we anticipated
that certification boundaries would become blurry and controls would become harder to
satisfy. In order to address all aspects of the cloud offering, a flexible yet comprehensive
approach to addressing C&A within the cloud was required. Based upon the most common
customer use cases and data types, the Federal Information Processing Standard (FIPS) 199
system categorization for the Government Cloud was determined to be moderate. To
ensure consistent documentation and assessment of controls across tenants, the certification
3
www.rightnow.com
Share This
 boundary was determined to include all infrastructure components as well as the baseline
application. The Government Cloud C&A package is built upon the NIST RMF and
includes the following artifacts:

Artifact Notes
System Security Plan (SSP) Consistent with NIST SP 800-18
Security Assessment Report Consistent with NIST SP 800-53A
Risk Assessment Report Consistent with NIST SP 800-30
Plan of Actions and Milestones (POA&M) Maintained by RightNow

For each subsequent product version the C&A package is updated and made available
to new customers or to existing customers that are upgrading to that version. For those
customers that have extensive customizations that extend product functionality, an
addendum to the C&A package for their product version must be developed to capture any
non-compliant controls and potential risks that may be introduced via the customizations.

CHALLENGES WE FACED IN WORKING THROUGH OUR C&A

C&A is a complex process made more difficult when applied to a multi-tenant, cloud-
based offering. The three most pressing issues we faced during the C&A of the Government
Cloud were:
1) Multi-tenancy: Some NIST SP 800-53 controls and NIST SP 800-53A control
assessment objectives were not written to address multi-tenancy or data co-mingling. As a
result, this created some difficulty when assessing common controls applicable to the entire
environment. Ultimately, those controls were fully documented in the SSP then assessed
against the “spirit of the law” (i.e. does the control satisfy the control assessment objective
while maintaining adequate isolation between customer instances?).
2) Hybrid Control Identification and Ownership Determination: While the majority of
applicable security controls are the responsibility of the outsourced provider, some controls
also require decision or action by the government customer. These types of controls in
which there is shared responsibility between the vendor and the government are known
as known as hybrid controls. Examples of hybrid controls include incident response and
contingency planning where both the government and the vendor would be required
to have policies and procedures in place and the policies and procedures in use by the
government may be common for all systems within their inventory. Hybrid controls and the
customer-specific responsibilities for meeting control assessment objectives are identified in
both the SSP and SAR.
3) Lack of System and Control Documentation: The security architecture and concept
of operations of the Government Cloud was not sufficiently documented to provide the
necessary context for non-RightNow personnel to fully understand the Government Cloud
architecture and operations in order to determine control adequacy and robustness. Having
a fully documented security architecture and concept of operations is essential to ensuring
complete transparency and establishing the necessary chain of trust between the vendor
and the government customer. As part of the C&A process, the security architecture and
concept of operations were documented in the SSP.
4
www.rightnow.com
Share This
 LESSONS LEARNED IN WORKING THROUGH THE CHALLENGES
Multi-Tenancy
Most cloud computing vendors in the SaaS space, including RightNow, offer a solution
that is multi-tenant. Multi-tenancy presents a number of challenges, outlined above, in an
environment that is to be certified and accredited. Here is a summary of the key lessons that
we learned during our C&A.

No context of cloud computing

While multi-tenant environments are not explicitly prohibited, many of the controls in
the NIST SP 800-53 framework assume a single-tenant installation. Because agencies have
become familiar with these controls, many of the Information Assurance (IA) professionals
and Authorizing Officials that we’ve worked with were initially very reluctant to housing
their data in a multi-tenant environment.
RightNow and SecureForce have been able to overcome this reluctance and provide a
high degree of assurance regarding the effectiveness of control implementation by clearly
outlining the security engineering decisions that RightNow made early-on to logically
separate clients from one another. Throughout the C&A process, careful attention was
paid to clearly detailing the technical steps taken to logically separate customers from
one another in such a way that the risk of co-mingling of data on the same physical
infrastructure and the likelihood of cross-organizational operational impact are minimal.
System categorization must be based upon high watermark
It was also recognized early-on that in a multi-tenant environment, the system as a whole
would need to be certified and accredited at a FIPS 199 impact categorization that was
commensurate with the highest level that any single potential client could require. This
is due to the fact that a large number of the controls that are documented and audited
are common controls that involve all of the underlying infrastructure components that
are shared in a multi-tenant environment. Consequently, any cloud computing vendor
who intends to run a multi-tenant environment would need to certify at the “high water
mark”, determined by the highest feasible impact categorization of any single tenant of the
infrastructure.
Of course, this means that tenants that do not have an explicit requirement for a higher
level impact categorization get to take advantage of the increased operational and security
controls that are in place. Not only does this provide them with an extra level of assurance
in their cloud computing vendor, but it allows them the flexibility to grow into system
requirements that are beyond the scope of their original deployment.
Consistent and repeatable processes are required
Consistent and repeatable processes should be part of any mature cloud computing vendor’s
operational practices. The NIST 800-53 control framework requires policies and procedures
be developed for all three classes of controls—technical, operational, and management. The
application of consistent and repeatable processes can be difficult and is further complicated
when being applied to a multi-tenant cloud computing environment.

Automation is key to cloud computing

Automated and repeatable processes must be tightly integrated throughout all components
of the environment to maintain the integrity and security of the cloud computing platform
5
www.rightnow.com
Share This
 and to ensure quality provisioning of elastic, on demand, services.
RightNow has developed a comprehensive management system which automates commonly
performed tasks throughout the Government Cloud, including the infrastructure, platform,
and application. RightNow achieves operational excellence, while maintaining a robust
security posture, in a complex multi-tenant environment by directly controlling all aspects
of the Government Cloud.
Change management approval process is mandatory
In any computing environment, there will inevitably be some processes which cannot
be automated. Those processes which cannot be automated require thorough review and
approvals to ensure that operational risk is reduced as much as possible, without losing the
ability to be flexible.
We have implemented a change management and tracking process that allows the operators
of the environment to propose changes to the environment. These proposals are reviewed by
appropriate engineering resources and approved by management multiple times per week.
This level of frequency allows us to be responsive to customer demands in a constantly
evolving environment.
Version control is taken to a new level
The ability to run multiple versions of the application (SaaS level) of the cloud computing
environment is driven primarily by the mission criticality of the application use case.
Having a system that allows the tenants a choice in version and upgrade schedule is one of
the many unique value propositions that RightNow provides. Maintaining a large number
of versions in a production environment requires robust logical separation of tenants from
one another. Only through robust logical separation can the integrity of the environment be
maintained despite the disparity in service functionality and patch levels between tenants.

6
www.rightnow.com
Share This
 CONCLUSION
Suggestions
To address common concerns related to cloud computing, guidance should be developed
that addresses the application of the NIST 800-53 control framework to a cloud computing
environment. Particular attention should be paid to explaining the risks associated with
multi-tenancy and the types of controls and countermeasures that may be put in place
to effectively enforce and monitor logical separation, and their ability to mitigate the
associated risks. Additionally, the guidance should address those hybrid controls that may
be common across the cloud computing environment (i.e. common for all tenants) as well
as those controls where the responsibility for control implementation should be shared
between the vendor and the government. We are aware that NIST is presently developing
guidance on cloud computing and we look forward to reviewing and providing feedback on
the initial public draft.
Considerations
Vendors should be aware that:
·· Government customers are required to conduct C&A of their systems prior to
operation and are required to monitor the system on a continuous basis thereafter.
·· Government customers expect the vendors to support the C&A process; therefore,
C&A is a mandatory requirement for doing business with the government.
·· Government customers expect complete transparency into cloud computing offerings
in order to ensure all aspects of the offering (e.g. 3rd party vendors and services) meet
the necessary control requirements and do not weaken the chain of trust.
·· Hybrid controls exist where there may be shared responsibility between the vendor
and government.
·· Security engineering should be tightly integrated throughout the lifecycle of cloud
computing offerings so that security requirements are fully understood and a
risk management program is in place to balance security against operational and
functional requirements.
Government customers should be aware that:
·· Many vendors have never dealt with C&A and are not fully educated on the
requirements for complying with FISMA. Contracts should clearly identify the
applicable NIST 800-53 controls and enhancements and the vendor’s responsibility
to ensure they are satisfied.
·· NIST guidelines do not fully address cloud computing. Applicable controls must be
assessed within the given context of their environment.
·· Hybrid controls exist where there may be shared responsibility between the vendor
and government.
·· Mature cloud computing vendors should be able to demonstrate that security
engineering principles are tightly integrated throughout the lifecycle of their
offerings, that security requirements are fully understood, and a risk management
program is in place to balance security against operational and functional
requirements.

7
www.rightnow.com
Share This
 Chain of Trust
Transparency is a key factor in developing trust with cloud computing consumers. If the
chain of trust has fewer links, the service will ultimately be easier to secure and control,
thereby facilitating:
·· Auditing
·· Reporting
·· Accountability
Cloud computing vendors who have direct control over all three cloud service models will
have a distinct advantage for providing transparency as well as addressing the numerous
controls and policies necessary to achieve compliance and accreditation. Very little finger
pointing can take place in an environment where a single vendor is responsible from end to
end.
Summary
In going through the FISMA certification and accreditation process, we found several things
particularly challenging:
·· Multi-tenancy: clarity and guidance needs to be provided to help define and control
multi-tenant environments
·· Hybrid controls: standards need to be updated to accommodate that some controls
may be applicable across multiple layers of infrastructure, with different responsible
parties at each layer
·· Lack of system and control documentation: this is an area that vendors just need to
be prepared to address
We suggest that the FISMA guidelines be updated to provide clarity in the first two issues
noted above and would welcome the opportunity to provide direct feedback in these areas
to those who are responsible for writing/amending the guidelines.
There have been some changes made recently to NIST 800-37 (revision 1) that will make a
unified standard and methodology easier to achieve over the long term. However, we feel
that these changes do not yet directly address the areas that we’re suggesting above.

8
www.rightnow.com
Share This
 AUTHORS
Ben Nelson
CISO & Director, IT Services
RightNow Technologies

Stefen Smith, CISSP-ISSEP

Chief Technology Officer
SecureForce

ABOUT SECUREFORCE
SecureForce is passionate about cyber security. We are comprehensive in our approach to
providing end-to-end security solutions using state-of-the-art technologies supplemented
with constantly evolving knowledge and expertise. Our methods are singularly focused on
removing the threat of cyber exploitation. Located in Washington, DC, SecureForce has
the proven credentials to assess, architect, engineer, certify, accredit, and operate the security
infrastructure of the largest government agencies and corporations located in the U.S. and
abroad.

ABOUT RIGHTNOW
RightNow (NASDAQ: RNOW) delivers the high-impact technology solutions and services
organizations need to cost-efficiently deliver a consistently superior customer experience
across their frontline service touchpoints. Approximately 1,900 corporations, government
agencies, and institutions worldwide depend on RightNow to achieve their strategic
objectives and better meet the needs of those they serve. RightNow is headquartered in
Bozeman, Montana.
For more information, please visit www.rightnow.com.
RightNow is a registered trademark of RightNow Technologies, Inc. NASDAQ is a
registered trademark of the NASDAQ Stock Market.
Contact us today to find out how we can help you create the best possible customer
experience for your customers.

Our solutions:
RightNow CX RightNow Social Experience RightNow Engage
The Customer Experience Suite

RightNow Web Experience RightNow Contact Center Experience RightNow CX Cloud Platform

Be social with us:

RightNow.com Twitter Facebook

YouTube LinkedIn RightNow Blog

9
www.rightnow.com
Share This