©2009 RightNow Technologies. All rights reserved. RightNow and RightNow logo are trademarks of
RightNow Technologies Inc. All other trademarks are the property of their respective owners. 9007
CLOUD-BASED CUSTOMER EXPERIENCE MANAGEMENT
SOLUTIONS FOR GOVERNMENT AGENCIES
TABLE OF CONTENTS
Introduction
Conclusion
Authors
www.rightnow.com
INTRODUCTION
RightNow Technologies
RightNow is a provider of cloud-based customer experience management solutions that
help consumer-centric organizations deliver exceptional customer experiences across the
web, social networks, and contact centers. Founded in 1997, RightNow is headquartered
in Bozeman, Montana, and employs more than 800 people. With more than eight billion
customer interactions delivered, RightNow is the customer experience fabric for nearly
2,000 organizations around the globe. RightNow is listed on the NASDAQ under the
symbol RNOW. Over 170 public sector clients, including nearly every US cabinet-level
agency, Army, Marines, Air Force, members of the Intelligence Community and DoD, rely
on RightNow CX to deliver real-time information, when and where it’s needed.
RightNow CX, the Customer Experience Suite
RightNow CX is a total customer experience solution for consumer-centric organizations
serious about enabling superior interactions across web, social, and contact center
touchpoints. RightNow’s customer experience solutions give agencies the ability to
coordinate disparate resources, including people and technology, across the organization
to develop, rapidly execute, and manage a comprehensive customer experience strategy.
RightNow CX applications address the three experiences that matter most (see diagram
below), ensuring a seamless multi-channel (web, voice, chat, etc.) experience, regardless of
the number or type of customer interactions initiated.
Cloud offers logical separation of tenants and other controls necessary to provide the
security, high availability, and redundancy equivalent to our commercial offering. The
Government Cloud has been designed to satisfy the control requirements for the National
Institute of Standards and Technology (NIST) 800-53 “moderate” baseline. Control
implementation and compliance status have been independently verified and documented by
a third party.
SECUREFORCE
SecureForce, LLC (SecureForce) is a cybersecurity firm based in the Washington, DC
metro area that has extensive experience supporting the U.S. Government.
SecureForce has provided security engineering, Certification and Accreditation
(C&A), security assessment, and security operations support to a broad customer
base, including Federal Civilian agencies, the Department of Defense, and the
Intelligence Community. SecureForce has performed numerous C&As leveraging
the processes outlined in NIST 800-37, NIACAP, DIACAP and DCID 6/3.
RightNow and SecureForce have partnered to ensure government compliance
requirements are integrated throughout the lifecycle of the RightNow Government
Cloud offering and a comprehensive C&A package is developed for each product
release.
CLOUD COMPUTING FUNDAMENTALS
In accordance with the NIST Definition of cloud computing (http://csrc.nist.gov/groups/SNS/cloud-computing/),
cloud-based services can be offered via one of three service models.
Artifact | Notes
System Security Plan (SSP) | Consistent with NIST SP 800-18
Security Assessment Report | Consistent with NIST SP 800-53A
Risk Assessment Report | Consistent with NIST SP 800-30
Plan of Actions and Milestones (POA&M) | Maintained by RightNow
For each subsequent product version the C&A package is updated and made available
to new customers or to existing customers that are upgrading to that version. For those
customers that have extensive customizations that extend product functionality, an
addendum to the C&A package for their product version must be developed to capture any
non-compliant controls and potential risks that may be introduced via the customizations.
CONCLUSION
Suggestions
To address common concerns related to cloud computing, guidance should be developed
that addresses the application of the NIST 800-53 control framework to a cloud computing
environment. Particular attention should be paid to explaining the risks associated with
multi-tenancy and the types of controls and countermeasures that may be put in place
to effectively enforce and monitor logical separation, and their ability to mitigate the
associated risks. Additionally, the guidance should address those hybrid controls that may
be common across the cloud computing environment (i.e. common for all tenants) as well
as those controls where the responsibility for control implementation should be shared
between the vendor and the government. We are aware that NIST is presently developing
guidance on cloud computing and we look forward to reviewing and providing feedback on
the initial public draft.
Considerations
Vendors should be aware that:
• Government customers are required to conduct C&A of their systems prior to
operation and are required to monitor the system on a continuous basis thereafter.
• Government customers expect the vendors to support the C&A process; therefore,
C&A is a mandatory requirement for doing business with the government.
• Government customers expect complete transparency into cloud computing offerings
in order to ensure all aspects of the offering (e.g. 3rd party vendors and services) meet
the necessary control requirements and do not weaken the chain of trust.
• Hybrid controls exist where there may be shared responsibility between the vendor
and government.
• Security engineering should be tightly integrated throughout the lifecycle of cloud
computing offerings so that security requirements are fully understood and a
risk management program is in place to balance security against operational and
functional requirements.
Government customers should be aware that:
• Many vendors have never dealt with C&A and are not fully educated on the
requirements for complying with FISMA. Contracts should clearly identify the
applicable NIST 800-53 controls and enhancements and the vendor’s responsibility
to ensure they are satisfied.
• NIST guidelines do not fully address cloud computing. Applicable controls must be
assessed within the given context of their environment.
• Hybrid controls exist where there may be shared responsibility between the vendor
and government.
• Mature cloud computing vendors should be able to demonstrate that security
engineering principles are tightly integrated throughout the lifecycle of their
offerings, that security requirements are fully understood, and a risk management
program is in place to balance security against operational and functional
requirements.
Chain of Trust
Transparency is a key factor in developing trust with cloud computing consumers. If the
chain of trust has fewer links, the service will ultimately be easier to secure and control,
thereby facilitating:
• Auditing
• Reporting
• Accountability
Cloud computing vendors who have direct control over all three cloud service models will
have a distinct advantage for providing transparency as well as addressing the numerous
controls and policies necessary to achieve compliance and accreditation. Very little finger
pointing can take place in an environment where a single vendor is responsible from end to
end.
Summary
In going through the FISMA certification and accreditation process, we found several things
particularly challenging:
• Multi-tenancy: clarity and guidance need to be provided to help define and control
multi-tenant environments
• Hybrid controls: standards need to be updated to accommodate the fact that some
controls may be applicable across multiple layers of infrastructure, with different
responsible parties at each layer
• Lack of system and control documentation: this is an area that vendors just need to
be prepared to address
We suggest that the FISMA guidelines be updated to provide clarity on the first two issues
noted above and would welcome the opportunity to provide direct feedback in these areas
to those who are responsible for writing or amending the guidelines.
There have been some changes made recently to NIST 800-37 (revision 1) that will make a
unified standard and methodology easier to achieve over the long term. However, we feel
that these changes do not yet directly address the areas that we’re suggesting above.
AUTHORS
Ben Nelson
CISO & Director, IT Services
RightNow Technologies
ABOUT SECUREFORCE
SecureForce is passionate about cyber security. We are comprehensive in our approach to
providing end-to-end security solutions using state-of-the-art technologies supplemented
with constantly evolving knowledge and expertise. Our methods are singularly focused on
removing the threat of cyber exploitation. Located in Washington, DC, SecureForce has
the proven credentials to assess, architect, engineer, certify, accredit, and operate the security
infrastructure of the largest government agencies and corporations located in the U.S. and
abroad.
ABOUT RIGHTNOW
RightNow (NASDAQ: RNOW) delivers the high-impact technology solutions and services
organizations need to cost-efficiently deliver a consistently superior customer experience
across their frontline service touchpoints. Approximately 1,900 corporations, government
agencies, and institutions worldwide depend on RightNow to achieve their strategic
objectives and better meet the needs of those they serve. RightNow is headquartered in
Bozeman, Montana.
For more information, please visit www.rightnow.com.
RightNow is a registered trademark of RightNow Technologies, Inc. NASDAQ is a
registered trademark of the NASDAQ Stock Market.
Contact us today to find out how we can help you create the best possible customer
experience for your customers.
Our solutions:
RightNow CX, the Customer Experience Suite
RightNow Social Experience
RightNow Engage
RightNow Web Experience
RightNow Contact Center Experience
RightNow CX Cloud Platform