NIST Cloud Computing Program
NIST Cloud Computing Program Highlights & Next Steps
NIST Mission: To promote U.S. innovation and industrial competitiveness by advancing measurement science, standards, and technology in ways that enhance economic security and improve our quality of life.
Secure Cloud 2012, May 10, 2012
Robert Bohn, Cloud Computing Program Manager
Unchanged: NIST Cloud Computing Program Goal

Accelerate the federal government’s adoption of cloud computing*
– Build a USG Cloud Computing Technology Roadmap which focuses on the highest priority USG cloud computing security, interoperability and portability requirements
– Lead efforts to develop standards and guidelines in close consultation and collaboration with standards bodies, the private sector, and other stakeholders
* REF http://www.cio.gov/documents/Federal-Cloud-Computing-Strategy.pdf
REVISITING NIST CLOUD COMPUTING PROGRAM (PHASE 1): INITIATIVE TO BUILD A USG CLOUD COMPUTING TECHNOLOGY ROADMAP

[Phase 1 timeline figure, May 2010 to Nov 2011; text recovered from the slide]

Milestones: May 2010, NIST CC Forum & Workshop I; Nov 2010, NIST CC Forum & Workshop II; April 2011, NIST CC Forum & Workshop III; Nov 2011, NIST CC Forum & Workshop IV.

Strategic track (in order):
– Outreach & fact finding with USG, industry, SDOs
– Evaluate past models & lessons learned
– Define a fresh approach to support secure & effective USG cloud computing adoption; prioritize interoperability, portability, & security requirements; collaborate; more quickly respond to operational needs
– Launch CC Strategic Program; initiate stakeholder meetings; collaboratively define working group scope & resources; refine plan
– Execute CC Strategic Program; continue stakeholder meetings; integrate results into tactical priorities
– Complete 1st draft USG Cloud Computing Technology Roadmap

Tactical efforts (NIST CC Definition; Interagency Report), how to build a USG Cloud Computing Technology Roadmap:
1. Define Target USG Cloud Computing Use Cases
2. Define Neutral Cloud Computing Reference Architecture & Taxonomy
3. Generate Roadmap – Translate Requirements & Identify Gaps
Then assess results & replan.
Volume I - Highlights

USG Cloud Computing Technology Roadmap requirements* - high priorities to further USG Cloud Computing Technology Adoption:
Requirement 1: International voluntary consensus based interoperability, portability and security standards
Requirement 2: Solutions for high priority Security Requirements
Requirement 3: Technical specifications to enable development of consistent, high quality Service Level Agreements
Requirement 4: Clearly and consistently categorized cloud services
Requirement 5: Frameworks to support seamless implementation of federated community cloud environments
Requirement 6: Technical security solutions which are decoupled from organizational policy decisions
Requirement 7: Defined unique government regulatory requirements, technology gaps, and solutions
Requirement 8: Collaborative parallel strategic “future cloud” development initiatives
Requirement 9: Defined and implemented reliability design goals
Requirement 10: Defined and implemented cloud service metrics

* relationship to interoperability, portability, and security guidance, standards, & technology highlighted in roadmap
Volume II - Highlights

• Summary of USG target business use case templates & initial set
• NIST Cloud Computing Reference Architecture (& Taxonomy), SP 500-292, Sept 2011
  [Reference Architecture figure; actors and components recovered from the slide]
  – Cloud Consumer
  – Cloud Provider: Service Layer (SaaS, PaaS, IaaS); Resource Abstraction and Control Layer; Physical Resource Layer (Hardware, Facility); Cloud Service Management (Business Support, Provisioning/Configuration, Portability/Interoperability); Security; Privacy
  – Cloud Auditor: Security Audit, Privacy Impact Audit, Performance Audit
  – Cloud Broker: Service Intermediation, Service Aggregation, Service Arbitrage
  – Cloud Carrier
• SAJACC technical use case summary
  [SAJACC figure; elements recovered from the slide: Use Cases (Case 1, Case 2, …); Specifications (Spec 1, Spec 2, …, Spec n); Validation Exercises (Test 1, Test 2, …, Test n); Community Outreach; Existing Standards; Working Groups; Standards Development Organizations; NIST Cloud Standards Portal (Use Cases, Validated Specifications, Reference Implementations)]
• Cloud Computing Standards Roadmap, SP 500-291, July 2011: standards & gap analysis
• High Priority Security Requirements - challenges, requirements overview, risk mitigation measures
• Other related work - Reliability Research in Cloud-based Complex Systems (Koala), SLA taxonomy
Strategic Program (continue phase 1 activities and…)

We have practical opportunities to leverage our efforts … one is identifying complementary efforts the NIST Roadmap refers to as Priority Action Plans ... leverage Priority Action Plans (PAPs) selected for self-tasking by the Cloud Stakeholder Community. Assess & Track: USG CC High Priority Requirements met by Priority Action Plans.

[Program figure; text recovered from the slide]

How to build a USG Cloud Computing Technology Roadmap:
1. Define Target USG Cloud Computing Business Use Cases
2. REFINE & APPLY Neutral CC Reference Architecture & Taxonomy
3. UPDATE Cloud Computing Technology Roadmap – Translate Requirements & Identify Gaps
(figure labels: priorities, risks, obstacles; vendors map services)

USG Cloud Computing Technology Roadmap (self-tasked by NIST and other CC stakeholders):
Rqmt 1: International consensus interoperability, security, portability standards
Rqmt 2: Solutions for High Priority Security requirements
Rqmt 3: Technical Specifications to enable high quality SLAs
…….
Rqmt 10: Defined and Implemented cloud service metrics

NIST Tactical Program: integrate results into tactical priorities; measure results.
USG Cloud Computing Technology Roadmap requirements - high priorities to further USG Cloud Computing Technology Adoption:
Requirement 1: International voluntary consensus based interoperability, portability and security standards (interoperability, portability, and security standards)
Requirement 2: Solutions for high priority Security Requirements (security technology)
Requirement 3: Technical specifications to enable development of consistent, high quality Service Level Agreements (interoperability, portability, and security standards and guidance)
Requirement 4: Clearly and consistently categorized cloud services (interoperability and portability guidance and technology)
Requirement 5: Frameworks to support seamless implementation of federated community cloud environments (interoperability and portability guidance and technology)
Requirement 6: Technical security solutions which are de-coupled from organizational policy decisions (security guidance, standards and technology)
Requirement 7: Defined unique government regulatory requirements, technology gaps, and solutions (interoperability, portability and security technology)
Requirement 8: Collaborative parallel strategic “future cloud” development initiatives (interoperability, portability, and security technology)
Requirement 9: Defined and implemented reliability design goals (interoperability, portability, and security technology)
Requirement 10: Defined and implemented cloud service metrics (interoperability and portability standards)

• Examples of Priority Action Plans & interim solutions to apply while cloud solutions are maturing (recommended Priority Action Plans are tactical as well as strategic):
– Encourage standards & compensate with Service Level Agreements to require demonstration of data/system portability between providers
– Request that cloud service vendors map their offerings to a common reference (i.e. NIST Reference Architecture) so that it is easier to compare services
– Define unique USG/mission/sector/business requirements (e.g. 508 compliance, e-discovery, record retention)
NIST COMPUTING PROGRAM TIMELINE (PHASE 2)

[Phase 2 timeline figure, Nov 2011 to Nov 2012; text recovered from the slide]

Milestones: Nov 2011, NIST CC Forum & Workshop IV; June 2012, NIST CC Forum & Workshop V; Nov 2012, NIST CC Forum & Workshop VI.

Strategic track (in order):
– Analyze Phase 1 working group & project results
– Complete 1st draft for public comment: USG Cloud Computing Technology Roadmap Version 1, SP 500-293
– Initiate NIST CC Program Phase II
– Integrate & track USG Technology Roadmap Priority Action Plans (PAPs) with external stakeholders
– Re-assess progress & Phase 2 plan
– USG Cloud Computing Technology Roadmap Version 2
– Integrate results into tactical priorities; measure results

Tactical efforts: Public & Federal Standards & Technology working groups; standards liaison, FedRAMP & other technical advisory, guidance, Koala
NIST Cloud Computing Special Pubs
• Guidelines on Security and Privacy: SP 800-144
• Definition of Cloud Computing: SP 800-145
• CC Synopsis & Recommendations: SP 800-146
• CC Standards Roadmap: SP 500-291
• CC Reference Architecture: SP 500-292
• USG CC Technology Roadmap Draft: SP 500-293

Planned NIST Cloud Computing Special Pubs
• Challenging Security Requirements for US Government CC Adoption
• Revised USG CC Technology Roadmap: SP 500-293
  1. Vol I High-priority requirements to Further USG Agency CC Adoption
  2. Vol II Useful Information for Cloud Adopters
  3. Draft Vol. III Technical Considerations for USG CC Deployment Decisions
Goals for RA/Tax Public WG
• Goal 1 - Requirement 3: Address “Technical Specifications for High-Quality Service-Level Agreements”.
• Goal 2 - Requirement 5: Address “Frameworks to Support Federated Community Clouds”.
• Goal 3 - Requirement 10: Address “Defined & Implemented Cloud Service Metrics”.
• Goal 4 - Advanced Actor Analysis: To further the discussion on the roles of and interactions of cloud computing actors (consumer/auditor/broker/carrier).
• Goal 5 - Develop an in-depth study on security and RA mapping. (Collaborative with CC Security WG)
GOAL 1: R3 - Technical Specifications for High-Quality Service-Level Agreements & PAPs

Cloud SLAs represent a negotiated service contract between two parties that specifies what cloud service will be provided to the customer. This requirement must be met to ensure:
– key elements required for cloud services (warranties, guarantees, performance metrics, etc.) are not left out of the SLA and therefore rendered unenforceable,
– common terms and definitions are used within the SLAs to avoid costly misunderstandings between parties,
– an environment is created which allows agencies to objectively compare competing services.

PAPs
– Develop a controlled and standardized vocabulary of cloud SLA terms and definitions. 2012-periodically
– Ensure consistency in guidance and policy regarding SLA relevant terms and definitions. 2012-periodically
– Develop a cloud SLA Taxonomy to ensure the complete specification of key cloud computing elements that need to appear in an SLA. 2012-periodically

Draft Master Service Taxonomy
[figure slide; diagram not recoverable from the text]

Draft SLA Cloud SLA Taxonomy
[figure slide; diagram not recoverable from the text]
GOAL 2: R5 - Frameworks to Support Federated Community Clouds & PAPs

• In the case where a Community Cloud deployment is not implemented in an environment (private/public cloud) that accommodates the entire community, there is a need to define and implement mechanisms to support the governance and processes that enable federation and interoperability between different cloud service provider environments to form a general or mission-specific federated Community Cloud.

• PAPs
– Define federated Community cloud requirements and scenarios. 2012-2014
– Identify how Hybrid Cloud and Cloud Broker elements described in the cloud Reference Architecture can be leveraged and harmonized. 2012-2013
– Present analysis of GRID communities’ applicability to federated cloud communities, including technology, trust infrastructure, & governance. 2012-2013
– All stakeholders -- assess Intercloud efforts (e.g., Standards Developing Organizations) for applicability. 2012-2013
– NEW: Document current usage patterns and projected near-term trends in grid and cloud architectures with attention to tools used for effective support of federated user communities.
GOAL 2: R5 - Current Activities
• Developing SOW, project plans
• Invitation to the Grid communities to participate
• Collaboration Tools: Supplemental Wiki.
• Identify, assemble and make available prior Grid community documents
GOAL 3: R10 - Defined & Implemented Cloud Service Metrics & PAPs

• In utility industries, the notion of units of measurement is fundamental to buying and selling service. However, in the case of cloud computing service delivery, which uses a utility model, IT resources are supplied as abstracted services, often characterized as Infrastructure as a Service or Platform as a Service. Abstracted services can be set to run fast or slow, to be small or large, and to be as reliable as desired (subject to underlying technology constraints). Service consumers pay for a “quantity” and a "quality" of the service, which is metered by a cloud computing system. Consumers need to be able to precisely specify and receive services.

• PAPs
– Specify and Standardize the Units of Measurement for cloud services, seeking public comment and collaboration. 2012-2013
– In parallel, incorporate Cloud Service Units of Measurement consistently in Service-Level Agreements. 2012-2013
GOAL 3: R10 - Areas of Concentration & Deliverables

Areas of Concentration
• Specify and normalize a small set of existing units of measurement for cloud services
• Define the cloud service measurement space; atomic service units are needed.
• The integration of normalized Units of Measurement for cloud services into SLAs.

Deliverables
• Draft specification of the cloud service measurement space.
• Template for listing and organizing Cloud Services Units of Measurement.
• Non-exhaustive list of Cloud Services Units of Measurement (existing or new) and normalization methods.
• Report of a study of Units of Measurement successfully defined and used for the IT industry (i.e. network, storage, database etc.)
• List of Cloud Services Units of Measurement relevant for SLAs.
GOAL 4: Advanced Actor Analysis

• The current NIST Reference Architecture document is very focused on the roles and responsibilities of the cloud provider. The four other roles were not studied to a similar depth. Therefore, inclusion of a fuller description of their responsibilities and the activities/functions they will perform is necessary to attain a more complete description in the NIST RA. For example, the cloud carrier may provide additional services that are needed by the Cloud Consumer and Cloud Provider.

Milestones
• Expansion of Cloud Consumer / Auditor / Broker Roles & Responsibilities: 2/2012
• Generate the relevant definitions: 3/2012
• Discussion of actor interactions: 4/2012

Deliverables
• Analysis document: 5/2012
GOAL 5: Security RA that supplements NIST RA (Collaborative with CC Security WG)

• Develop a Security RA that supplements the NIST RA.
• The approach - leverage the CSA’s Reference Architecture to design a Security Reference Architecture for Cloud Computing.
• Public IaaS – initial exercise

Milestones
• INITIAL DRAFT: 4/2012
• INTERNAL REVIEW: 5/2012
• ADDRESS COMMENTS & PUBLIC DRAFT: 6/2012
• PUBLIC REVIEW: 7/2012
• PROCESS & ADDRESS COMMENTS: 8/2012
• FINAL DOCUMENT: 9/2012

Deliverables
• Internal draft: 4/2012
• Public draft: 6/2012
• Final document: 9/2012
NIST invites you to collaborate with us on Cloud Computing!
US Federal Cloud Computing references: www.cio.gov
Public NIST cloud web site: http://www.nist.gov/itl/cloud/
Cloud Computing Forum & Workshop V: June 5-7, 2012: Washington, DC
Contacts:
Dawn Leaf: Senior Executive for Cloud Computing dawn.leaf@nist.gov
Robert Bohn: Cloud Computing Program Manager robert.bohn@nist.gov
United States Department of Commerce
National Institute of Standards and Technology
Information Technology Laboratory
100 Bureau Drive Stop 2000
Gaithersburg, MD 20899-2000
Tel: (301) 975-4090, cloudcomputing@nist.gov