Add to collection(s) Add to saved
  1. Business
  2. Management

PDF - Cloud Security Alliance

advertisement 
Cloudy with Showers of
Business Opportunities and
and
a
Good
Chance
of
NIST
Security and Accountability
Not All Clouds are Equal – Can You Tell the Difference?
Security and Privacy Controls for Cloud-based Federal
Information Systems
Dr. Michaela Iorga,
Senior Security Technical Lead for Cloud Computing
Co-Chair, Cloud Security WG
Co-Chair, Cloud Forensics Science WG
May, 2015
The World is changing…
2
Many Shades of Cloud Views….
SECURITY VIEW
CLOUD VENDOR’S
VIEW
BUSINESS
VIEW
Security & Privacy may mean different
things to different people…
Army
Navy
Marines
4
Slide courtesy of Bill Murray, AWS, Amazon
Air Force
Balancing Cloud Benefits and Risks …
… is not easy but it
can be done.
•
•
•
•
•
Reduce Capital Cost
Improve Business Agility
Increase Productivity & Collaboration
Increase Competitiveness
Lower Staff Cost
•
•
•
•
•
Preserve Security Posture
Improve Security
Minimize Business Risk
Increase Availability
Preserve Privacy
NIST Risk Management Standards
•
•
•
•
•
•
•
•
Standards for Security Categorization of Federal Information and Information
Systems (FIPS 199); Feb 2004
Guide for Mapping Types of Information and Information Systems to Security
Categories (SP 800-60 Rev. 1); Aug 2008
Minimum Security Requirements for Federal Information and Information
Systems (FIPS 200); Mar 2006
Security Considerations in the System Development Life Cycle (SP 800-64 Rev.
2); Oct 2008
Guide for Applying the Risk Management Framework to Federal Information
Systems: A Security Life Cycle Approach (SP 800-37, Rev. 1); Feb 2010
Managing Information Security Risk: Organization, Mission, and Information
System View (SP 800-39); Mar 2011
Guide for Conducting Risk Assessments (SP 800-30 Rev. 1); Sep 2012
Security and Privacy Controls for Federal Information Systems and
Organizations (SP 800-53 Rev. 4); Apr 2013
Other Related NIST Special Publications
•
•
•
•
7
Performance Measurement Guide for Information Security (SP 800-55 Rev. 1);
Jul 2008
Contingency Planning Guide for Federal Information Systems (SP 800-34 Rev.
1); May 2010
Information Security Continuous Monitoring for Federal Information Systems and
Organizations (SP 800-137); Sep 2011
Computer Security Incident Handling Guide (SP 800-61 Rev. 2); Aug 2012
New NIST Special Publications (Drafts)
• DRAFT Systems Security Engineering: An Integrated Approach to Building
Trustworthy Resilient Systems (SP 800-160 Draft); May 12, 2014
• DRAFT Supply Chain Risk Management Practices for Federal Information
Systems and Organizations SP 800-161 (Second Draft); Jun. 3, 2014
• NIST SP 500-299: NIST Cloud Computing Security Reference Architecture (draft)
• NIST SP 800-173: Guide for Applying the Risk Management Framework to
Cloud-based Federal Information Systems; work in progress
• NIST SP 800-174: Security and Privacy Controls for Cloud-based Federal
Information Systems; work in progress
NIST Cloud Computing Security Reference
Architecture
(NIST SP 500-299)
DRAFT
NIST Cloud Publications Page:
http://www.nist.gov/itl/cloud/publications.cfm
NIST CC Security Reference Architecture - Approach
NIST Security Reference Architecture – formal model
NIST Security Reference Architecture – security components
Mapping
components to
architecture
NIST Reference Architecture
TCI Reference Architecture
+
NIST CC Reference Architecture (SP 500-292)
with Cross Cutting Concerns shown
Cloud
Cloud
Consumer
Consumer
Cloud
Cloud Auditor
Auditor
Cloud
Cloud Provider
Provider
Cloud
Orchestration
Service
ServiceLayer
Layer
SaaS
SaaS
Cloud
Cloud Broker
Broker
Cloud
Cloud Service
Service
Management
Management
Business
Business
Support
Support
PaaS
PaaS
Service
Service
Intermediation
Intermediation
IaaS
IaaS
Security
Security
Audit
Audit
Privacy
PrivacyImpact
Impact
Audit
Audit
Performance
Performance
Audit
Audit
Cloud
Cloud
Consumer
Consumer
Resource
ResourceAbstraction
Abstraction
and
and
Control
ControlLayer
Layer
Physical
PhysicalResource
ResourceLayer
Layer
Hardware
Hardware
Provisioning/
Provisioning/
Configuration
Configuration
Service
Service
Aggregation
Aggregation
Portability/
Portability/
Interoperability
Interoperability
Service
Service
Arbitrage
Arbitrage
Facility
Facility
Cloud
Cloud Carrier
Carrier
Cross Cutting Concerns: Security, Privacy, etc
NIST Security Reference Architecture – formal model
11
NIST
CSA
NIST SWG leverages Cloud Security
Alliance’s Enterprise Architecture
(before: Trusted Cloud Initiative Reference Architecture)
https://cloudsecurityalliance.org/wp-content/uploads/2011/11/TCI-Reference-Architecture-1.1.pdf
NIST Security Reference Architecture
– security components -
14
Consumer’s ITOS
S&RM
S&RM
Consumer’s S&RM
Provider’s S&RM
Provider’s S&RM
Provider’s S&RM
Consumer’s BOSS SCs
Provider’s ITOS SCs
Provider’s ITOS SCs
Organizational
OrganizationalSupport
Support
Provider’s BOSS SCs
Broker’s ITOS SCs
Broker’s ITOS SCs
Broker’s BOSS SCs
Provider’s Infrastrct SCs
Provider’s Physical Sec
Carrier’s S&RM SCs
Carrier’s ITOS SCs
Carrier’s BOSS SCs
NIST Security Reference Architecture
– Security Index System Security Index System
NIST Security Reference Architecture
– Aggregated Security Index System – Heat Map
ISO/IEC based CC Security Reference Architecture
ISO/IEC Security Reference Architecture – security components
ISO/IEC Security Reference Architecture – formal model
Mapping
components to
architecture
ISO/ICE Reference Architecture
RMF2C + methodology
TCI Reference Architecture -> functional capabilities
+
OUR APPROACH IS MODULAR – YOU CAN SUBSTITUTE COMPONENTS
E.g. ISO/IEC based CC Security Reference Architecture -
ISO/IEC Security Reference Architecture – formal model
ISO/IEC Security Reference Architecture – security components
Mapping
components to
architecture
RMF2C + methodologyProprietary Set of Components/capabilities
ISO/ICE Reference Architecture
+
YOUR OWN SET OF
COMPONENTS
OR
USE CSA’s CCM !!
CCM vs. NIST SRA /CSA Enterprise Architecture
Cloud Security Alliance
Trusted Computing Initiative - Reference Architecture
https://research.cloudsecurityalliance.org/tci/
20
SP 500-299: Cloud Security Reference Architecture
RMF2C + Methodology
“Guide for Applying Risk
Management Framework
to Cloud-based Federal
Information Systems”
NIST SP 800-173
HELPS SELECT BEST-FITTING
CLOUD ARCHITECTURE
Guide for Applying Risk Management
Framework to Cloud-based Federal
Information Systems
NIST SP 800-173
- work in progress -
Learn how to build trust &
how FedRAMP or STAR can help..
Why Do We Fear
the Clouds ?
Searching For an Answer
N
O
I
T
A
NIST: Research – Challenging Security Requirement
for the USG Cloud Adoption, (whitepaper)
MeriTalk:
USER’s
DATA
L
E
R
1.... If I like it, it's mine.
2.... If it's in my hand, it's mine.
3.... If I can take it from you, it's mine.
4.... If I had it a little while ago, it is mine.
5.... If it's mine, it must never appear to be yours in any way.
6.... If I'm doing or building something, all the pieces are mine.
7.... If it looks just like mine, it's mine.
8.... If I saw it first, it's mine.
9.... If you are playing with something and you put it down, it automatically becomes mine.
10.... If it is broken, it's yours.
T
O
N
T
S
U
R
L
I
U
B
R
T
D
T
S
U
Trust & Trustworthiness (NIST SP 800-39*)
“Trust is an important concept related to risk management. How organizations
approach trust influences their behaviors and their internal and external trust
relationships. […] The reliance on IS services results in the need for trust
relationships among organizations”*
① Validated Trust. One organization obtains a body of evidence regarding the actions of
another organization and uses that evidence to establish a level of trust with the other
organization.
② Direct Historical. The track record exhibited by an organization in the past is used to
establish a level of trust with other organizations.
③ Mediated Trust. An organization establishes a level of trust with another organization
based on assurances provided by some mutually trusted third party.
④ Mandated Trust. An organization establishes a level of trust with another organization
based on a specific mandate issued by a third party in a position of authority.
⑤ Hybrid Trust. An organization uses one of the previously described models in
conjunction with another model(s).
*NIST SP 800-39: Managing Information Security Risk; Organization, Mission, and Information System
View
Consumer’s Level of Control & SP 800-37 RMF
SaaS
RMF2C
RMF
RMF
RMF2C
RMF
PaaS
RMF
RMF
RMF2C
You manage
IaaS
Stack image source: Cloud Security Alliance specification, 2009
Trustworthiness requires visibility into Provider’s practices and risk/information
security decisions to understand risk tolerance. But level of trust can vary & the
accepted risk depends on the established trust relation.
NIST’s Work – Helps Consumer Deal With an
Iceberg Architecture
NIST SP 800-173:
Cloud-adapted Risk Management Framework
RMF
RMF
consumer
nsumer
co
Risk Management Framework (SP 800-37 Rev1) :
Step 1: Categorize Information System
Step 2: Select Security Controls
Step 3: Implement Security Controls
Step 4: Assess Security Controls
Step 5: Authorize Information System
Step 6: Monitor Security Controls
(Repeat process as necessary)
Cloud-adapted Risk Management Framework
(SP 800-173, draft):
Step 1: Categorize: System to be migrated
Step 2: Select: Security Requirements, perform
a Risk Assessment & select Security Controls
Step 3: Identify: best-fitting Cloud Architecture
Implement Cloud-based solution
Step 4: Assess Service Provider(s) & Controls
Step 5: Authorize Use of Service
Step 6: Monitor Service Provider [on-going, near-realtime ] (Repeat process as necessary)
RMF2C
CRMF
RMF2C
CRMF
SP 500-299
RMF
RMF
provider
provider
Stack--image
imagesource:
source:Cloud
CloudSecurity
SecurityAlliance
Alliance
Stack
specification,2009
2009
specification,
Applying Risk Management Framework to Cloud-based
Federal Information Systems
RMF
mer
RMF2C
RMF2C
consu
RM
F
provid
er
Stack - image source: CSA specification, 2009
Risk Management Framework (SP 800-37 Rev1) :
Step 1: Categorize Information System
Step 2: Select Security Controls
Step 3: Implement Security Controls
Step 4: Assess Security Controls
Step 5: Authorize Information System
Step 6: Monitor Security Controls
(Repeat process as necessary)
Cloud-adapted Risk Management Framework
(SP 800-173, draft):
Step 1: Categorize: System to be migrated
A&A
A&Aor
orC&A
C&A
Step 2: Select: Security Requirements, perform
Authoritiesprovide
provide
a Risk Assessment & select Security Controls Authorities
aastandardized
standardized
Step 3: Identify: best-fitting Cloud Architecture
approach
approachto
tosecurity
security
Implement Cloud-based solution
assessment
assessmentor
or
Step 4: Assess Service Provider(s) & Controls
certification
certificationand
and
Step 5: Authorize Use of Service
authorization..
Step 6: Monitor Service Provider [on-going, near-real-authorization..
time ] (Repeat process as necessary)
Applying Risk Management Framework to
Cloud-based Federal Information Systems
(NIST SP 800-173)
DR
DE AF
VE T
L O UN
PM D E
EN R
T
SP 800-173
Cloud-adapted Risk Management
Framework
Applying Risk Management Framework to Cloudbased Federal Information Systems
SaaS
CRMF
CRMF
You manage
1. Follows NIST RMF (SP 800-37 Rev1) structure
2. Discusses the impact of cloud computing
architecture (deployment model & service type),
and cloud characteristics
IaaS (multi-tenancy,PaaS
resource-pooling, elasticity, etc.) on
“Information System Boundary”.
3. Discusses the notion of TRUST in a
cloud ecosystem, and introduces the notion
of TRUST BOUNDARY
4. Introduces the “Security Conservation
Principle” & “Privacy Conservation
Principle”
Applying Risk Management Framework to Cloud-based
Federal Information Systems
Step 1 : Categorize Federal Information System
Step 2 : Select: Security Requirements, perform a Risk Assessment & select Security Controls
deemed necessary.
Step 3 : Identify best-fitting Cloud Architecture &
Implement cloud-based solution
SaaS
PaaS
SaaS Boundary
IaaS
PaaS Boundary
IaaS Boundary
Ecosystem Orchestration Boundary
Cloud Deployment Boundary
Cloud-adapted Risk Management Framework –cont.
Step 4: Assess Service Provider(s) & Broker (if applicable)  leverage FedRAMP P-ATOs
or Agency-ATOs, or assess the controls  build necessary TRUST that the residual
risk is acceptable
Step 5: Authorizea Use of Service  negotiate SLAs & Security SLA
User-data Boundary
Us
e
Da r
ta
User-data Boundary
t
r-Da
Use dary
n
Bou
Step 6: Monitor Service Provider(s) (on-going, near- real- time); Repeat process as necessary
Security and Privacy Controls for
Cloud-based Federal Information
Systems
NIST SP 800-174
- work in progress -
Controls allocation matters …
Controls’ Allocation Matters …
PaaS
SaaS
You manage
IaaS
Stack image source: Cloud Security Alliance specification, 2009
Provider’s implemented baseline
Consumer’s additional needs
33
Clouds are not identical …
even when implementing same baseline controls
PaaS
SaaS
You manage
IaaS
Stack image source: Cloud Security Alliance specification, 2009
34
A & A baseline
A&A
A&Aor
orC&A
C&AAuthorities
Authorities
provide
provideaastandardized
standardized
approach
to
approach tosecurity
security
assessment
or
assessment orcertification
certification
and
authorization.
and authorization.
Security and Privacy Controls for Cloud-based Federal Information
Systems (*Cloud Overlay*)
NOW: Identifying SP 800-53 Security and Privacy Controls for Cloud Capabilities
Audit Planning
Reviewed
Low (Capability
implementation)
Reviewed
Moderate (Capability
implementation)
Reviewed
High (Capability
implementation)
AC-1, AC-2, AC-3, AC- AC-2(1), AC-2(2), AC- AC-2(11), AC-2(13), AC- 8, AC-17, AC-18, AC- 2(3), AC-2(4), AC-2(5), 6(3), AC-6(7), AC-6(8),
19, AC-20
AC-2(7), AC-2(9), AC- AC-18(4), AC-21(2)
2(10), AC-2(12), AC-4,
AU-1, AU-2, AU-3, AU- AC-4(21), AC-5, AC-6, AU-13,
12, AU-6, AU-9,
AC-6(1), AC-6(2), AC6(5), AC-6(9), ACCM-3(1), CM-5(1), CMAT-1, AT-2, AT-3
6(10), AC-10, AC-11, 5(3), CM-5(4), CM-6(2),
AC-11(1), AC-12, AC- CM-8(4)
CM-1, CM-2, CM-3, CM- 17(9), AC-18(1), AC4, CM-5, CM-6, CM-7, 19, AC-19(5), ACMA-4(3)
CM-8, CM-10, CM-11 20(1), AC-20(2), AC-21
AU-2(3), AU-3(1),
PE-2(3), PE-3(1), PEIA-1, IA-2, IA-2(1), IA-4,CM-2(1), CM-2(3), CM- 6(4)
IA-5, IA-5(1), IA-6, IA- 2(7), CM-3 (2), CM-5,
7, IA-8
CM-6, CM-7(2), CMPS-4(2), PS-6(3)
7(5), CM-8(1), CMMA-1, MA-2, MA-3, MA- 8(3), CM-8(5),
RA-5(4), RA-5(6), RA4, MA-5
IA-5(4), IA-5(6), IA5(10)
MP-1, MP-2, MP-4, MP- 5(7),
5, MP-6,
MA-3(3), MA-5(1)
SC-3, SC-7(8), SC-7(10),
PE-1, PE-2, PE-3, PE-6 MP-5(4)
SC-7(11), SC-7(14), SCPL-1, PL-4
PE-4, PE-5, PE-6(1)
7(15), SC-7(18), SCPS-1, PS-2,PS-3, PS-4, PL-4(1)
7(21), SC-24
PS-5, PS-6, PS-7
RA-5(1), RA-5(2), RARA-1, RA-2, RA-3, RA-55(5)
SI-7(10), SI-10(5)
SC-2, SC-4, SC-7(5),
SC-1, SC-7, SC-8, SC- SC-7(7), SC-8(1), SC12, SC-13, SC-15, SC- 10, SC-18, SC-23, SC28, SC-39
28(1)
SI-3(1), SI-3(2), SI4(4), SI-7, SI-10, SI-16
PM
Controls
Low (info protection)
Moderate (info protection)
High (info protection)
AC-1, AC-2, AC-3, AC-8, AC- AC-2(1), AC-2(2), AC-2(3), AC-2(11), AC-2(13), AC17, AC-18, AC-19, AC-20
AC-2(4), AC-2(5), AC-2(7), 6(3), AC-6(7), AC-6(8),
AC-2(9), AC-2(10), ACAC-18(4), AC-21(2)
AT-1, AT-2, AT-3
2(12), AC-4, AC-4(21), AC5, AC-6, AC-6(1), AC-6(2), AU-13,
AU-1, AU-2, AU-3, AU-6, AU- AC-6(5), AC-6(9), AC9, AU-12
6(10), AC-10, AC-11, AC- CM-3(1), CM-5(1), CM11(1), AC-12, AC-17(9), 5(3), CM-5(4), CM-6(2),
CM-1, CM-2, CM-3, CM-4,
AC-18(1), AC-19, ACCM-8(4)
CM-5, CM-6, CM-7, CM-8,
19(5), AC-20(1), ACCM-10, CM-11
20(2), AC-21
MA-4(3)
AU-2(3), AU-3(1),
IA-1, IA-2, IA-2(1), IA-4, IA-5,
PE-2(3), PE-3(1), PE-6(4)
IA-5(1), IA-6, IA-7, IA-8
CM-2(1), CM-2(3), CM2(7), CM-3 (2), CM-5, CM- PS-4(2), PS-6(3)
MA-1, MA-2, MA-3, MA-4,
6, CM-7(2), CM-7(5), CMMA-5
8(1), CM-8(3), CM-8(5),
RA-5(4), RA-5(6), RA5(10)
MP-1, MP-2, MP-4, MP-5,
IA-5(4), IA-5(6), IA-5(7),
MP-6
MA-3(3), MA-5(1)
SC-3, SC-7(8), SC-7(10),
MP-5(4)
SC-7(11), SC-7(14), SCPE-1, PE-2, PE-3, PE-6
PE-4, PE-5, PE-6(1)
7(15), SC-7(18), SCPL-4(1)
7(21), SC-24
PL-1, PL-4
RA-5(1), RA-5(2), RA-5(5)
SC-2, SC-4, SC-7(5), SC- SI-7(10), SI-10(5)
PS-1, PS-2,PS-3, PS-4, PS-5, 7(7), SC-8(1), SC-10, SCPS-6, PS-7
18, SC-23, SC-28(1)
SI-3(1), SI-3(2), SI-4(4), SIRA-1, RA-2, RA-3, RA-5
7, SI-10, SI-16
SC-1, SC-7, SC-8, SC-12,
SC-13, SC-15, SC-28, SC-39
SI-1, SI-2, SI-3, SI-4, SI-5, SI12
Security and Privacy Controls for Cloud-based Federal Information
Systems (*Cloud Overlay*)
Security and Privacy Controls for Cloud-based Federal Information
Systems (SP 800-174) & CSA’s STAR
SP 500-299
+
FedRAMP
NIST SP 800-53 R4
Overview of NIST’s Current & Future Work
SP 500-299
SP 800-174
SP 800-173
Guide to Applying Risk
Management Framework to
Cloud-based Federal
Information Systemd
Security and Privacy
Controls for Cloud-based
Federal Information
Systems
1.Identify Security Controls
2. Provide Implementation Guidance
3. Provide Assessment Guidance
Security SLA
Security Metrics
Cloud Computing Service
Metrics Description
Security
Intelligence
&
Continuous
Monitoring
Questions?
Thank you !
Additional Information
NIST Cloud Home Page:
http://www.nist.gov/itl/cloud
NIST Cloud Computing Collaborative Twiki:
http://collaborate.nist.gov/twiki-cloud-computing/bin/view/CloudComputing/CloudSecurity
39
Related documents
Slide - People
Slide - People
Jordan University of Science and Technology Abstract: Authors
Jordan University of Science and Technology Abstract: Authors
Cloud Computing - Lutheran Services in America
Cloud Computing - Lutheran Services in America
Abstract
Abstract
Lisa Neal-Graves, Director Technology Insights, Intel
Lisa Neal-Graves, Director Technology Insights, Intel
Cisco Video Strategy - Distributed Computing Industry Association
Cisco Video Strategy - Distributed Computing Industry Association
Document
Document
MSc Internet and Database Systems
MSc Internet and Database Systems
Download
advertisement