May, 2015
NIST
Cloudy with Showers of Business Opportunities
and a Good Chance of Security and Accountability
Dr. Michaela Iorga, Senior Security Technical Lead for Cloud Computing
Co-Chair, Cloud Security WG; Co-Chair, Cloud Forensics Science WG
Not All Clouds are Equal – Can You Tell the Difference?
Security and Privacy Controls for Cloud-based Federal Information Systems
Security & Privacy may mean different things to different people…
[Figure: Navy, Army, Marines, Air Force. Slide courtesy of Bill Murray, AWS, Amazon]
Balancing Cloud Benefits and Risks …
… is not easy but it can be done.
• Reduce Capital Cost
• Improve Business Agility
• Increase Productivity & Collaboration
• Increase Competitiveness
• Lower Staff Cost

• Preserve Security Posture
• Improve Security
• Minimize Business Risk
• Increase Availability
• Preserve Privacy
NIST Risk Management Standards
• Standards for Security Categorization of Federal Information and Information Systems (FIPS 199); Feb 2004
• Guide for Mapping Types of Information and Information Systems to Security Categories (SP 800-60 Rev. 1); Aug 2008
• Minimum Security Requirements for Federal Information and Information Systems (FIPS 200); Mar 2006
• Security Considerations in the System Development Life Cycle (SP 800-64 Rev. 2); Oct 2008
• Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach (SP 800-37, Rev. 1); Feb 2010
• Managing Information Security Risk: Organization, Mission, and Information System View (SP 800-39); Mar 2011
• Guide for Conducting Risk Assessments (SP 800-30 Rev. 1); Sep 2012
• Security and Privacy Controls for Federal Information Systems and Organizations (SP 800-53 Rev. 4); Apr 2013
• Performance Measurement Guide for Information Security (SP 800-55 Rev. 1); Jul 2008
• Contingency Planning Guide for Federal Information Systems (SP 800-34 Rev. 1); May 2010
• Information Security Continuous Monitoring for Federal Information Systems and Organizations (SP 800-137); Sep 2011
• Computer Security Incident Handling Guide (SP 800-61 Rev. 2); Aug 2012
Other Related NIST Special Publications
• DRAFT Systems Security Engineering: An Integrated Approach to Building Trustworthy Resilient Systems (SP 800-160 Draft); May 12, 2014
• DRAFT Supply Chain Risk Management Practices for Federal Information Systems and Organizations SP 800-161 (Second Draft); Jun. 3, 2014
• NIST SP 500-299: NIST Cloud Computing Security Reference Architecture (draft)
• NIST SP 800-173: Guide for Applying the Risk Management Framework to Cloud-based Federal Information Systems; work in progress
• NIST SP 800-174: Security and Privacy Controls for Cloud-based Federal Information Systems; work in progress
New NIST Special Publications (Drafts)
NIST Cloud Computing Security Reference Architecture
(NIST SP 500-299)
DRAFT
NIST Cloud Publications Page: http://www.nist.gov/itl/cloud/publications.cfm
NIST CC Security Reference Architecture - Approach
[Figure: NIST Reference Architecture + TCI Reference Architecture; mapping components to architecture -> NIST Security Reference Architecture (formal model; security components)]
NIST CC Reference Architecture (SP 500-292) with Cross Cutting Concerns shown
[Figure: SP 500-292 conceptual reference model (NIST side)]
Actors: Cloud Consumer, Cloud Provider, Cloud Carrier, Cloud Auditor, Cloud Broker
Cloud Auditor: Security Audit; Privacy Impact Audit; Performance Audit
Cloud Provider – Cloud Orchestration: Service Layer (IaaS, PaaS, SaaS); Resource Abstraction and Control Layer; Physical Resource Layer (Hardware, Facility)
Cloud Provider – Cloud Service Management: Business Support; Provisioning/Configuration; Portability/Interoperability
Cloud Broker: Service Intermediation; Service Aggregation; Service Arbitrage
Cross Cutting Concerns: Security, Privacy, etc.
[Figure: CSA TCI Reference Architecture (CSA side)] https://cloudsecurityalliance.org/wp-content/uploads/2011/11/TCI-Reference-Architecture-1.1.pdf
NIST SWG leverages Cloud Security Alliance’s Enterprise Architecture (before: Trusted Cloud Initiative - Reference Architecture)
[Figure: security components (SCs) mapped onto the reference architecture, per actor. BOSS = Business Operation Support Services, ITOS = Information Technology Operation & Support, S&RM = Security & Risk Management (CSA Enterprise Architecture domains)]
Cloud Provider: Provider’s BOSS SCs; Provider’s ITOS SCs; Provider’s S&RM; Provider’s Infrastructure SCs; Provider’s Physical Security
Cloud Broker: Broker’s BOSS SCs; Broker’s ITOS SCs; S&RM
Cloud Consumer: Consumer’s BOSS SCs; Consumer’s ITOS; Consumer’s S&RM
Cloud Carrier: Carrier’s BOSS SCs; Carrier’s ITOS SCs; Carrier’s S&RM SCs
Organizational Support
ISO/IEC based CC Security Reference Architecture
[Figure: ISO/IEC Reference Architecture + TCI Reference Architecture -> functional capabilities; mapping components to architecture -> ISO/IEC Security Reference Architecture (formal model; security components); RMF2C + methodology]
OUR APPROACH IS MODULAR – YOU CAN SUBSTITUTE COMPONENTS
E.g. ISO/IEC based CC Security Reference Architecture:
[Figure: ISO/IEC Reference Architecture + proprietary set of components/capabilities; mapping components to architecture -> ISO/IEC Security Reference Architecture (formal model; security components); RMF2C + methodology]
YOUR OWN SET OF COMPONENTS
OR USE CSA’s CCM !!
https://research.cloudsecurityalliance.org/tci/
Cloud Security Alliance Trusted Cloud Initiative - Reference Architecture
SP 500-299: Cloud Security Reference Architecture
RMF2C + Methodology
NIST SP 800-173, “Guide for Applying Risk Management Framework to Cloud-based Federal Information Systems”
HELPS SELECT BEST-FITTING CLOUD ARCHITECTURE
Guide for Applying Risk Management Framework to Cloud-based Federal Information Systems
NIST SP 800-173 - work in progress -
Learn how to build trust & how FedRAMP or STAR can help.
NIST: Research – Challenging Security Requirement for the USG Cloud Adoption (whitepaper)
MeriTalk: Why Do We Fear the Clouds?
Searching For an Answer
1. If I like it, it's mine.
2. If it's in my hand, it's mine.
3. If I can take it from you, it's mine.
4. If I had it a little while ago, it is mine.
5. If it's mine, it must never appear to be yours in any way.
6. If I'm doing or building something, all the pieces are mine.
7. If it looks just like mine, it's mine.
8. If I saw it first, it's mine.
9. If you are playing with something and you put it down, it automatically becomes mine.
10. If it is broken, it's yours.
[Figure: USER’s DATA; NO TRUST RELATION -> BUILD TRUST]
Trust & Trustworthiness (NIST SP 800-39*)
① Validated Trust. One organization obtains a body of evidence regarding the actions of another organization and uses that evidence to establish a level of trust with the other organization.
② Direct Historical. The track record exhibited by an organization in the past is used to establish a level of trust with other organizations.
③ Mediated Trust. An organization establishes a level of trust with another organization based on assurances provided by some mutually trusted third party.
④ Mandated Trust. An organization establishes a level of trust with another organization based on a specific mandate issued by a third party in a position of authority.
⑤ Hybrid Trust. An organization uses one of the previously described models in conjunction with another model(s).
“Trust is an important concept related to risk management. How organizations approach trust influences their behaviors and their internal and external trust relationships. […] The reliance on IS services results in the need for trust relationships among organizations”*
*NIST SP 800-39: Managing Information Security Risk; Organization, Mission, and Information System View
Consumer’s Level of Control & SP 800-37 RMF
[Figure: IaaS / PaaS / SaaS stack showing what you manage, with RMF and RMF2C applied per layer. Stack image source: Cloud Security Alliance specification, 2009]
Trustworthiness requires visibility into the Provider’s practices and risk/information security decisions in order to understand its risk tolerance. But the level of trust can vary, and the accepted risk depends on the established trust relation.
Risk Management Framework (SP 800-37 Rev1):
Step 1: Categorize Information System
Step 2: Select Security Controls
Step 3: Implement Security Controls
Step 4: Assess Security Controls
Step 5: Authorize Information System
Step 6: Monitor Security Controls (Repeat process as necessary)
Cloud-adapted Risk Management Framework (SP 800-173, draft):
Step 1: Categorize: System to be migrated
Step 2: Select: Security Requirements, perform a Risk Assessment & select Security Controls
Step 3: Identify: best-fitting Cloud Architecture; Implement Cloud-based solution
Step 4: Assess Service Provider(s) & Controls
Step 5: Authorize Use of Service
Step 6: Monitor Service Provider [on-going, near-real-time] (Repeat process as necessary)
NIST’s Work – Helps Consumer Deal With an Iceberg Architecture
[Figure: iceberg architecture with RMFconsumer and RMFprovider; CRMF (cloud-adapted RMF) and SP 500-299. Stack image source: Cloud Security Alliance specification, 2009]
NIST SP 800-173: Cloud-adapted Risk Management Framework
[Figure: RMF2C applied across the stack, RMFconsumer and RMFprovider. Stack image source: CSA specification, 2009]
Applying Risk Management Framework to Cloud-based Federal Information Systems
A&A or C&A Authorities provide a standardized approach to security assessment or certification and authorization.
SP 800-173: Cloud-adapted Risk Management Framework (NIST SP 800-173) – DRAFT UNDER DEVELOPMENT
[Figure: IaaS / PaaS / SaaS stack showing what you manage; CRMF]
1. Follows NIST RMF (SP 800-37 Rev1) structure
2. Discusses the impact of cloud computing architecture (deployment model & service type), and cloud characteristics (multi-tenancy, resource-pooling, elasticity, etc.) on “Information System Boundary”.
3. Discusses the notion of TRUST in a cloud ecosystem, and introduces the notion of TRUST BOUNDARY
4. Introduces the “Security Conservation Principle” & “Privacy Conservation Principle”
[Figure: nested boundaries – User-Data Boundary, SaaS Boundary, PaaS Boundary, IaaS Boundary, Cloud Deployment Boundary, Ecosystem Orchestration Boundary]
Step 1: Categorize Federal Information System
Step 2: Select: Security Requirements, perform a Risk Assessment & select Security Controls deemed necessary.
Step 3: Identify best-fitting Cloud Architecture & Implement cloud-based solution
Cloud-adapted Risk Management Framework – cont.
Step 4: Assess Service Provider(s) & Broker (if applicable): leverage FedRAMP P-ATOs or Agency-ATOs, or assess the controls; build the necessary TRUST that the residual risk is acceptable
Step 5: Authorize Use of Service: negotiate SLAs & Security SLA
Step 6: Monitor Service Provider(s) (on-going, near-real-time); Repeat process as necessary
Security and Privacy Controls for Cloud-based Federal Information Systems
NIST SP 800-174 - work in progress -
Controls’ Allocation Matters…
[Figure: IaaS / PaaS / SaaS stack showing what you manage; Provider’s implemented baseline vs. Consumer’s additional needs. Stack image source: Cloud Security Alliance specification, 2009]
Clouds are not identical … even when implementing same baseline controls
[Figure: A&A baseline across IaaS / PaaS / SaaS. Stack image source: Cloud Security Alliance specification, 2009]
A&A or C&A Authorities provide a standardized approach to security assessment or certification and authorization.
Security and Privacy Controls for Cloud-based Federal Information Systems (*Cloud Overlay*)
NOW: Identifying SP 800-53 Security and Privacy Controls for Cloud Capabilities
Reviewed controls by baseline (Low / Moderate / High), for capability implementation and for information protection; PM Controls are listed separately.

PM Controls

Capability implementation – Low:
AC-1, AC-2, AC-3, AC-8, AC-17, AC-18, AC-19, AC-20
AT-1, AT-2, AT-3
AU-1, AU-2, AU-3, AU-6, AU-9, AU-12
CM-1, CM-2, CM-3, CM-4, CM-5, CM-6, CM-7, CM-8, CM-10, CM-11
IA-1, IA-2, IA-2(1), IA-4, IA-5, IA-5(1), IA-6, IA-7, IA-8
MA-1, MA-2, MA-3, MA-4, MA-5
MP-1, MP-2, MP-4, MP-5, MP-6
PE-1, PE-2, PE-3, PE-6
PL-1, PL-4
PS-1, PS-2, PS-3, PS-4, PS-5, PS-6, PS-7
RA-1, RA-2, RA-3, RA-5
SC-1, SC-7, SC-8, SC-12, SC-13, SC-15, SC-28, SC-39

Capability implementation – Moderate:
AC-2(1), AC-2(2), AC-2(3), AC-2(4), AC-2(5), AC-2(7), AC-2(9), AC-2(10), AC-2(12), AC-4, AC-4(21), AC-5, AC-6, AC-6(1), AC-6(2), AC-6(5), AC-6(9), AC-6(10), AC-10, AC-11, AC-11(1), AC-12, AC-17(9), AC-18(1), AC-19, AC-19(5), AC-20(1), AC-20(2), AC-21
AU-2(3), AU-3(1)
CM-2(1), CM-2(3), CM-2(7), CM-3(2), CM-5, CM-6, CM-7(2), CM-7(5), CM-8(1), CM-8(3), CM-8(5)
IA-5(4), IA-5(6), IA-5(7)
MA-3(3), MA-5(1)
MP-5(4)
PE-4, PE-5, PE-6(1)
PL-4(1)
RA-5(1), RA-5(2), RA-5(5)
SC-2, SC-4, SC-7(5), SC-7(7), SC-8(1), SC-10, SC-18, SC-23, SC-28(1)
SI-3(1), SI-3(2), SI-4(4), SI-7, SI-10, SI-16

Capability implementation – High:
AC-2(11), AC-2(13), AC-6(3), AC-6(7), AC-6(8), AC-18(4), AC-21(2)
AU-13
CM-3(1), CM-5(1), CM-5(3), CM-5(4), CM-6(2), CM-8(4)
MA-4(3)
PE-2(3), PE-3(1), PE-6(4)
PS-4(2), PS-6(3)
RA-5(4), RA-5(6), RA-5(10)
SC-3, SC-7(8), SC-7(10), SC-7(11), SC-7(14), SC-7(15), SC-7(18), SC-7(21), SC-24
SI-7(10), SI-10(5)

Information protection – Low:
AC-1, AC-2, AC-3, AC-8, AC-17, AC-18, AC-19, AC-20
AT-1, AT-2, AT-3
AU-1, AU-2, AU-3, AU-6, AU-9, AU-12
CM-1, CM-2, CM-3, CM-4, CM-5, CM-6, CM-7, CM-8, CM-10, CM-11
IA-1, IA-2, IA-2(1), IA-4, IA-5, IA-5(1), IA-6, IA-7, IA-8
MA-1, MA-2, MA-3, MA-4, MA-5
MP-1, MP-2, MP-4, MP-5, MP-6
PE-1, PE-2, PE-3, PE-6
PL-1, PL-4
PS-1, PS-2, PS-3, PS-4, PS-5, PS-6, PS-7
RA-1, RA-2, RA-3, RA-5
SC-1, SC-7, SC-8, SC-12, SC-13, SC-15, SC-28, SC-39
SI-1, SI-2, SI-3, SI-4, SI-5, SI-12

Information protection – Moderate:
AC-2(1), AC-2(2), AC-2(3), AC-2(4), AC-2(5), AC-2(7), AC-2(9), AC-2(10), AC-2(12), AC-4, AC-4(21), AC-5, AC-6, AC-6(1), AC-6(2), AC-6(5), AC-6(9), AC-6(10), AC-10, AC-11, AC-11(1), AC-12, AC-17(9), AC-18(1), AC-19, AC-19(5), AC-20(1), AC-20(2), AC-21
AU-2(3), AU-3(1)
CM-2(1), CM-2(3), CM-2(7), CM-3(2), CM-5, CM-6, CM-7(2), CM-7(5), CM-8(1), CM-8(3), CM-8(5)
IA-5(4), IA-5(6), IA-5(7)
MA-3(3), MA-5(1)
MP-5(4)
PE-4, PE-5, PE-6(1)
PL-4(1)
RA-5(1), RA-5(2), RA-5(5)
SC-2, SC-4, SC-7(5), SC-7(7), SC-8(1), SC-10, SC-18, SC-23, SC-28(1)
SI-3(1), SI-3(2), SI-4(4), SI-7, SI-10, SI-16

Information protection – High:
AC-2(11), AC-2(13), AC-6(3), AC-6(7), AC-6(8), AC-18(4), AC-21(2)
AU-13
CM-3(1), CM-5(1), CM-5(3), CM-5(4), CM-6(2), CM-8(4)
MA-4(3)
PE-2(3), PE-3(1), PE-6(4)
PS-4(2), PS-6(3)
RA-5(4), RA-5(6), RA-5(10)
SC-3, SC-7(8), SC-7(10), SC-7(11), SC-7(14), SC-7(15), SC-7(18), SC-7(21), SC-24
SI-7(10), SI-10(5)
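The allocation question raised above (the provider's implemented baseline versus the consumer's additional needs, and why two clouds implementing the same baseline still leave the consumer with different work) can be made concrete as a small gap analysis over SP 800-53 control identifiers. The following is an added example, not code from the presentation, from NIST or from any provider's package: the control identifiers are a subset of those in the overlay table, the two provider allocations are constructed sample data, and the function and variable names (baseline, allocate, consumer_workload, PROVIDER_A, PROVIDER_B) are this example's own. It relies on the fact that SP 800-53 baselines are cumulative, so the Moderate and High columns are read as additions to the lower baseline.

```python
"""Shared-responsibility gap analysis for a cloud-based federal system.

Given the consumer's FIPS 199 impact level and a provider's control allocation
(as a FedRAMP package or customer responsibility matrix would state it), work
out which SP 800-53 Rev. 4 controls the consumer inherits, shares, or must
implement or assess itself.

Control identifiers: a SUBSET copied from the slide's cloud-overlay table.
Provider allocations: CONSTRUCTED sample data, not any real provider's package.
"""
import re

# Controls per baseline. MODERATE_EXTRA and HIGH_EXTRA are the controls and
# enhancements added on top of the lower baseline; SP 800-53 baselines are
# cumulative, so a High system needs all three sets. (Subset only.)
LOW = {"AC-1", "AC-2", "AC-3", "AC-17", "AU-2", "AU-6", "CM-6", "IA-2",
       "IA-2(1)", "SC-7", "SC-8", "SC-28", "SI-4"}
MODERATE_EXTRA = {"AC-2(1)", "AC-2(4)", "AC-6", "AU-3(1)", "CM-7(5)", "SC-7(5)",
                  "SC-8(1)", "SC-28(1)", "SI-4(4)"}
HIGH_EXTRA = {"AC-2(11)", "AC-6(3)", "AU-13", "CM-5(1)", "SC-7(8)", "SC-24"}

LEVELS = ("low", "moderate", "high")
_CTRL = re.compile(r"^([A-Z]{2})-(\d+)(?:\((\d+)\))?$")


def parse_control(cid):
    """Split 'AC-2(12)' into ('AC', 2, 12); enhancement is None for a base control."""
    m = _CTRL.match(cid)
    if not m:
        raise ValueError(f"not an SP 800-53 style identifier: {cid!r}")
    family, number, enhancement = m.groups()
    return family, int(number), (int(enhancement) if enhancement else None)


def control_key(cid):
    """Sort key that orders AC-2 before AC-2(1) before AC-10."""
    family, number, enhancement = parse_control(cid)
    return family, number, enhancement or 0


def baseline(impact):
    """Cumulative set of controls required at a FIPS 199 impact level."""
    impact = impact.lower()
    if impact not in LEVELS:
        raise ValueError(f"impact must be one of {LEVELS}")
    required = set(LOW)
    if impact != "low":
        required |= MODERATE_EXTRA
    if impact == "high":
        required |= HIGH_EXTRA
    return required


def allocate(impact, provider_allocation):
    """Partition the consumer's required baseline against the provider's allocation.

    provider_allocation maps control id -> 'provider' | 'shared' | 'consumer'.
    A required control the provider's package does not mention at all is a
    'gap': there is no inherited evidence for it, so the consumer must assess
    it or compensate for it before authorizing use of the service (RMF2C step 4).
    """
    buckets = {"inherited": set(), "shared": set(), "consumer": set(), "gap": set()}
    for cid in baseline(impact):
        status = provider_allocation.get(cid)
        if status is None:
            buckets["gap"].add(cid)
        elif status == "provider":
            buckets["inherited"].add(cid)
        elif status in ("shared", "consumer"):
            buckets[status].add(cid)
        else:
            raise ValueError(f"{cid}: unknown allocation {status!r}")
    return buckets


def consumer_workload(impact, provider_allocation):
    """Everything the consumer still owns: shared, consumer-only and gaps, sorted."""
    b = allocate(impact, provider_allocation)
    return sorted(b["shared"] | b["consumer"] | b["gap"], key=control_key)


def _moderate_package(overrides):
    """Constructed helper: a provider claiming the full Moderate baseline."""
    alloc = {cid: "provider" for cid in baseline("moderate")}
    alloc.update(overrides)
    return alloc


# Two hypothetical providers, both "Moderate baseline", allocated differently.
PROVIDER_A = _moderate_package({"AC-2": "shared", "AC-2(1)": "shared",
                                "AC-2(4)": "shared", "SC-28": "consumer",
                                "SC-28(1)": "consumer"})
PROVIDER_B = _moderate_package({"AC-6": "consumer", "SI-4(4)": "shared"})
del PROVIDER_B["SC-28(1)"]  # B's package is silent on this enhancement: a gap


if __name__ == "__main__":
    for name, pkg in (("Provider A", PROVIDER_A), ("Provider B", PROVIDER_B)):
        print(f"{name}, Moderate system, consumer owns: {consumer_workload('moderate', pkg)}")
    print("Provider A, High system, gaps:",
          sorted(allocate("high", PROVIDER_A)["gap"], key=control_key))
```

Both constructed providers attest to the same Moderate baseline, yet the consumer's remaining work differs: with Provider A it is the shared account-management controls and the data-at-rest protection the provider pushes to the tenant, with Provider B it is a different set plus an enhancement the package never addresses. Running the same consumer against a High categorization shows every High-only control as a gap, which is the "provider's implemented baseline vs. consumer's additional needs" picture the slide draws.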
Security and Privacy Controls for Cloud-based Federal Information Systems (SP 800-174) & CSA’s STAR
[Figure: NIST SP 800-53 R4 -> FedRAMP+; SP 500-299; SP 800-173; SP 800-174; Audit Planning]
Overview of NIST’s Current & Future Work
• SP 500-299: NIST Cloud Computing Security Reference Architecture
• SP 800-173: Guide to Applying Risk Management Framework to Cloud-based Federal Information Systems
• SP 800-174: Security and Privacy Controls for Cloud-based Federal Information Systems
  1. Identify Security Controls
  2. Provide Implementation Guidance
  3. Provide Assessment Guidance
• Security SLA
• Security Metrics
• Security Intelligence & Continuous Monitoring
• Cloud Computing Service Metrics Description
Additional Information
NIST Cloud Computing Collaborative Twiki: http://collaborate.nist.gov/twiki-cloud-computing/bin/view/CloudComputing/CloudSecurity
NIST Cloud Home Page: http://www.nist.gov/itl/cloud
Questions?
Thank you!