NIST Cloud Computing
Security Working Group
Dr. Michaela Iorga, NIST, Computer Security Division
NIST Senior Cloud Computing Technical Lead,
Chair, NIST Cloud Computing Public Security Working Group
Co-Chair, NIST Cloud Computing Public Forensic Science Working Group
NIST Cloud Computing Security Reference Architecture
NIST Enterprise-Wide Data-Centric Computing
Environment
February, 2013
2
NIST MISSION: To promote U.S. innovation and industrial competitiveness by advancing measurement science, standards, and technology in ways that enhance economic security and improve our quality of life
*Standards Acceleration to Jumpstart the Adoption of Cloud Computing (SAJACC) in transition to private sector
Deliverables:
1. “Challenging Security Requirements for the US Government Cloud Computing
Adoption” – white paper released November, 2012
- available on NIST CC twiki: http://collaborate.nist.gov/twiki-cloud-
computing/bin/view/CloudComputing/CloudSecurity
2. “NIST Cloud Computing Security Reference Architecture” – work in progress
- a three-dimensional approach that considers: • the RA’s actors : (Consumer, Provider, Broker, Auditor, Carrier) • the cloud computing service models (IaaS, PaaS, SaaS) • the cloud mode of deployment (Public, Private, Community, Hybrid)
- outcome: a framework that provides:
• an architectural formal model;
• a methodology for addressing security requirements.
NIST Cloud Computing Security Working Group
NIST CC Security Reference Architecture - Approach -
+
Mapping
components to
architecture
NIST Reference Architecture TCI Reference Architecture
NIST Security Reference Architecture – formal model NIST Security Reference Architecture – security components
NIST CC Reference Architecture (SP 500-292)
NIST CC Security Reference Architecture
NIST CC Security Reference
Architecture – formal model
NIST CC Security Reference
Architecture
- NCC SWG leverages on Cloud Security Alliance’s Trusted Cloud Initiative - Reference Architecture
https://cloudsecurityalliance.org/wp-content/uploads/2011/11/TCI-Reference-Architecture-1.1.pdf
NIST Security Reference Architecture – Data Aggregation -
Organizational Support
Provider’s BOSS SCs Broker’s BOSS SCs
Provider’s ITOS SCs Broker’s ITOS SCs
Provider’s ITOS SCs Broker’s ITOS SCs
Provider’s Infrastrct SCs
Provider’s Physical Sec
Consumer’s BOSS SCs
Consumer’s S&RM
Consumer’s ITOS
S&RM
S&RM Provider’s S&RM
Provider’s S&RM
Provider’s S&RM
Carrier’s BOSS SCs Carrier’s ITOS SCs Carrier’s S&RM SCs
NIST CC Security Reference Architecture – Ecosystem Orchestration
– Use Case Example -
Use Case: USG Agency plans the migration of their Unified
Messaging System (UMS) to the cloud.
Ecosystem Orchestration example presents:
1. UMS description
2. Cloud solution analysis
• Identifies the security components
• Applies a Security Index System to security
components for CIA security triad
• Determines the Aggregated Security Index – a
global value used to prioritize the security
components’ implementation.
• Highlights the importance of properly applying the
Risk Management Framework
3. Defines a high-level architecture
• Public SaaS –Technical Broker + Provider with
ATOs
4. SA and SLA negotiation
NIST Enterprise-Wide Data-Centric
Computing Environment
http://csrc.nist.gov/pm/
1. A CSD Project (not part of the Cloud Computing Program).
2. Leverages the NIST research on Access Control mechanisms (the Policy Machines Project).
3. Developed as a proof of concept of a cloud computing secure environment.
Cloud Provider:
Infrastructure as a Service
Cloud Consumer:
“Enterprise-Wide Data-Centric
Computing Environment” = Controlled
Delivery of Data Service through AC
DS=capability(Objects, Operations)
Operations = read, manipulate,
perform computations on,
manage, and/or share
NIST Enterprise-Wide Data-Centric
Computing Environment
http://csrc.nist.gov/pm/
1. Replaces multiple operating environments, each delivering
different DSs with a single operating environment delivering
all DSs
2. Creates a data centric view - users can see and consume all
their authorized data (regardless of its kind) under a single
authenticated session.
3. Data interoperability among DSs.
4. Comprehensive policy enforcement across DSs.
5. Eliminates or reduces vulnerabilities due to AC in DSs.
6. The OE is object-type agnostic and the objects (data) of DSs
naturally interoperate.
Benefits
NIST Enterprise-Wide Data-Centric
Computing Environment
http://csrc.nist.gov/pm/
IaaS is an OE that implements the Policy Machine and composed of its functional components (i.e., PEPs, PDPs) that run in VMs.
Users and objects are provisioned, and DSs are selected by the subscriber.
DSs may be provided as SaaS or PaaS so long as they conform to the Policy Enforcement Point (PEP) API.
Policies are imported from a library of predefined PM data and relation configurations or configured from scratch, by the subscriber – POLICYaaS.
Benefits
NIST Enterprise-Wide Data-Centric
Computing Environment
http://csrc.nist.gov/pm/
Commercial Applications
SaaS Cloud Provider
may offer:
“Enterprise-Wide
Data-Centric Computing
Environments” to their
Consumers.
Available as open source this spring. What can a SaaS Cloud Provider do?
Collaboration Opportunities
Available as open source this spring.
NIST will maintain the source.
Collaboration on enhancing and maintaining the source is welcomed.
Contact Information
Thank you !
NIST EWDCCE
David Ferraiolo, NIST
301-975-3046
NIST CC SRA
Dr. Michaela Iorga, NIST
301-975-8431
For questions on For questions on
For information on Collaboration and/or Technology transfer: Jack E. Pevenstein, NIST
Technology Transfer Advisor
Technology Partnership Office
301-975-5519