NIST Cloud Computing Security Working Group NIST Cloud Computing Security Reference Architecture NIST Enterprise-Wide Data-Centric Computing Environment February, 2013 Dr. Michaela Iorga, NIST, Computer Security Division NIST Senior Cloud Computing Technical Lead, Chair, NIST Cloud Computing Public Security Working Group Co-Chair, NIST Cloud Computing Public Forensic Science Working Group
NIST MISSION: To promote U.S. innovation and industrial competitiveness by advancing measurement science, standards, and technology in ways that enhance economic security and improve our quality of life *Standards Acceleration to Jumpstart the Adoption of Cloud Computing (SAJACC) in transition to private sector 2
Deliverables: NIST Cloud Computing Security Working Group 1. Challenging Security Requirements for the US Government Cloud Computing Adoption white paper released November, 2012 - available on NIST CC twiki: http://collaborate.nist.gov/twiki-cloudcomputing/bin/view/cloudcomputing/cloudsecurity 2. NIST Cloud Computing Security Reference Architecture work in progress - a three-dimensional approach that considers: the RA s actors : (Consumer, Provider, Broker, Auditor, Carrier) the cloud computing service models (IaaS, PaaS, SaaS) the cloud mode of deployment (Public, Private, Community, Hybrid) - outcome: a framework that provides: an architectural formal model; a methodology for addressing security requirements.
NIST CC Security Reference Architecture - Approach - NIST Security Reference Architecture formal model NIST Security Reference Architecture security components Mapping components to architecture + NIST Reference Architecture TCI Reference Architecture
NIST CC Reference Architecture (SP 500-292)
NIST CC Security Reference Architecture
NIST CC Security Reference Architecture formal model
NIST CC Security Reference Architecture - NCC SWG leverages on Cloud Security Alliance s Trusted Cloud Initiative - Reference Architecture https://cloudsecurityalliance.org/wp-content/uploads/2011/11/tci-reference-architecture-1.1.pdf
NIST Security Reference Architecture Data Aggregation -
Consumer s ITOS S&RM S&RM Consumer s S&RM Provider s S&RM Provider s S&RM Provider s S&RM Consumer s BOSS SCs Organizational Support Provider s Infrastrct SCs Provider s Physical Sec Provider s ITOS SCs Provider s ITOS SCs Provider s BOSS SCs Broker s ITOS SCs Broker s ITOS SCs Broker s BOSS SCs Carrier s S&RM SCs Carrier s ITOS SCs Carrier s BOSS SCs
NIST CC Security Reference Architecture Ecosystem Orchestration Use Case Example - Use Case: USG Agency plans the migration of their Unified Messaging System (UMS) to the cloud. Ecosystem Orchestration example presents: 1. UMS description 2. Cloud solution analysis Identifies the security components Applies a Security Index System to security components for CIA security triad Determines the Aggregated Security Index a global value used to prioritize the security components implementation. Highlights the importance of properly applying the Risk Management Framework 3. Defines a high-level architecture Public SaaS Technical Broker + Provider with ATOs 4. SA and SLA negotiation
NIST Enterprise-Wide Data-Centric Computing Environment http://csrc.nist.gov/pm/ 1. A CSD Project (not part of the Cloud Computing Program). 2. Leverages the NIST research on Access Control mechanisms (the Policy Machines Project). 3. Developed as a proof of concept of a cloud computing secure environment.
NIST Enterprise-Wide Data-Centric Computing Environment http://csrc.nist.gov/pm/ Cloud Consumer: Enterprise-Wide Data-Centric Computing Environment = Controlled Delivery of Data Service through AC DS=capability(Objects, Operations) Operations = read, manipulate, perform computations on, manage, and/or share Cloud Provider: Infrastructure as a Service
NIST Enterprise-Wide Data-Centric Computing Environment http://csrc.nist.gov/pm/ Benefits 1. Replaces multiple operating environments, each delivering different DSs with a single operating environment delivering all DSs 2. Creates a data centric view - users can see and consume all their authorized data (regardless of its kind) under a single authenticated session. 3. Data interoperability among DSs. 4. Comprehensive policy enforcement across DSs. 5. Eliminates or reduces vulnerabilities due to AC in DSs. 6. The OE is object-type agnostic and the objects (data) of DSs naturally interoperate.
NIST Enterprise-Wide Data-Centric Computing Environment http://csrc.nist.gov/pm/ Benefits IaaS is an OE that implements the Policy Machine and composed of its functional components (i.e., PEPs, PDPs) that run in VMs. Users and objects are provisioned, and DSs are selected by the subscriber. DSs may be provided as SaaS or PaaS so long as they conform to the Policy Enforcement Point (PEP) API. Policies are imported from a library of predefined PM data and relation configurations or configured from scratch, by the subscriber POLICYaaS.
Commercial Applications Available as open source this spring. What can a SaaS Cloud Provider do? SaaS Cloud Provider may offer: Enterprise-Wide Data-Centric Computing Environments to their Consumers.
Collaboration Opportunities Available as open source this spring. NIST will maintain the source. Collaboration on enhancing and maintaining the source is welcomed.
Contact Information For questions on NIST CC SRA Dr. Michaela Iorga, NIST michaela.iorga@nist.gov 301-975-8431 For questions on NIST EWDCCE David Ferraiolo, NIST david.ferraiolo@nist.gov 301-975-3046 For information on Collaboration and/or Technology transfer: Jack E. Pevenstein, NIST Technology Transfer Advisor Technology Partnership Office 301-975-5519 Jack.pevenstein@nist.gov Thank you!