
Page 1 (source PDF: tedco.md/wp-content/uploads/2013/02/2-Michaela_Iorga-CC-SRA.pdf)

NIST Cloud Computing Security Working Group

Dr. Michaela Iorga, NIST, Computer Security Division
NIST Senior Cloud Computing Technical Lead
Chair, NIST Cloud Computing Public Security Working Group
Co-Chair, NIST Cloud Computing Public Forensic Science Working Group

NIST Cloud Computing Security Reference Architecture
NIST Enterprise-Wide Data-Centric Computing Environment

February, 2013

Page 2

NIST MISSION: To promote U.S. innovation and industrial competitiveness by advancing measurement science, standards, and technology in ways that enhance economic security and improve our quality of life

*Standards Acceleration to Jumpstart the Adoption of Cloud Computing (SAJACC) in transition to private sector

Page 3

NIST Cloud Computing Security Working Group

Deliverables:

1. “Challenging Security Requirements for the US Government Cloud Computing Adoption” – white paper released November, 2012
   - available on the NIST CC twiki: http://collaborate.nist.gov/twiki-cloud-computing/bin/view/CloudComputing/CloudSecurity

2. “NIST Cloud Computing Security Reference Architecture” – work in progress
   - a three-dimensional approach that considers:
     • the RA’s actors (Consumer, Provider, Broker, Auditor, Carrier)
     • the cloud computing service models (IaaS, PaaS, SaaS)
     • the cloud modes of deployment (Public, Private, Community, Hybrid)
   - outcome: a framework that provides:
     • an architectural formal model;
     • a methodology for addressing security requirements.

Page 4

NIST CC Security Reference Architecture – Approach

(diagram) NIST Reference Architecture + TCI Reference Architecture, mapping components to architecture, yields:
• NIST Security Reference Architecture – formal model
• NIST Security Reference Architecture – security components

Page 5

NIST CC Reference Architecture (SP 500-292)

Page 6

NIST CC Security Reference Architecture

Page 7

NIST CC Security Reference Architecture – formal model

Page 8

NIST CC Security Reference Architecture

- The NCC SWG leverages the Cloud Security Alliance’s Trusted Cloud Initiative (TCI) Reference Architecture:
  https://cloudsecurityalliance.org/wp-content/uploads/2011/11/TCI-Reference-Architecture-1.1.pdf

Page 9

NIST Security Reference Architecture – Data Aggregation

Page 10

Organizational Support

(diagram: aggregation of security components (SCs) per actor, using the TCI Reference Architecture domains BOSS = Business Operation Support Services, ITOS = Information Technology Operation & Support, S&RM = Security & Risk Management)

Consumer: BOSS SCs; ITOS SCs; S&RM SCs
Provider: BOSS SCs; ITOS SCs; S&RM SCs; Infrastructure SCs; Physical Security
Broker: BOSS SCs; ITOS SCs; S&RM SCs
Carrier: BOSS SCs; ITOS SCs; S&RM SCs

Page 11

NIST CC Security Reference Architecture – Ecosystem Orchestration – Use Case Example

Use Case: a USG Agency plans the migration of its Unified Messaging System (UMS) to the cloud.

The Ecosystem Orchestration example presents:

1. UMS description
2. Cloud solution analysis
   • Identifies the security components
   • Applies a Security Index System to the security components for the CIA security triad
   • Determines the Aggregated Security Index – a global value used to prioritize the security components’ implementation
   • Highlights the importance of properly applying the Risk Management Framework
3. Defines a high-level architecture
   • Public SaaS – Technical Broker + Provider with ATOs
4. SA and SLA negotiation
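A worked version of the scoring step in item 2, added here as an illustration and not taken from the slides or from the SRA document: each security component receives an index per CIA property, the indexes are aggregated into one global value, and the components are ranked for implementation. The Low/Moderate/High scale (1/2/3), the weighting of each property by the system's own FIPS 199-style categorization, and the UMS component list are all assumptions of this example.

```python
"""Aggregated Security Index (ASI) for the security components of a cloud solution.

Added example, not from the NIST slides or SRA text. The scale (Low/Moderate/
High = 1/2/3 per CIA property, weighted by the system's own FIPS 199-style
impact level) is an assumed scheme; the slides say only that a Security Index
is applied to each security component for the CIA triad and aggregated into
one global value used to prioritize implementation. Component names are
constructed for the UMS migration use case.
"""
from dataclasses import dataclass

IMPACT = {"low": 1, "moderate": 2, "high": 3}
PROPERTIES = ("confidentiality", "integrity", "availability")


@dataclass(frozen=True)
class SecurityComponent:
    name: str
    actor: str              # Consumer, Provider, Broker, Carrier or Auditor
    confidentiality: str    # impact level of this component on C
    integrity: str          # impact level on I
    availability: str       # impact level on A


def _level(value):
    """Map an impact label to its numeric index; reject anything off the scale."""
    try:
        return IMPACT[value.lower()]
    except (KeyError, AttributeError):
        raise ValueError(f"impact level must be one of {sorted(IMPACT)}, got {value!r}") from None


def weights_from_categorization(system_c, system_i, system_a):
    """Weight each CIA property by the system's own categorization (assumed scheme)."""
    return dict(zip(PROPERTIES, (_level(system_c), _level(system_i), _level(system_a))))


def component_index(sc, weights):
    """Security Index of one component: weighted sum over the CIA triad."""
    return sum(weights[p] * _level(getattr(sc, p)) for p in PROPERTIES)


def aggregated_security_index(components, weights):
    """Global value: raw sum of component indexes, plus the same value normalized to [0, 1]."""
    raw = sum(component_index(sc, weights) for sc in components)
    per_component_max = sum(weights[p] * max(IMPACT.values()) for p in PROPERTIES)
    maximum = per_component_max * len(components)
    return raw, (raw / maximum if maximum else 0.0)


def prioritize(components, weights):
    """Implementation order: highest component index first, name breaks ties."""
    return sorted(components, key=lambda sc: (-component_index(sc, weights), sc.name))


# Constructed sample: UMS categorized C = Moderate, I = Moderate, A = High.
UMS_WEIGHTS = weights_from_categorization("moderate", "moderate", "high")
UMS_COMPONENTS = [
    SecurityComponent("Identity and access management", "Broker", "high", "high", "moderate"),
    SecurityComponent("Message store encryption", "Provider", "high", "moderate", "low"),
    SecurityComponent("Mail relay redundancy", "Provider", "low", "low", "high"),
    SecurityComponent("Audit logging", "Provider", "low", "high", "low"),
    SecurityComponent("Transport encryption", "Carrier", "high", "high", "low"),
]

if __name__ == "__main__":
    raw, norm = aggregated_security_index(UMS_COMPONENTS, UMS_WEIGHTS)
    print(f"Aggregated Security Index: {raw} ({norm:.2f} of maximum)")
    for sc in prioritize(UMS_COMPONENTS, UMS_WEIGHTS):
        print(f"{component_index(sc, UMS_WEIGHTS):3d}  {sc.actor:<9} {sc.name}")
```

The normalized value is what makes the index useful as a "global value": it lets two candidate solutions with different numbers of components be compared, while the raw ranking drives the order in which the components are implemented and then assessed under the Risk Management Framework.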

Page 12

NIST Enterprise-Wide Data-Centric Computing Environment

http://csrc.nist.gov/pm/

1. A CSD project (not part of the Cloud Computing Program).
2. Leverages NIST research on access control mechanisms (the Policy Machine project).
3. Developed as a proof of concept of a secure cloud computing environment.

Page 13

NIST Enterprise-Wide Data-Centric Computing Environment
http://csrc.nist.gov/pm/

Cloud Provider: Infrastructure as a Service

Cloud Consumer: “Enterprise-Wide Data-Centric Computing Environment” = controlled delivery of Data Services (DSs) through access control (AC)

  DS = capability(Objects, Operations)
  Operations = read, manipulate, perform computations on, manage, and/or share

Page 14

NIST Enterprise-Wide Data-Centric Computing Environment
http://csrc.nist.gov/pm/

Benefits

1. Replaces multiple operating environments, each delivering different DSs, with a single operating environment delivering all DSs.
2. Creates a data-centric view: users can see and consume all their authorized data (regardless of its kind) under a single authenticated session.
3. Data interoperability among DSs.
4. Comprehensive policy enforcement across DSs.
5. Eliminates or reduces vulnerabilities due to AC in DSs.
6. The OE is object-type agnostic and the objects (data) of DSs naturally interoperate.

Page 15

NIST Enterprise-Wide Data-Centric Computing Environment
http://csrc.nist.gov/pm/

Benefits

IaaS is an operating environment (OE) that implements the Policy Machine and is composed of its functional components (i.e., PEPs, PDPs) that run in VMs.

Users and objects are provisioned, and DSs are selected, by the subscriber.

DSs may be provided as SaaS or PaaS so long as they conform to the Policy Enforcement Point (PEP) API.

Policies are imported from a library of predefined PM data and relation configurations, or configured from scratch by the subscriber – POLICYaaS.
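The relation DS = capability(Objects, Operations) on page 13 and the PEP/PDP arrangement on page 15 can be made concrete with a small Policy Machine-style model. The following is an added example, not NIST's Policy Machine code (the open-source release announced on page 16): it follows the Policy Machine's attribute-graph structure (users and objects assigned to attributes, associations granting operation sets) and puts every DS behind one PEP, so the policy enforced on a record in one service also governs a message carrying the same data in another. All user, attribute, object and service names are constructed for the illustration.

```python
"""Policy-Machine-style controlled delivery of Data Services (DSs).

Added example; not NIST's Policy Machine reference code. It models the
structure the EWDCCE slides rely on: users and objects are assigned to
attributes, attributes form a containment graph, and an association
(user attribute, operation set, object attribute) derives the capability
DS = capability(Objects, Operations). One PEP fronts every DS, so a single
policy is enforced uniformly across services. Every name below is constructed.
"""
from collections import defaultdict, deque


class PolicyMachine:
    """Policy decision point: holds assignments and associations, answers decide()."""

    def __init__(self):
        self._parents = defaultdict(set)   # node -> attributes it is assigned to
        self._associations = []            # (user attribute, frozenset(ops), object attribute)

    def assign(self, child, parent):
        self._parents[child].add(parent)

    def associate(self, user_attr, ops, object_attr):
        """Grant users contained in user_attr the ops on objects contained in object_attr."""
        self._associations.append((user_attr, frozenset(ops), object_attr))

    def containers(self, node):
        """Every attribute reachable upward from node (transitive closure of assignment)."""
        seen, queue = set(), deque([node])
        while queue:
            for parent in self._parents.get(queue.popleft(), ()):
                if parent not in seen:
                    seen.add(parent)
                    queue.append(parent)
        return seen

    def permitted_ops(self, user, obj):
        """Capability derivation: union of ops over all matching associations."""
        user_attrs = self.containers(user)
        obj_attrs = self.containers(obj) | {obj}
        ops = set()
        for user_attr, assoc_ops, object_attr in self._associations:
            if user_attr in user_attrs and object_attr in obj_attrs:
                ops |= assoc_ops
        return ops

    def decide(self, user, op, obj):
        return op in self.permitted_ops(user, obj)


class DataServicePEP:
    """Single policy enforcement point in front of every registered DS."""

    def __init__(self, pm):
        self.pm = pm
        self.services = {}   # service name -> {object id: content}

    def register(self, service, objects):
        self.services[service] = dict(objects)

    def invoke(self, user, op, service, obj, *args):
        if obj not in self.services.get(service, {}):
            raise KeyError(f"{obj!r} is not an object of DS {service!r}")
        if not self.pm.decide(user, op, obj):
            raise PermissionError(f"{user} may not {op} {obj}")
        if op == "read":
            return self.services[service][obj]
        if op == "manipulate":
            self.services[service][obj] = args[0]
            return args[0]
        if op == "share":
            # Sharing is itself a policy change: the object joins another object attribute.
            self.pm.assign(obj, args[0])
            return args[0]
        raise ValueError(f"unsupported operation {op!r}")


def build_demo():
    """Constructed policy: records and messaging DSs governed by one object attribute."""
    pm = PolicyMachine()
    pm.assign("alice", "Doctors")
    pm.assign("bob", "Billing")
    pm.assign("Doctors", "Staff")
    pm.assign("Billing", "Staff")
    pm.assign("rec-1001", "Medical Records")   # object of the records DS
    pm.assign("msg-42", "Medical Records")     # object of the messaging DS carrying the same PHI
    pm.assign("inv-7", "Invoices")
    pm.assign("notice-1", "Public Notices")
    pm.associate("Doctors", {"read", "manipulate", "share"}, "Medical Records")
    pm.associate("Billing", {"read"}, "Invoices")
    pm.associate("Staff", {"read"}, "Public Notices")   # inherited by Doctors and Billing
    pep = DataServicePEP(pm)
    pep.register("records", {"rec-1001": "BP 120/80"})
    pep.register("messaging", {"msg-42": "Lab result attached"})
    pep.register("billing", {"inv-7": "$250"})
    pep.register("notices", {"notice-1": "Holiday schedule"})
    return pm, pep


if __name__ == "__main__":
    pm, pep = build_demo()
    print(pep.invoke("alice", "read", "messaging", "msg-42"))
    print(pm.permitted_ops("bob", "msg-42"))
    pep.invoke("alice", "share", "messaging", "msg-42", "Invoices")
    print(pep.invoke("bob", "read", "messaging", "msg-42"))
```

Two points the slides make are visible here: the policy lives on attributes, not on services, so "comprehensive policy enforcement across DSs" falls out of routing every request through the one PEP; and "share" is an operation that rewrites the assignment graph, which is why it must itself be authorized rather than being a property of the data service.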

Page 16

Commercial Applications

What can a SaaS Cloud Provider do?

A SaaS Cloud Provider may offer “Enterprise-Wide Data-Centric Computing Environments” to its Consumers.

Available as open source this spring.

Page 17

Collaboration Opportunities

Available as open source this spring.

NIST will maintain the source.

Collaboration on enhancing and maintaining the source is welcomed.

Page 18

Contact Information

Thank you!

For questions on NIST EWDCCE:
David Ferraiolo, NIST
[email protected]
301-975-3046

For questions on NIST CC SRA:
Dr. Michaela Iorga, NIST
[email protected]
301-975-8431

For information on Collaboration and/or Technology transfer:
Jack E. Pevenstein, NIST
Technology Transfer Advisor
Technology Partnership Office
301-975-5519
[email protected]