The National Institute of Standards and Technology (NIST), which has produced technical information security guidance since 1990, has been working to develop the technology and security standards necessary to deploy government services in the cloud. Last month, NIST released its three-volume draft document,
The NIST roadmap is divided into three volumes to tackle all of the issues inherent with cloud services deployment. Volume I, developed with input from the Federal CIO Council-sponsored Cloud Computing Standards and Technology Working Group, serves as a general overview and identifies 10 requirements necessary to move government cloud adoption forward. The requirements make it clear that without new standards and technology, cloud computing services may not be viable for government use.
These requirements are intentionally explored at a high level as they are explored in more detail in volumes II and III. Volume II, Useful Information for Cloud Adopters, is written as a technical reference that supports the requirements identified in Volume I. Volume III, Technical Considerations for USG Cloud Computing Deployment Decisions, provides practical guidance for decision makers planning cloud deployments by combining the requirements in Volume I with the technical information in Volume II.
The 10 requirements identified in Volume I are not specific to only government uses of cloud technologies. They apply to any implementation of cloud services, making SP500-253 valuable to private businesses when performing their own custom risk assessments. Here is a summary of the 10 requirements:
International voluntary consensus-based interoperability, portability and security standards
This requirement deals with one of the core issues of using cloud services: How easy is it to move your company’s data from one cloud provider to another? According to NIST, the industry should develop standards that enable an application to be moved between different cloud providers. These new standards would not just include the data itself, but virtual machine, firewall, and virtual network configurations as well.
Solutions for high-priority security requirements
Information security in the cloud still possesses many of the same traits as traditional, hosted information security. However, there are differences such as multi-tenancy that must be addressed for cloud-based systems and require higher levels of security. How do you verify your data is kept separate when running on a shared system?
Technical specifications for high-quality service-level agreements
Another important aspect of cloud computing is defining service-level agreements. A standardized SLA for cloud service providers does not yet exist. There is a great degree of variability between the reliability measures in place at each cloud provider as well. Some providers will focus on higher levels of redundancy while others focus only on price. This requirement defines the need for a standard list of key elements that needs to be addressed by a cloud services SLA.
Clear and consistently categorized cloud services
The alphabet soup of cloud services can be confusing to decipher, and IaaS, SaaS, PaaS may not actually reference the same types of capabilities that are offered by a cloud service provider. NIST performed a survey in late 2010 and found there were disparities among 11 different cloud computing models across multiple vendors. The requirement states there should be comparable classifications of cloud services across providers to ease the selection process and provide for clear comparisons.
Frameworks to support federated community clouds
There are different tools to develop applications for each community cloud application platform, making it very difficult to build applications that span across multiple cloud providers.. Common authentication across cloud providers is just as difficult with a myriad of different protocols and standards, including SAML and OAuth. This requirement defines the need for a common standard that would allow development tools and federated security models to cross these boundaries.
Technical security solutions de-coupled from organizational policy
Legal and business requirements for the security and privacy of data are different around the country and around the world. California has requirements around the protection of driver’s license numbers where other states may not. Some nations consider birth records to be public while others have strict privacy rules protecting birth records. The requirement states that industry standards need to be defined that allow cloud technology to adapt to different legal and business requirements. The cloud services consumer should only have to select an abstract layer of security without deciding when it should be applied, according to NIST.
Defined unique government requirements and solutions
Government agencies have additional regulatory requirements that go beyond what is required of private businesses. Commercial cloud providers may not have sufficient means of addressing these additional requirements. The government cannot use the same mitigation strategies as private businesses such as financial penalties, insurance or litigation. According to NIST, these compliance gaps must be identified and technological solutions developed or government cloud adoption may not accelerate.
Collaborative parallel “future cloud” development initiatives
Current cloud solutions were all developed by private companies. The functioning of these highly complex networks is considered to be a trade secret by their respective owners. This requirement defines the need for private industries to work with academic institutions to build even larger but more open clouds. Past network technologies like Layer 2 switching may need to be redesigned to sustain future massive cloud operations across vast geographic distances, according to NIST.
Defined and implemented reliability design goals
Cloud providers have designed their systems to be highly available. However, there have been major cloud outages at some of the top-tier cloud providers such as Amazon that raise the concern of design reliability. This requirement describes the need for the industry to develop a set of best practices for reliable cloud network designs as well as a standard to report cloud network reliability information.
Defined and implemented cloud service metrics
Cloud providers have all developed their own methodology for allocating resources to their customers. Their marketing often leads with their lowest cost offerings that are not useful for anything but the smallest workloads. How does the cloud consumer select the appropriate plan for their intended workload? This can lead to greater expense or lower performance than originally anticipated. This requirement defines the need for a common set of performance metrics that would allow consumers to compare and select the appropriate size for their intended workload.
The NIST roadmap contains a lot of invaluable information about cloud computing risks that is useful to anyone considering using cloud services. The 10 requirements identified in the first volume can be converted into a custom due diligence process tailored to your business needs. While the NIST guidance identifies gaps that may prevent the U.S. government from adopting cloud services as they exist today, we can be assured these gaps likely will be addressed quickly by cloud providers, given the potential size of this market. This is good news for the private industry as everyone stands to benefit from more open, reliable and secure cloud service offerings.
About the author:
Joseph Granneman, CISSP, has over 20 years in information technology and security with experience in both healthcare and financial services. He has been involved in the Health Information Security and Privacy Working Group for Illinois, the Certification Commission for Health Information Technology (CCHIT) Security Working Group, and is an active InfraGard member.
This was first published in December 2011