The question asked of every information security practitioner in the last several years is: “How do I know if my data is safe in the cloud?” The federal government is asking the same question and has asked the National Institute of Standards and Technology (NIST) to classify the risks and develop a long-term security strategy to support the adoption of cloud computing. NIST released the first draft of SP500-293 U.S. Government Cloud Computing Technology Roadmap in early November 2011, and work is underway to develop technical specifications, use cases, reference security architecture and standards to support the roadmap.
An examination of this work demonstrates the size and general complexity of developing the NIST cloud security guidelines. The project is huge, but promises to provide a new cloud security standard that can be used by businesses as well as the U.S. government. Many businesses have been working to develop their own custom standards and due diligence processes to define secure cloud services adoption and operation, but the NIST technology roadmap has the potential to become an industry standard.
Subgroups work to build out NIST guidance
To review, the NIST SP500-293 roadmap is divided into three separate volumes. Volume I contains 10 NIST requirements (covered in a previous tip) the government would need to more aggressively adopt cloud computing. Volume II offers a technical perspective on meeting the 10 requirements while Volume III provides guidance to decision makers considering cloud solutions with sample scenarios and logical process models.
NIST has created several different public/private subgroups in order to tackle the enormous task of building out the guidance contained in each of these volumes. The Reference Architecture and Taxonomy working group has the job of defining the terms and standards for measurement for cloud services. Specifically it will be addressing requirements 3, 5 and 10 from Volume I: develop technical specifications to make cloud service-level agreements comparable between cloud service providers, create frameworks for federated cloud environments, and establish metrics for cloud services to allow customers to easily compare cloud service providers.
The Standards Acceleration to Jumpstart the Adoption of Cloud Computing (SAJACC) working group is developing use cases on various cloud systems in order to foster faster cloud services adoption. The Business Use Cases working group is identifying areas where cloud services can be adopted and providing examples of deployment methodology. The Cloud Computing Standards Roadmap Working Group is identifying new models and standards that should be included in NIST SP 500-291 USG Cloud Computing Standards Roadmap (.pdf). Finally, there is the Cloud Computing Security Working Group, which has the daunting task of developing reference security architecture to support the NIST 500-293 Technology Roadmap.
Defining roles and security requirements
The Reference Architecture and Taxonomy working group has defined specific actors in cloud computing to provide focus for the security and architecture teams:
- Cloud service consumer -- Person or organization that maintains a business relationship with, and uses service from, cloud service providers.
- Cloud service provider --Person, organization or entity responsible for making a service available to service consumers.
- Cloud carrier -- The intermediary that provides connectivity and transport of cloud services between cloud providers and cloud consumers.
- Cloud broker -- An entity that manages the use, performance and delivery of cloud services, and negotiates relationships between cloud providers and cloud consumers.
- Cloud auditor -- A party that can conduct independent assessment of cloud services, information system operations, performance and security of the cloud implementation.
The Cloud Computing Security Working group is focused on defining the security requirements and roles for each one of these actors. What security responsibilities does the cloud broker have that are different than the responsibilities of the cloud carrier? When the cloud broker recommends or aggregates various cloud services, what security measures should be in place and how are they communicated to the cloud service consumer? These types of questions are being compiled into a matrix to begin building the appropriate recommendations for each type of actor.
The matrix is then being expanded based on the type of cloud service used by each actor. There are many different types of cloud services that must be considered, including IaaS, PaaS, SaaS and the mutations that occur with public and hybrid and commercial versus free implementations. A cloud service consumer will need to understand that the security capabilities of a free public cloud service like Google Docs may be much different than a commercial cloud service like Salesforce.com. The cloud service consumer will also need a checklist of these security requirements based on their application; this is what NIST hopes to achieve in the Cloud Computing Security Workgroup.
This workgroup has been building upon existing material from the Cloud Security Alliance, including the Cloud Controls Matrix. The CSA matrix forms the initial basis of the group’s security requirements, but has been expanded to support the different cloud services and actors. For example, the workgroup’s matrix defines a requirement for audit planning (control CO-01 in the CSA matrix); this control is then cross referenced to its location in NIST SP800-53 R3 (.pdf) and applied against each of the cloud service actors -- provider, consumer, carrier, broker and auditor.
Tackling cloud compliance
The biggest complication with adopting cloud services can be compliance with specific regulations. The Cloud Computing Security Working Group is taking this into account and applied all relevant compliance regulations and standards to the modified CSA Cloud Controls matrix. The regulations and standards that are being mapped to these requirements include: FedRAMP, COBIT 4.1, HIPAA/HITECH Act, ISO/IEC 27001-2005, PCI DSS 2.0, BITS Shared Assessments, AICPA Generally Accepted Privacy Principles, Jericho Forum Commandments and NERC CIP. There has also been recent discussion of inclusion of the FBI Criminal Justice Information Services security rules. This creates a daunting matrix with over 200 security requirements for five cloud service actors using 12 different types of cloud services complying with 10 separate compliance standards.
Ultimately, the final NIST cloud security guidelines document may prove unwieldy for general businesses looking for a golden standard on which to base their cloud security due diligence processes and implementations. However, this could change, as the standards are not yet complete. The Cloud Computing Security Working Group has a very aggressive schedule with an initial draft of these requirements due by April 25 with a final version due by September 1. In the meantime, businesses may want to look to the sources NIST is using to develop its standards The CSA guidance and ISO 27000 standards make a good starting point for businesses to build a solid cloud security due diligence process.
About the author:
Joseph Granneman, CISSP, has over 20 years in information technology and security with experience in both healthcare and financial services. He has been involved in the Health Information Security and Privacy Working Group for Illinois, the Certification Commission for Health Information Technology (CCHIT) Security Working Group, and is an active InfraGard member.