Securing the Cloud: NIST Draft SP 800-144
By Kevin Stevens

What is Cloud Computing?
Cloud computing can be described in several ways. NIST provides the following definition: “Cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.”

How we use the Cloud
• Software as a Service (SaaS)
• Platform as a Service (PaaS)
• Infrastructure as a Service (IaaS)
The “cloud” provides a virtual environment without the physical infrastructure found in typical deployments. This offloading of assets creates new issues for information security.

Why the Cloud? Simple!
• Reduced costs
• Increased efficiency
Can you say greater ROI?

So what is the problem?
Cloud computing is an emerging technology that is being implemented across all industries. New technologies always come with greater risk.
• Privacy
• Security

Who provides Security?
• Many aspects of security fall into the hands of a third party.
• Security also falls into the hands of the client organization.

Important Factors in the Cloud
• SLA – the service level agreement should outline the level of service provided by the cloud provider.
• Security
• Privacy
• Policy & Procedures
• Technical controls
• Data ownership
• Exit rights
• Data encryption
• Compliance

What is the biggest obstacle?
And the winner is… Security

FISMA
“FISMA requires federal agencies to adequately protect their information and information systems against unauthorized access, use, disclosure, disruption, modification, or destruction [HR2458].”
EVEN in the cloud!

Detailed Concerns
• System Complexity
• Shared Multi-tenant Environment
• Internet-facing Services
• Loss of control

Summary of Recommendations
• Duplicate physical network security controls
• Require the cloud provider to immediately report intrusions
• Secure management of virtual images
• Secure both client and server, including physical and logical controls (virtual firewall, common hardening, etc.)
• Dual Identity and Access Management
• Isolation of client resources
• Data isolation (may be done by encrypting data at rest and in transit)

Summary of Recommendations (continued)
• Data sanitization
• Availability
• Incident Response

References
FISMApedia. Retrieved March 25, 2011, from http://www.fismapedia.org/index.php?title=Main_Page
NIST.gov - Computer Security Division - Computer Security Resource Center. Retrieved March 27, 2011, from http://csrc.nist.gov/groups/SNS/cloud-computing/