
THE PRESIDENT’S NATIONAL SECURITY TELECOMMUNICATIONS ADVISORY COMMITTEE

NSTAC Report to the President on Cloud Computing: Cloud Computing Security Controls For NS/EP (Appendix E)

May 15, 2012

President’s National Security Telecommunications Advisory Committee

TABLE OF CONTENTS

1.0 CLOUD SECURITY ALLIANCE (CSA) CLOUD CONTROLS MATRIX
2.0 ISACA IT CONTROL OBJECTIVES FOR CLOUD COMPUTING: CONTROLS AND ASSURANCE IN THE CLOUD
3.0 FEDERAL RISK AND AUTHORIZATION MANAGEMENT PROGRAM (FEDRAMP) SECURITY CONTROLS
4.0 EUROPEAN NETWORK AND INFORMATION SECURITY AGENCY (ENISA) CLOUD COMPUTING: BENEFITS, RISKS AND RECOMMENDATIONS FOR INFORMATION SECURITY
5.0 THE NSTAC NS/EP CLOUD CONTROL FRAMEWORKS
    5.1 CSA Cloud Controls Matrix
    5.2 ISACA IT Control Objectives for Cloud Computing: Controls and Assurance in the Cloud
    5.3 FedRAMP Security Controls

NSTAC Report to the President on Cloud Computing: Cloud Computing Security Controls For NS/EP Supplemental Information

1.0 CLOUD SECURITY ALLIANCE (CSA) CLOUD CONTROLS MATRIX

The Cloud Security Alliance (CSA) is a non-profit organization that promotes best practices for providing security assurance in cloud computing and consists of industry practitioners, corporations, associations (including its founding affiliate member the Information Systems Audit and Control Association [ISACA]) and other key stakeholders. This member-driven organization is comprised of regional chapters, both domestic and abroad, that focus on different areas of interest specific to a region and/or aspect of cloud computing.

CSA’s Cloud Control Matrix (CCM) is a framework consisting of security control requirements built for the cloud and provides fundamental information security principles for cloud service owners and cloud service providers (CSP). The CSA CCM emphasizes business information security control requirements and identifies security threats and vulnerabilities in the cloud. The CCM also aligns with industry-accepted security standards and controls frameworks such as the International Organization for Standardization (ISO) 27001/27002 [1], ISACA Control Objectives for Information and Related Technology (COBIT), payment card industry (PCI) [2], and the National Institute for Standards and Technology (NIST), among others, and received validation from an independent certification organization comprised of information security practitioners.

CCM consists of 100 controls developed around 13 control areas, or domains. [3] The President’s National Security Telecommunications Advisory Committee (NSTAC) determined that certain control areas, such as control measurement or certification, were of limited relevance to informing the risk implications to the five key factors. Therefore, using relevancy to the five key factors and our professional judgment, the NSTAC reduced the number of controls to be assessed to 34. The NSTAC then analyzed those controls according to the general methodology previously discussed.

2.0 ISACA IT CONTROL OBJECTIVES FOR CLOUD COMPUTING: CONTROLS AND ASSURANCE IN THE CLOUD

ISACA is a non-profit, global association that engages in the development, adoption and use of globally accepted, industry-leading knowledge and practices for information systems. [4] ISACA has issued a number of information technology (IT) governance frameworks including its most widely recognized COBIT IT risk and controls framework, which was developed as a tool to map business requirements to IT controls for managing and securing information and information systems. COBIT consists of 210 controls developed around the lifecycle of a program. As such, this framework focuses on IT processes – not functions or applications – from the perspective of the process owners, who principally assume the responsibility of the IT functions that support and enable the business processes under their purview. Leveraging the flexibility of the framework, ISACA created its IT Control Objectives for Cloud Computing, which extends the COBIT controls to the cloud computing environment. The ISACA IT Control Objectives for Cloud Computing also maps to other industry-accepted security standards, regulations, and controls frameworks such as NIST Special Publication 800-53, ISO 17799: Information Technology - Security Techniques - Code Of Practice For Information Security Management, and the Capability Maturity Model Integration (CMMI), among others.

The methodology the NSTAC used to review this framework is consistent with the one used for evaluating CSA’s CCM; however, the NSTAC made necessary modifications to account for the differences in the constructs of the frameworks. As previously mentioned, the general COBIT framework, along with the IT Control Objectives for Cloud Computing, are structured around a lifecycle approach; therefore, it is not functions-based around specific IT (or cloud) domains like the CSA CCM. In reflecting this approach, the 210 control objectives are mapped to 34 IT processes, which fall under 4 larger domains: 1) plan and organize, 2) acquire and implement, 3) deliver and support, and 4) monitor and evaluate. [5] Similar to the CSA analysis, the NSTAC reduced the number of controls to include only those relevant to the cloud environment. ISACA self-designated the cloud-relevant controls, which reduced the number of controls to be evaluated from 210 controls down to 155. Taking into account the appropriate level of evaluation required for the report, and in order to preserve the life-cycle based construct of this framework, instead of further distilling the number of controls based on their relevance to the NS/EP context as done for the CSA CCM, the NSTAC performed our evaluation of the risks and NS/EP implications at the process-level. The NSTAC did, however, evaluate the five key factors and identify the responsible party at the control level to provide context and support for the types of functions/controls that were classified under each of the five key factors and to determine the responsible parties for functions/processes and their associated risks.

3.0 FEDERAL RISK AND AUTHORIZATION MANAGEMENT PROGRAM (FEDRAMP) SECURITY CONTROLS

As previously discussed, the Office of Management and Budget (OMB) established the Federal Risk and Authorization Management Program (FedRAMP) to provide a standard approach to assessing and authorizing cloud computing services and products. This approach leverages the existing processes based on NIST 800-37 Guide for Applying the Risk Management Framework to Federal Information Systems Processes and the NIST 800-53 Recommended Security Controls for Federal Information Systems and Organizations and adapts them for cloud computing. FedRAMP is intended to enable multiple agencies to gain from the benefit and insight of the FedRAMP’s authorization, including access to service provider’s security documentation packages. FedRAMP’s 168 security controls and enhancements were selected from NIST 800-53 Revision 3 for systems designated at the low and moderate impact levels as defined by Federal Information Processing Standards (FIPS) 199. Consistent with the rationale for analyzing the ISACA framework, the NSTAC performed our evaluation of the risks and national security and emergency preparedness (NS/EP) implications at the higher domain (i.e. “family”) level, totaling 17 families. The NSTAC also evaluated the five key factors at the individual control level to provide context and support for the types of functions/controls that were classified under each of the five factors. Finally, since FedRAMP will identify responsible parties for each of the controls in forthcoming guidance, the NSTAC did not identify them during our review.

4.0 EUROPEAN NETWORK AND INFORMATION SECURITY AGENCY (ENISA) CLOUD COMPUTING: BENEFITS, RISKS AND RECOMMENDATIONS FOR INFORMATION SECURITY

The European Network and Information Security Agency (ENISA) is a European Union agency that provides expertise in network and information security issues. The NSTAC evaluated ENISA’s Cloud Computing: Benefits, Risks and Recommendations for Information Security to understand the broader, holistic perspective of assessing risks for cloud services for government functions. The document enumerates risks in the following domain areas: policy and organizational, technical, legal, and risks not specific to the cloud. The NSTAC reviewed the 35 individual risk factors that were categorized into the domains identified above and mapped them to the affected security controls in the CSA and ISACA frameworks. In so doing, the NSTAC identified a baseline set of controls from the CSA and ISACA frameworks that can be used to address the risks highlighted in the ENISA framework.

[1] ISO 27001: http://www.iso.org/iso/catalogue detail?csnumber 42103 and ISO 27002 http://www.iso.org/iso/catalogue detail?csnumber .aspx
[4] ISACA’s 95,000 membership includes auditors, chief executives (including CIOs), educators, information security and control professionals, business managers, students, and IT consultants spanning 160 countries.
[5] T-Request.aspx

5.0 THE NSTAC NS/EP CLOUD CONTROL FRAMEWORKS

5.1 CSA Cloud Controls Matrix

Control Area: Data Governance - Ownership / Stewardship / Classification
Primary NSTAC Concern: Data
Control Specification: All data shall be designated with stewardship with assigned responsibilities defined, documented and communicated. Data, and objects containing data, shall be assigned a classification based on data type, jurisdiction of origin, jurisdiction domiciled, context, legal constraints, contractual constraints, value, sensitivity, criticality to the organization and third party obligation for retention and prevention of unauthorized disclosure or misuse.
ENISA Mapping (R.35 Natural Disasters applicable to all): R.1 Lock-in; R.2 Loss of governance; R.20 Conflict between customer hardening procedures and cloud environment; R.21 Subpoena and e-discovery; R.23 Data protection risks; R.30 Loss or compromise of operational logs
Responsible Party (User / Owner / Provider): X X X
Unique Characteristic or Risk: An incomplete and/or inaccurate inventory of assets (such as data), improper designation of appropriate risk level (to the data), and misallocation of the appropriate roles and responsibilities to data owners (commensurate with the risk level) can result in unauthorized access, use, disclosure, modification, and/or destruction.
Potential NS/EP Implications: In an NS/EP event, many different users will need access to systems, data and services. It will be critical for NS/EP owners to maintain (and automate where possible) data classification. While certain types of data will require immediate access, specialized handling, and/or distribution can lead to liability concerns when the data is managed in a manner not explicitly defined by or consistent with its original intent (i.e. audit trail or no audit trail). Additionally, as data is being generated from an event, its classification could change and NS/EP service owners will need SLAs that will enable the rapid movement to a classified platform and guarantee wiping of data.

Control Area: Data Governance - Retention Policy
Primary NSTAC Concern: Data
Control Specification: Policies and procedures for data retention and storage shall be established and backup or redundancy mechanisms implemented to ensure compliance with regulatory, statutory, contractual or business requirements. Testing the recovery of disk or tape backups must be implemented at planned intervals.
ENISA Mapping (R.35 Natural Disasters applicable to all): R.1 Lock-in; R.2 Loss of governance; R.23 Data protection risks; R.30 Loss or compromise of operational logs
Responsible Party (User / Owner / Provider): X X
Unique Characteristic or Risk: Loss of data or prolonged inability to access critical data can have significant impact on operations. Cloud services should implement redundant data storage as well as thorough data backup procedures allowing for recovery of historical data for a set period of time. At the same time, if the service owner or the provider are required to comply with regulatory or legal requirements to preserve certain types of data (e.g. access logs) for set periods of time, loss of said data can result in penalties and/or impede forensic / LE activities.
Potential NS/EP Implications: The key characteristics of the cloud, including distributed computing base, geo-redundancy, scalability, and ability to rapidly deploy new services make cloud services a promising environment for NS/EP applications. NS/EP owners will need to set clear requirements for data retention in the cloud. NS/EP owners will need to determine specific policies related to data retention, including not just how long but where the data is being retained (e.g., user devices, cloud, or back inside of government enterprises). For example, in response to national disasters, does the NS/EP data generated in a collaborative cloud model have specific time-to-live? Are there specific Government policies for retention or is it up to the service owners and stakeholders to establish this?

Control Area: Data Governance - Secure Disposal
Primary NSTAC Concern: Data
Control Specification: Policies and procedures shall be established and mechanisms implemented for the secure disposal and complete removal of data from all storage media, ensuring data is not recoverable by any computer forensic means.
ENISA Mapping (R.35 Natural Disasters applicable to all): R.1 Lock-in; R.2 Loss of governance; R.14 Insecure or ineffective deletion of data; R.23 Data protection risks; R.30 Loss or compromise of operational logs
Responsible Party (User / Owner / Provider): X X
Unique Characteristic or Risk: The redundant nature of cloud storage and its built-in backup mechanisms could present a challenge in ensuring complete erasure of information. Most commercial cloud providers do not truly erase data. In many cases it is simply marked as erased, and then portions of the disk space allocated to the data are erased prior to reuse by other customers.
Potential NS/EP Implications: In dealing with sensitive information, complete and secure removal of data must be supported and access to the functionality needs to be effectively controlled. Depending on the cloud service model, the responsibility may reside with application owner, the service provider, or jointly with both. Additionally, NS/EP owners may need to have the ability to wipe devices once an event is over and this may require building permissions and management systems into non-government owned/managed devices.

Control Area: Data Governance - Information Leakage
Primary NSTAC Concern: Data
Control Specification: Security mechanisms shall be implemented to prevent data leakage.
ENISA Mapping (R.35 Natural Disasters applicable to all): R.1 Lock-in; R.2 Loss of governance; R.12 Intercepting data in transit; R.13 Data leakage on up/download, intra-cloud; R.23 Data protection risks
Responsible Party (User / Owner / Provider): X X X
Unique Characteristic or Risk: In addition to presenting the same data leakage risks as most in-house and/or outsourced IT environments, cloud computing may introduce additional leakage channels due to multi-tenancy or insider threat. The most serious information leakage risk in cloud computing at this point seems to lie with out-of-policy cloud migration projects that expose organization data to the cloud without proper risk assessment. Finally, cloud-based service may provide improved protection of data by allowing ubiquitous access without the need for local storage of the data on mobile devices (currently one of the most significant sources of data leakage).
Potential NS/EP Implications: Ensuring controlled access to sensitive information is essential to NS/EP applications. Depending on the service model and architecture the responsibility of the area may reside with some or all of the actors (user, owner, provider). At the same time, properly architected and implemented cloud applications can significantly reduce data leakage due to some of the most common channels such as device loss or theft.

Control Area: Information Security - Acceptable Use
Primary NSTAC Concern: Data
Control Specification: Policies and procedures shall be established for the acceptable use of information assets.
ENISA Mapping (R.35 Natural Disasters applicable to all): R.10 Cloud provider malicious insider abuse of high privilege roles; R.12 Intercepting data in transit; R.28 Privilege escalation
Responsible Party (User / Owner / Provider): X X X
Unique Characteristic or Risk: Policies and procedures should clearly define activities that qualify as both authorized and unauthorized uses of information assets, infrastructure components, and services/technologies.
Potential NS/EP Implications: NS/EP users may not be fully aware of acceptable use of information assets and compliance requirements. Acceptable use exception scenarios along with risk implications need to be anticipated and planned for.

Control Area: Information Security - Asset Returns
Primary NSTAC Concern: Data
Control Specification: Employees, contractors and third party users must return all assets owned by the organization within a defined and documented time frame once the employment, contract or agreement has been terminated.
ENISA Mapping (R.35 Natural Disasters applicable to all): R.2 Loss of governance; R.6 Cloud Provider Acquisition; R.7 Supply Chain Failure; R.34 Computer Theft
Responsible Party (User / Owner / Provider): X X X
Unique Characteristic or Risk: A complete inventory of all assets (including asset classification) and designation of owners accountable for managing the asset and updating the inventory is essential to ensure adequate asset management, including returns.
Potential NS/EP Implications: In an NS/EP event, assets can be lost, damaged, stolen, or otherwise unaccounted for, which can result in its inappropriate use, mishandling, or destruction. NS/EP owners need to consider whether data can (temporarily) reside on a device during an event and also put mechanisms in place to wipe the data upon return.

Control Area: Security Architecture - Data Integrity
Primary NSTAC Concern: Data
Control Specification: Data input and output integrity routines (i.e., reconciliation and edit checks) shall be implemented for application interfaces and databases to prevent manual or systematic processing errors or corruption of data.
ENISA Mapping (R.35 Natural Disasters applicable to all): R.7 Supply Chain Failure; R.10 Cloud provider malicious insider abuse of high privilege roles; R.28 Privilege escalation; R.30 Loss or compromise of operational logs
Responsible Party (User / Owner / Provider): X X
Unique Characteristic or Risk: Failure to ensure data integrity at application interfaces and databases leaves data vulnerable to alteration, exploitation, or corruption.
Potential NS/EP Implications: With vast amounts of data flowing and no reliable mechanism by which to ascertain a user's identity, particularly in the context of P2P and government citizen data sharing via social media sites, the security and integrity of the data can be compromised by a user to intentionally mislead or convey wrong information. Potential need for a process to snap shot data so that in case it was corrupted, it could be readily recovered.

Control Area: Information Security - Baseline Requirements
Primary NSTAC Concern: Policy/Legal
Control Specification: Baseline security requirements shall be established and applied to the design and implementation of (developed or purchased) applications, databases, systems, and network infrastructure and information processing that comply with policies, standards and applicable regulatory requirements. Compliance with security baseline requirements must be reassessed at least annually or upon significant changes.
ENISA Mapping (R.35 Natural Disasters applicable to all): R.10 Cloud provider malicious insider abuse of high privilege roles; R.11 Management interface compromise; R.15 DDoS; R.20 Conflict between customer hardening procedures and cloud environment; R.25 Network breaks; R.26 Network management; R.28 Privilege escalation
Responsible Party (User / Owner / Provider): X X
Unique Characteristic or Risk: Lack of compliance with baseline security standards without compensating controls is likely to leave significant gaps in protection of the cloud infrastructure or application putting the service and data at risk.
Potential NS/EP Implications: Compliance with security baseline requirements identified for the specific service is essential in ensuring security of the service and the data. In NS/EP applications, compliance with the NS/EP specific baseline standards must be evaluated.

Control Area: Information Security - User Access Policy and Configuration
Primary NSTAC Concern: Policy/Legal
Control Specification: User access policies and procedures shall be documented, approved and implemented for granting and revoking normal and privileged access to applications, databases, and server and network infrastructure in accordance with business, security, compliance and service level agreement (SLA) requirements. Normal and privileged user access to applications, systems, databases, network configurations, and sensitive data and functions shall be restricted and approved by management prior to access granted. Timely deprovisioning, revocation or modification of user access to the organization's systems, information assets and data shall be implemented upon any change in status of employees, contractors, customers, business partners or third parties. Any change in status is intended to include termination of employment, contract or agreement, change of employment or transfer within the organization.
ENISA Mapping (R.35 Natural Disasters applicable to all): R.2 Loss of governance; R.10 Cloud provider malicious insider abuse of high privilege roles; R.20 Conflict between customer hardening procedures and cloud environment; R.23 Data protection risks; R.27 Modifying network traffic; R.28 Privilege escalation
Responsible Party (User / Owner / Provider): X X
Unique Characteristic or Risk: Ineffective access policies and controls can lead to data leakage and/or service compromise by untrusted parties.
Potential NS/EP Implications: Effective access controls are essential in the NS/EP environment, which deals with sensitive information and where the availability of the service is essential. In a crisis situation, dynamic management of credentials and modifying access policies to facilitate response activities is essential. The Access Control policy and system must support this for NS/EP applications. NS/EP owners will need to think about access policies and configurations that will enable rapidly granting access to new users and determining what authentication methods it will use to make it easy and safe. NS/EP owners should also consider whether they want to establish a set of role-based access requirements that are not tied to unique people but rather functions.

Control Area: Information Security - Encryption
Primary NSTAC Concern: Infrastructure
Control Specification: Policies and procedures shall be established and mechanisms implemented for encrypting sensitive data in storage (e.g., file servers, databases, and end user workstations) and data in transmission (e.g., system interfaces, over public networks, and electronic messaging).
ENISA Mapping (R.35 Natural Disasters applicable to all): R.12 Intercepting data in transit; R.13 Data leakage on up/download, intra-cloud; R.17 Loss of encryption keys; R.23 Data protection risks; R.27 Modifying network traffic
Responsible Party (User / Owner / Provider): X X
Unique Characteristic or Risk: Unencrypted data at rest or in transit makes it easier for an adversary to intercept information. Compensating / defense-in-depth controls can be provided to protect information from unauthorized disclosure within the cloud environment / data center. When data is processed in an unattended manner managing security of the at-rest encryption keys becomes a significant challenge in the cloud environment.
Potential NS/EP Implications: NS/EP applications can impose stringent encryption requirements based on the sensitivity of the data and/or classified data handling standards. However, NS/EP users may want to determine whether they need encryption for NS users and functions and no encryption for the emergency response side.

Control Area: Information Security - Audit Tools Access
Primary NSTAC Concern: Infrastructure
Control Specification: Access to, and use of, audit tools that interact with the organization's information systems shall be appropriately segmented and restricted to prevent compromise and misuse of log data.
ENISA Mapping (R.35 Natural Disasters applicable to all): R.22 Risks from changes of jurisdiction; R.28 Privilege escalation; R.30 Loss or compromise of operational logs; R.31 Loss or compromise of security logs
Responsible Party (User / Owner / Provider): X X
Unique Characteristic or Risk: Appropriately segmenting and limiting access to and use of audit tools can reduce the risk that the user/owner of the system being audited has privileged access to that system and corrupts the audit log.
Potential NS/EP Implications: Audit logs that can be used to support investigations or post-incident analysis can be inadvertently or intentionally compromised or destroyed by users that have acquired privileged access to the log data.

Control Area: Information Security - Diagnostic / Configuration Ports Access and Utility Programs Access
Primary NSTAC Concern: Infrastructure
Control Specification: User access to diagnostic and configuration ports shall be restricted to authorized individuals and applications. Utility programs capable of potentially overriding system, object, network, virtual machine and application controls shall be restricted.
ENISA Mapping (R.35 Natural Disasters applicable to all): R.26 Network management; R.28 Privilege escalation
Responsible Party (User / Owner / Provider): X
Unique Characteristic or Risk: Lack of proper user and application access rights can allow unauthorized access to diagnostic tools, configuration ports and utility programs that sit in the cloud service network or infrastructure management layer. Access to this management layer allows for configuration changes or the potential for insertion of malicious code that could ultimately undermine the underpinnings of the cloud infrastructure or virtual infrastructure including virtualized partitions.
Potential NS/EP Implications: NS/EP owners who are operating a collaborative platform may have the ability to run their own diagnostics or tools to determine if there is a security issue or understand a problem in the system and resolve it. There could be an instance where such tools are needed to conduct an investigation into breaches, misuse of data, or system compromise.

Control Area: Information Security - Network / Infrastructure Services and Third Party Agreements
Primary NSTAC Concern: Infrastructure
Control Specification: Network and infrastructure service level agreements (in-house or outsourced) shall clearly document security controls, capacity and service levels, and business or customer requirements. Additionally, third party agreements that directly, or indirectly, impact an organization's information assets or data are required to include explicit coverage of all relevant security requirements. For network, infrastructure and third party SLAs, this includes agreements involving processing, accessing, communicating, hosting or managing the organization's information assets, or adding or terminating services
ENISA Mapping (R.35 Natural Disasters applicable to all): R.2 Loss of governance; R.8 Resource Exhaustion (under or over provisioning); R.7 Supply Chain Failure; R.12 Intercepting data in transit;
Responsible Party (User / Owner / Provider): X X
Potential NS/EP Implications: Specific, well-spelled out agreements must be documented and signed by all parties to ensure that the most critical functions are able to persist during an NS/EP event. Failure of such can result in a security breach, data leak or service interruption.
Unique Characteristic or Risk: Service Level Agreements are key to ensuring that the owners' requirements for security controls (including non-standard controls), capacity and service levels, and other business requirements are completely spelled out and agreed to. Lack of clear documentation of these requirements
