Guidelines on Security and Privacy in Public Cloud Computing - NIST


Special Publication 800-144
Guidelines on Security and Privacy in Public Cloud Computing
Wayne Jansen
Timothy Grance

NIST Special Publication 800-144
Guidelines on Security and Privacy in Public Cloud Computing
Wayne Jansen
Timothy Grance

COMPUTER SECURITY
Computer Security Division
Information Technology Laboratory
National Institute of Standards and Technology
Gaithersburg, MD 20899-8930

December 2011

U.S. Department of Commerce
Rebecca M. Blank, Acting Secretary
National Institute of Standards and Technology
Patrick D. Gallagher, Under Secretary of Commerce for Standards and Technology and Director

Reports on Computer Systems Technology

The Information Technology Laboratory (ITL) at the National Institute of Standards and Technology (NIST) promotes the U.S. economy and public welfare by providing technical leadership for the Nation’s measurement and standards infrastructure. ITL develops tests, test methods, reference data, proof of concept implementations, and technical analysis to advance the development and productive use of information technology. ITL’s responsibilities include the development of technical, physical, administrative, and management standards and guidelines for the cost-effective security and privacy of sensitive unclassified information in Federal computer systems. This Special Publication discusses ITL’s research, guidance, and outreach efforts in computer security, and its collaborative activities with industry, government, and academic organizations.

National Institute of Standards and Technology Special Publication 800-144, 80 pages (December 2011)

Certain commercial entities, equipment, or materials may be identified in this document in order to describe an experimental procedure or concept adequately. Such identification is not intended to imply recommendation or endorsement by the National Institute of Standards and Technology, nor is it intended to imply that the entities, materials, or equipment are necessarily the best available for the purpose.

Abstract

Cloud computing can and does mean different things to different people. The common characteristics most interpretations share are on-demand scalability of highly available and reliable pooled computing resources, secure access to metered services from nearly anywhere, and displacement of data and services from inside to outside the organization. While aspects of these characteristics have been realized to a certain extent, cloud computing remains a work in progress. This publication provides an overview of the security and privacy challenges pertinent to public cloud computing and points out considerations organizations should take when outsourcing data, applications, and infrastructure to a public cloud environment.

Keywords: Cloud Computing; Computer Security and Privacy; Information Technology Outsourcing

Acknowledgements

The authors, Wayne Jansen of Booz Allen Hamilton and Tim Grance of NIST, wish to thank colleagues who reviewed drafts of this document and contributed to its technical content, as well as the individuals who reviewed the public-release draft of this document and provided comments during the review period. In particular, Erika McCallister of NIST offered insight on the subject of privacy as it relates to cloud computing, and Tom Karygiannis and Ramaswamy Chandramouli, also from NIST, provided input on cloud security in early drafts. Thanks also go to Kevin Mills and Lee Badger, who assisted with our internal review process. Key improvements to this document would not have been possible without the feedback and valuable suggestions of all these individuals.

Table of Contents

Executive Summary ... vi
1. Introduction ... 1
1.1 Authority ... 1
1.2 Purpose and Scope ... 1
1.3 Audience ... 1
1.4 Document Structure ... 2
2. Background ... 3
2.1 Deployment Models ... 3
2.2 Service Models ... 4
2.3 Outsourcing and Accountability ... 6
3. Public Cloud Services ... 7
3.1 Service Agreements ... 7
3.2 The Security and Privacy Upside ... 8
3.3 The Security and Privacy Downside ... 10
4. Key Security and Privacy Issues ... 14
4.1 Governance ... 14
4.2 Compliance ... 15
4.3 Trust ... 18
4.4 Architecture ... 22
4.5 Identity and Access Management ... 25
4.6 Software Isolation ... 27
4.7 Data Protection ... 29
4.8 Availability ... 31
4.9 Incident Response ... 33
4.10 Summary of Recommendations ... 35
5. Public Cloud Outsourcing ... 37
5.1 General Concerns ... 39
5.2 Preliminary Activities ... 42
5.3 Initiating and Coincident Activities ... 48
5.4 Concluding Activities ... 50
5.5 Summary of Recommendations ... 51
6. Conclusion ... 52
7. References ... 53
Appendix A—Acronyms ... 69
Appendix B—Online Resources ... 70

Executive Summary

Cloud computing has been defined by NIST as a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or cloud provider interaction [Mel11]. Cloud computing technologies can be implemented in a wide variety of architectures, under different service and deployment models, and can coexist with other technologies and software design approaches. The security challenges cloud computing presents are formidable, including those faced by public clouds whose infrastructure and computational resources are owned and operated by an outside party that delivers services to the general public via a multi-tenant platform.

The emergence of cloud computing promises to have far-reaching effects on the systems and networks of federal agencies and other organizations. Many of the features that make cloud computing attractive, however, can also be at odds with traditional security models and controls.

The primary purpose of this report is to provide an overview of public cloud computing and the security and privacy considerations involved. More specifically, this document describes the threats, technology risks, and safeguards surrounding public cloud environments, and their treatment. This document does not prescribe or recommend any specific cloud computing service, service arrangement, service agreement, service provider, or deployment model. Each organization is instead expected to apply the guidelines provided when performing its own analysis of its requirements, and to assess, select, engage, and oversee the public cloud services that can best fulfill those requirements.

The key guidelines from the report are summarized and listed below and are recommended to federal departments and agencies.

Carefully plan the security and privacy aspects of cloud computing solutions before engaging them.

Public cloud computing represents a significant paradigm shift from the conventional norms of an organizational data center to a deperimeterized infrastructure open to use by potential adversaries. As with any emerging information technology area, cloud computing should be approached carefully with due consideration to the sensitivity of data. Planning helps to ensure that the computing environment is as secure as possible and in compliance with all relevant organizational policies and that privacy is maintained. It also helps to ensure that the agency derives full benefit from information technology spending.

The security objectives of an organization are a key factor for decisions about outsourcing information technology services and, in particular, for decisions about transitioning organizational data, applications, and other resources to a public cloud computing environment. Organizations should take a risk-based approach in analyzing available security and privacy options and deciding about placing organizational functions into a cloud environment. The information technology governance practices of the organizations that pertain to the policies, procedures, and standards used for application development and service provisioning, as well as the design, implementation, testing, use, and monitoring of deployed or engaged services, should be extended to cloud computing environments.

To maximize effectiveness and minimize costs, security and privacy must be considered throughout the system lifecycle from the initial planning stage forward. Attempting to address security and privacy issues after implementation and deployment is not only much more difficult and expensive, but also exposes the organization to unnecessary risk.

Understand the public cloud computing environment offered by the cloud provider.

The responsibilities of both the organization and the cloud provider vary depending on the service model. Organizations consuming cloud services must understand the delineation of responsibilities over the computing environment and the implications for security and privacy. Assurances furnished by the cloud provider to support security or privacy claims, or by a certification and compliance review entity paid by the cloud provider, should be verified whenever possible through independent assessment by the organization.

Understanding the policies, procedures, and technical controls used by a cloud provider is a prerequisite to assessing the security and privacy risks involved. It is also important to comprehend the technologies used to provision services and the implications for security and privacy of the system. Details about the system architecture of a cloud can be analyzed and used to formulate a complete picture of the protection afforded by the security and privacy controls, which improves the ability of the organization to assess and manage risk accurately, including mitigating risk by employing appropriate techniques and procedures for the continuous monitoring of the security state of the system.

Ensure that a cloud computing solution satisfies organizational security and privacy requirements.

Public cloud providers’ default offerings generally do not reflect a specific organization’s security and privacy needs. From a risk perspective, determining the suitability of cloud services requires an understanding of the context in which the organization operates and the consequences from the plausible threats it faces. Adjustments to the cloud computing environment may be warranted to meet an organization’s requirements. Organizations should require that any selected public cloud computing solution is configured, deployed, and managed to meet their security, privacy, and other requirements.

Non-negotiable service agreements in which the terms of service are prescribed completely by the cloud provider are generally the norm in public cloud computing. Negotiated service agreements are also possible. Similar to traditional information technology outsourcing contracts used by agencies, negotiated agreements can address an organization’s concerns about security and privacy details, such as the vetting of employees, data ownership and exit rights, breach notification, isolation of tenant applications, data encryption and segregation, tracking and reporting service effectiveness, compliance with laws and regulations, and the use of validated products meeting federal or national standards (e.g., Federal Information Processing Standard 140). A negotiated agreement can also document the assurances the cloud provider must furnish to corroborate that organizational requirements are being met.

Critical data and applications may require an agency to undertake a negotiated service agreement in order to use a public cloud. Points of negotiation can negatively affect the economies of scale that a non-negotiable service agreement brings to public cloud computing, however, making a negotiated agreement less cost effective. As an alternative, the organization may be able to employ compensating controls to work around identified shortcomings in the public cloud service. Other alternatives include cloud computing environments with a more suitable deployment model, such as an internal private cloud, which can potentially offer an organization greater oversight and authority over security and privacy, and better limit the types of tenants that share platform resources, reducing exposure in the event of a failure or configuration error in a control.

With the growing number of cloud providers and range of services from which to choose, organizations must exercise due diligence when selecting and moving functions to the cloud. Decision making about services and service arrangements entails striking a balance between benefits in cost and productivity versus drawbacks in risk and liability. While the sensitivity of data handled by government organizations and the current state of the art make the likelihood of outsourcing all information technology services to a public cloud low, it should be possible for most government organizations to deploy some of their information technology services to a public cloud, provided that all requisite risk mitigations are taken.

Ensure that the client-side computing environment meets organizational security and privacy requirements for cloud computing.

Cloud computing encompasses both a server and a client side. With emphasis typically placed on the former, the latter can be easily overlooked. Services from different cloud providers, as well as cloud-based applications developed by the organization, can impose more exacting demands on the client, which may have implications for security and privacy that need to be taken into consideration.

Because of their ubiquity, Web browsers are a key element for client-side access to cloud computing services. Clients may also entail small lightweight applications that run on desktop and mobile devices to access services. The various available plug-ins and extensions for Web browsers are notorious for their security problems. Many browser add-ons also do not provide automatic updates, increasing the persistence of any existing vulnerabilities. Similar problems exist for other types of clients.

Maintaining physical and logical security over clients can be troublesome, especially with embedded mobile devices such as smart phones. Their size and portability can result in the loss of physical control. Built-in security mechanisms often go unused or can be overcome or circumvented without difficulty by a knowledgeable party to gain control over the device. Moreover, cloud applications are often delivered to them through custom-built native applications (i.e., apps) rather than a Web browser.

The growing availability and use of social media, personal Webmail, and other publicly available sites are a concern, since they increasingly serve as avenues for social engineering attacks that can negatively impact the security of the client, its underlying platform, and cloud services accessed. Having a backdoor Trojan, keystroke logger, or other type of malware running on a client device undermines the security and privacy of public cloud services as well as other Internet-facing public services accessed. As part of the overall cloud computing security architecture, organizations should review existing security and privacy measures and employ additional ones, if necessary, to secure the client side.

Maintain accountability over the privacy and security of data and applications implemented and deployed in public cloud computing environments.

Organizations should employ appropriate security management practices and controls over cloud computing. Strong management practices are essential for operating and maintaining a secure cloud computing solution. Security and privacy practices entail monitoring the organization’s information system assets and assessing the implementation of policies, standards, procedures, controls, and guidelines that are used to establish and preserve the confidentiality, integrity, and availability of information system resources.

The organization should collect and analyze available data about the state of the system regularly and as often as needed to manage security and privacy risks, as appropriate for each level of the organization (i.e., governance level, mission or business process level, and information systems level) [Dem10]. Continuous monitoring of information security requires maintaining ongoing awareness of privacy and security controls, vulnerabilities, and threats to support risk management decisions. The goal is to conduct ongoing monitoring of the security of an organization’s networks, information, and systems, and to respond by accepting, avoiding, or mitigating risk as situations change.

Assessing and managing risk in cloud computing systems can be a challenge, since significant portions of the computing environment are under the control of the cloud provider and may likely be beyond the organization’s purview. Both qualitativ
