Cloud Security using NIST guidelines: the NIST Cloud Computing Security Reference Architecture (NIST SP 500-299), the NIST Cloud Computing Reference Architecture (NIST SP 500-292), and NIST's Guide for Applying the Risk Management Framework to Federal Information Systems (NIST SP 800-37)
2. The COVID-19 lockdowns imposed work from home and pushed businesses to accelerate their adoption of the Cloud and its services.
Here are NIST's guides for Cloud adoption:
NIST SP 500-291: Cloud Computing Standards Roadmap
NIST SP 500-292: NIST Cloud Computing Reference Architecture
NIST SP 500-293: US Government Cloud Computing Technology Roadmap, Volume I, High-Priority Requirements to Further USG Agency Cloud Computing Adoption
NIST SP 500-293: US Government Cloud Computing Technology Roadmap, Volume II, Useful Information for Cloud Adopters (Draft)
NIST SP 500-293: US Government Cloud Computing Technology Roadmap, Volume III, Technical Considerations for USG Cloud Computing Deployment Decisions (Draft)
NIST SP 800-144: Guidelines on Security and Privacy in Public Cloud Computing
NIST SP 800-145: The NIST Definition of Cloud Computing
NIST SP 800-146: Cloud Computing Synopsis and Recommendations (Draft)
3. Importance of Cloud Security
On one hand, the convenience and low cost of cloud computing services have changed our daily lives. On the other hand, the security issues associated with cloud computing expose us to the cybercrimes that happen every day.
Security is one of the most significant barriers to migrating to the cloud, followed by compliance, privacy and legal concerns.
Attackers can use several techniques to gain access to a cloud environment without authorization, and they can disrupt services to achieve their objectives. They could even modify the cloud configuration so that malicious activity is treated as normal activity, and thus gain unauthorized access to data stored in the cloud.
Before migrating to the cloud, the sensitivity of the stored information needs to be weighed against the security and privacy risks incurred.
For example, the benefits of a cloud-based solution depend on the deployment model, the type of cloud service considered, the type of data involved, the system's criticality/impact level, the cost savings, and any associated regulatory requirements.
4. Some Common Threats in the Cloud
With cloud migration, the consumer gives up direct control over physical security. Thus, to understand how to protect our data, we must understand the types of attacks that could occur in our cloud.
Security Threats
Browser Security
Insecure Interfaces and Application Programming Interfaces (APIs)
Cloud Malware Injection Attack
Flooding Attacks
Data Protection
Incomplete Data Deletion
Lock-in
Network Threats
Denial of Service (DoS)
Network Sniffing
Man-in-the-Middle Attack
Port Scanning
Structured Query Language (SQL) Injection Attack
Cross-Site Scripting (XSS)
5. NIST SP 500-299
Our objective is to study Cloud Security, so we will focus on the NIST Cloud Computing Security Reference Architecture.
6. The NIST Cloud Computing Security Reference Architecture model is derived from the following models:
01 NIST SP 500-292: NIST Cloud Computing Reference Architecture
02 NIST SP 800-37: Guide for Applying the Risk Management Framework to Federal Information Systems
7. 01 NIST SP 500-292: NIST Cloud Computing Reference Architecture
The NIST Cloud Computing Security Reference Architecture is mainly derived from this model, as it provides an overall template description of the Cloud architecture.
This model is a generic, high-level conceptual model and a powerful tool for discussing the requirements, structures, and operations of cloud computing.
This model is vendor-neutral: it is not tied to any specific vendor products, services, or reference implementation, nor does it define prescriptive solutions that restrict innovation.
It provides a blueprint to guide developers in the design of (cloud) services and applications, and defines a set of actors, activities, and functions that can be used in the process of developing cloud computing architectures.
8. ACTORS AND THEIR FUNCTIONS
Cloud Consumer: acquires and maintains a business relationship with, and uses services from, Cloud Providers.
Cloud Provider: the purveyor of services to Cloud Consumers; responsible for making the service available.
Cloud Auditor: conducts independent assessment of cloud services, information system operations, performance and security of the cloud implementation.
Cloud Broker: intermediary between Cloud Consumer and Cloud Provider; brokers hide the complexity of services or create new services by aggregating, integrating or enhancing existing ones.
Cloud Carrier: provides connectivity and transport of data and services between Cloud Consumers and Cloud Providers.
10. SERVICE MODELS
Software as a Service (SaaS)
Software as a Service provides consumers with a complete product that is run and managed by the service provider. In most cases, people referring to Software as a Service mean end-user applications. With a SaaS offering, consumers do not have to think about how the service is maintained or how the underlying infrastructure is managed; they only need to think about how they will use that particular piece of software. A common example of a SaaS application is web-based email, where you can send and receive email without managing feature additions to the email product or maintaining the servers and operating systems that the email program runs on.
Platform as a Service (PaaS)
Platform as a Service removes the need for consumers to manage the underlying infrastructure and lets them focus on the deployment and management of their applications. This helps consumers be more efficient, as they do not need to worry about resource procurement, capacity planning, software maintenance, patching, or any of the other undifferentiated heavy lifting involved in running an application.
PaaS consumers employ the tools and execution resources provided by cloud providers to develop, test, deploy, and manage the operation of PaaS applications hosted in a cloud environment.
11. SERVICE MODELS (cont'd)
Infrastructure as a Service (IaaS)
Infrastructure as a Service contains the basic building blocks for cloud IT and typically provides consumers with access to networking features, computers (virtual or on dedicated hardware), and data storage space. It also gives consumers the highest level of flexibility and management control over their IT resources, and is the model most like the existing IT resources that many IT departments and developers are familiar with today.
12. CLOUD CONSUMER AND CLOUD PROVIDER
Service model | Consumer activities | Provider activities
IaaS | Creates/installs, manages, and monitors services for IT infrastructure operations. | Provisions and manages the physical processing, storage, networking, and the hosting environment and cloud infrastructure for IaaS consumers.
PaaS | Develops, tests, deploys, and manages applications hosted in a cloud system. | Provisions and manages cloud infrastructure and middleware for the platform consumers; provides development, deployment, and administration tools to platform consumers.
SaaS | Uses the application/service for business process operations. | Installs, manages, maintains, and supports the software application on a cloud infrastructure.
14. CLOUD COMPUTING STANDARDS FOR SECURITY
As most cloud consumers and providers wish to accelerate the adoption of cloud computing and advance the deployment of cloud services, solutions that cope with cloud security threats need to be addressed. Many of the threats that cloud providers and consumers face can be dealt with through traditional security processes and mechanisms such as security policies, cryptography, identity management, intrusion detection/prevention systems, and supply chain vulnerability analysis. However, risk management activities must also be undertaken to determine how to mitigate the threats specific to the different cloud models and to analyze existing standards for gaps that need to be addressed.
Securing the information systems and ensuring the confidentiality, integrity, and availability of the information being processed, stored, and transmitted are particularly relevant, as these are the high-priority concerns and present a higher risk of being compromised in a cloud computing system.
Having understood the basic Cloud Architecture and its Service Models, we now focus on the required Cloud Security Standards.
Security is a responsibility shared between the Cloud Consumer and the Cloud Provider.
22. 02 NIST SP 800-37: Guide for Applying the Risk Management Framework to Federal Information Systems
This Guide covers the Risk Management Framework (RMF).
23. The Risk Management Framework
A risk management framework (RMF) is the structured process used to identify potential threats to an organization, to define the strategy for eliminating or minimizing their impact, and to establish the mechanisms for effectively monitoring and evaluating that strategy.
Before acquiring a cloud service, a cloud Consumer needs to analyze the risk associated with adopting a cloud-based solution for an information system, and plan the risk treatment and risk control activities associated with the cloud-based operation of that system. To do so, a cloud Consumer needs to gain the perspective of the entire cloud Ecosystem that will serve the operations of their cloud-based information system. Cloud Consumers must also apply the RMF in a customized way that allows them to:
Perform a risk assessment
Identify the best-fitting cloud architecture
Select the most suitable cloud service
Gain the necessary visibility into the cloud offering
Define and negotiate the necessary risk treatment and risk control mitigations before finalizing the SLA and proceeding with the security authorization
25. Step-wise Activities
Risk Assessment (analyze the cloud environment to identify potential vulnerabilities and shortcomings)
Step 1: Categorize the information system and the information processed, stored, and transmitted by that system based on a system impact analysis. Identify operational, performance, security, and privacy requirements.
Step 2: Select, based on the security categorization, the initial set of security controls for the information system (referred to as baseline security controls). Then tailor and supplement the baseline security control set based on the organizational assessment of risk and the conditions of the operational environment. Develop a strategy for the continuous monitoring of security control effectiveness. Document all the controls in the security plan. Review and approve the security plan.
26. Step-wise Activities (cont'd)
Risk Treatment (design mitigation policies and plans)
Step 3: Implement the security controls and describe how the controls are employed within the information system and its environment of operation.
Step 4: Assess the security controls using appropriate assessment procedures as documented in the assessment plan. The assessment determines whether the controls are implemented correctly and whether they are effective in producing the desired outcome.
Step 5: Authorize information system operation based on the risk resulting from the operation of the information system and the decision that this risk is acceptable. The authorization decision considers the risk to organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, and other organizations.
Risk Control (risk monitoring: surveying, reviewing events, identifying policy adjustments)
Step 6: Monitor the security controls in the information system on an ongoing basis, including assessing control effectiveness, documenting changes to the system or its environment of operation, conducting security impact analyses of these changes, and reporting the security state of the system to designated organizational officials.
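As an added worked example (not part of the original slides), the three RMF phases above can be made concrete in code. Step 1 relies on the FIPS 199 security categorization that SP 800-37 builds on: each security objective (confidentiality, integrity, availability) takes the high-water mark across the information types the system handles, and the system's overall impact level is the highest of the three. Step 2 starts from the SP 800-53 baseline for that level and tailors it; Step 6 compares the documented plan against an assessment snapshot and reports deviations. The abbreviated baselines, the HR system and the assessment results below are constructed for illustration (the real baselines are in SP 800-53B and run to hundreds of controls); the control identifiers are real SP 800-53 identifiers, and the "satisfied" / "other than satisfied" statuses follow SP 800-53A's assessment-finding vocabulary.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set

# FIPS 199 impact levels, ordered so that the high-water mark is a max().
IMPACT_ORDER = {"low": 1, "moderate": 2, "high": 3}


@dataclass(frozen=True)
class InformationType:
    """One kind of information the system handles, rated per security objective."""
    name: str
    confidentiality: str
    integrity: str
    availability: str


def high_water_mark(levels: Iterable[str]) -> str:
    """Highest impact level among those given (the FIPS 200 high-water-mark rule)."""
    levels = list(levels)
    unknown = [level for level in levels if level not in IMPACT_ORDER]
    if unknown:
        raise ValueError(f"unknown impact level(s): {unknown}")
    return max(levels, key=IMPACT_ORDER.__getitem__)


def categorize_system(info_types: List[InformationType]) -> Dict[str, str]:
    """RMF Step 1: categorize the system.

    Each objective takes the high-water mark across all information types;
    the overall system category is the highest of the three objectives.
    """
    if not info_types:
        raise ValueError("a system must handle at least one information type")
    category = {
        "confidentiality": high_water_mark(t.confidentiality for t in info_types),
        "integrity": high_water_mark(t.integrity for t in info_types),
        "availability": high_water_mark(t.availability for t in info_types),
    }
    category["system"] = high_water_mark(category.values())
    return category


# Constructed, abbreviated baselines: a few SP 800-53 control identifiers per
# impact level, enough to show the selection logic. The real baselines are in
# SP 800-53B and contain hundreds of controls each.
BASELINES: Dict[str, Set[str]] = {
    "low": {"AC-2", "AU-2", "IA-2", "SC-7"},
    "moderate": {"AC-2", "AC-2(1)", "AU-2", "AU-6", "IA-2", "SC-7", "SC-8", "SI-4"},
    "high": {"AC-2", "AC-2(1)", "AU-2", "AU-6", "AU-10", "IA-2", "SC-7", "SC-8", "SI-4"},
}


def select_controls(system_level: str, supplements: Iterable[str] = (),
                    tailored_out: Iterable[str] = ()) -> Set[str]:
    """RMF Step 2: start from the baseline for the system's impact level, then
    tailor it: add the supplemental controls the risk assessment calls for and
    drop controls documented as not applicable. The result is what the
    security plan should record."""
    return (set(BASELINES[system_level]) | set(supplements)) - set(tailored_out)


def monitor_controls(planned: Set[str], observed: Dict[str, str]) -> Dict[str, List[str]]:
    """RMF Step 6: compare the documented control set with an assessment
    snapshot of {control: finding}. Report controls that are planned but were
    never assessed, planned but not satisfied, and assessed but absent from
    the plan (an undocumented change to the system)."""
    findings: Dict[str, List[str]] = {"missing": [], "failing": [], "undocumented": []}
    for control in sorted(planned):
        finding = observed.get(control)
        if finding is None:
            findings["missing"].append(control)
        elif finding != "satisfied":
            findings["failing"].append(control)
    findings["undocumented"] = sorted(set(observed) - planned)
    return findings


# Constructed example: a cloud-hosted HR system that handles two information types.
HR_SYSTEM = [
    InformationType("employee PII", confidentiality="moderate", integrity="moderate", availability="low"),
    InformationType("payroll records", confidentiality="moderate", integrity="high", availability="moderate"),
]

# Constructed assessment snapshot, using SP 800-53A's finding vocabulary.
ASSESSMENT = {
    "AC-2": "satisfied", "AC-2(1)": "satisfied", "AU-2": "satisfied",
    "AU-6": "other than satisfied", "IA-2": "satisfied", "SC-7": "satisfied",
    "SC-8": "satisfied", "SI-4": "satisfied", "AU-10": "satisfied",
    "CP-9": "satisfied",  # implemented, but never recorded in the security plan
}

if __name__ == "__main__":
    category = categorize_system(HR_SYSTEM)
    print("categorization:", category)
    # Supplement the baseline with SA-9 (External System Services), since the
    # system runs on a Cloud Provider the organization does not operate.
    plan = select_controls(category["system"], supplements={"SA-9"})
    print("planned controls:", sorted(plan))
    print("monitoring findings:", monitor_controls(plan, ASSESSMENT))
```

Run as a script, the HR system categorizes as high because the payroll records' integrity rating dominates, so the whole system inherits the high baseline even though most of its data is moderate; the monitoring pass then flags SA-9 as planned but never assessed, AU-6 as failing, and CP-9 as an undocumented addition that the security plan must be updated to cover (the Step 6 "documenting changes to the system" activity).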
27. This concludes our overview of the Cloud Security Standards and of their Risk Management requirements when implementing the Cloud.
28. CREDITS: This presentation template was created by Slidesgo, including
icons by Flaticon, and infographics & images by Freepik.
Please keep this slide for attribution.
THANK YOU!
srishtiahuja16@gmail.com
slashsrishti
srishtiahuja16