NIST Cloud Computing Program

Transcription

1 NIST Program USG Roadmap Top 10 high priority requirements to accelerate USG adoption of the model NIST Mission: To promote U.S. innovation and industrial competitiveness by advancing measurement science, standards, and technology in ways that enhance economic security and improve our quality of life Robert Rathe CASC, February 29, 2012 Robert Bohn, Program Manager NIST 1 Program

2 Unchanged: NIST Program Goal Accelerate the federal government s adoption of cloud computing* Build a USG Roadmap which focuses on the highest priority USG cloud computing security, interoperability and portability requirements Lead efforts to develop standards and guidelines in close consultation and collaboration with standards bodies, the private sector, and other stakeholders * REF 2 NIST 2 Program

3 S T R A T E G I C NIST CC Definition May 2010 Workshop I REVISITING NIST CLOUD COMPUTING PROGRAM (PHASE 1) INITIATIVE TO BUILD A USG CLOUD COMPUTING TECHNOLOGY ROADMAP Outreach & Fact finding with USG, Industry, SDOs Evaluate past models & lessons learned Define fresh approach to support secure & effective USG cloud computing adoption, prioritize interoperability, portability, & security requirements, collaborate, more quickly respond to operational needs Tactical efforts Nov 2010 Workshop II Launch CC Strategic Program Initiate Stakeholder Meetings Collaboratively define working group scope & resources Refine Plan March 2011 Workshop III Execute CC Strategic program Continue Stakeholder meetings Integrate results into tactical priorities How to build a USG Roadmap 1. Define Target USG Use Cases 2. Define Neutral Reference Architecture & Taxonomy 3. Generate Roadmap Translate Requirements & Identify Gaps Oct 2011 Workshop IV Complete 1 st draft USG Roadmap Interagency Report Assess Results & Replan 3 NIST 3 Program

4 Volume I - Highlights USG Roadmap requirements* - high priorities to further USG Adoption: Requirement 1: International voluntary consensus based interoperability, portability and security standards Requirement 2: Solutions for high priority Security Requirements Top 10 High Priority USG Requirements to accelerate secure & effective cloud adoption (interoperability, portability, security) And.There are practical reasons why the requirements that are needed for USG agencies to securely & effectively deploy the model are also needed by the broad cloud computing stakeholder community Requirement 3: Technical specifications to enable development of consistent, high quality Service Level Agreements Requirement 4: Clearly and consistently categorized cloud services Requirement 5: Frameworks to support seamless implementation of federated community cloud environments Requirement 6: Technical security solutions which are decoupled from organizational policy decisions Requirement 7: Defined unique government regulatory requirements, technology gaps, and solutions Requirement 8: Collaborative parallel strategic future cloud development initiatives Requirement 9: Defined and implemented reliability design goals Requirement 10: Defined and implemented cloud service metrics NIST 4 Program *relationship to interoperability, portability, and security 4 guidance, standards, & technology highlighted in roadmap

5 Security Privacy Volume II - Highlights Useful Information for Adopters Summary of the work completed November 2010 through September 2011 in projects & working groups Analysis supports high priority requirements introduced in Volume I References to detailed publications & external work NIST Reference Architecture (& Taxonomy) SP Sept 2011 Summary of USG target business use case templates & initial set SAJACC technical use case summary spec 1 spec 2 Specifications Use Cases Case 1 Case 2 Validation Exercises Spec 1 Test 1 Spec 2 Test 2 Spec n Test n Standards Roadmap SP July 2011 standards & gap analysis Consumer Auditor Securit y Audit Privacy Impact Audit Perfor mance Audit Service Layer IaaS SaaS PaaS Resource Abstraction and Control Layer Physical Resource Hardware Layer Facility Provider Carrier Community Outreach Service Manage ment Business Support Provisio ning/ Configur ation Portabili ty/ Interoper ability NIST Standards Portal Use Cases Validated Specifications standards Existing Standards Working Groups information Reference Implementations Standards Development Organizations High Priority Security Requirements - challenges, requirements overview, risk mitigation measures Other related work - Reliability Research in -based Complex Systems Koala SLA taxonomy, Broker Service Intermed iation Service Aggregat ion Service Arbitrag e NIST 5 Program

6 We have practical opportunities to leverage our efforts one is identifying complementary efforts the NIST Roadmap refers to as Priority Action Plans 6 Strategic Program (continue phase 1 activities and ) How to build a USG Roadmap 1. Define Target USG Business Use Cases 2. REFINE & APPLY Neutral CC Reference Architecture & Taxonomy priorities risks obstacles 3. UPDATE Roadmap Translate Requirements & Identify Gaps Vendors map services NIST Tactical Program USG Roadmap... leverage Priority Action Plans (PAPs) selected for self-tasking by Stakeholder Community Assess & Track: USG CC High Priority Requirements met by Priority Action Plans (self-tasked by NIST and other CC stakeholders) Rqmt 1: International consensus interoperability, security, portability standards Rqmt 2: Solutions for High Priority Security requirements Rqmt 3: Technical Specifications to enable high quality SLAs. Rqmt 10: Defined and Implemented cloud service metrics Integrate results into tactical priorities Measure Results NIST Program

7 USG Roadmap requirements - high priorities to further USG Adoption: Encourage standards & compensate with Service Level Agreements to require demonstration of data/system portability between providers Requirement 1: International voluntary consensus based interoperability, portability and security standards (interoperability, portability, and security standards) Requirement 2: Solutions for high priority Security Requirements (security technology) Recommended Priority Action Plans are tactical as well as strategic Examples of Priority Action Plans & interim solutions to apply while cloud solutions are maturing Request that cloud service vendors map their offerings to a common reference (i.e. NIST Reference Architecture) so that it is easier to compare services Define unique USG/mission/sector/business Requirements (e.g. 508 compliance, e-discovery, record retention) Requirement 3: Technical specifications to enable development of consistent, high quality Service Level Agreements (interoperability, portability, and security standards and guidance) Requirement 4: Clearly and consistently categorized cloud services (interoperability and portability guidance and technology) Requirement 5: Frameworks to support seamless implementation of federated community cloud environments (interoperability and portability guidance and technology) Requirement 6: Technical security solutions which are de-coupled from organizational policy decisions (security guidance, standards and technology) Requirement 7: Defined unique government regulatory requirements, technology gaps, and solutions (interoperability, portability and security technology) Requirement 8: Collaborative parallel strategic future cloud development initiatives (interoperability, portability, and security technology) Requirement 9: Defined and implemented reliability design goals (interoperability, portability, and security technology) Requirement 10: Defined and implemented cloud service metrics (interoperability and portability standards) 7 NIST 7 Program

8 NIST COMPUTING PROGRAM TIMELINE (PHASE 2) 8 S T R A T E G I C Analyze Phase 1 working group & project results Complete 1 st draft for public comment USG Roadmap Version 1 SP Nov 2011 Workshop IV Re-Assess Progress & Phase 2 Plan March 2012 Workshop V Initiate Program Phase II Integrate & track USG Roadmap Priority Action Plans (PAPs) with external stakeholders Integrate results into tactical priorities Measure Results Nov 2012 Workshop VI USG Roadmap Version 2 Tactical efforts Public & Federal Standards & working groups Standards liaison, SAJACC, FedRamp & other technical advisory, Guidance, Koala NIST Special Pubs Guidelines on Security and Privacy Definition of CC Synopsis & Recommendations CC Standards Roadmap CC Reference Architecture USG CC Roadmap Draft NIST Program Planned NIST Special Pubs Challenging Security Requirements for US Government CC Adoption Revised USG CC Roadmap Vol I High-priority requirements to Further USG Agency CC Adoption 2. Vol II Useful Information for Adopters 3. Draft Vol. III Technical Considerations for USG CC Deployment Decisions

9 9 NIST invites you to collaborate with us on! US Federal references: Public NIST cloud web site: United States Department of Commerce National Institute of Standards and Information Laboratory 100 Bureau Drive Stop 2000 Gaithersburg, MD Tel: (301) , NIST Program