Cloud Computing Technologies Achieving Greater Trustworthiness and Resilience

Transcription

1 Cloud Computing Technologies Achieving Greater Trustworthiness and Resilience Cloud Standards Customer Council Public Sector Cloud Summit March 24, 2014 Dr. Ron Ross Computer Security Division Information Technology Laboratory NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 1

2 We are living in the golden age of information technology. Ironically, the same information technology that has brought unprecedented innovation and prosperity to millions, has now become a significant vulnerability to nation states, corporate entities, and individuals. How do we provide for the common defense in the digital age? NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 2

3 Advanced Persistent Threat An adversary that Possesses significant levels of expertise / resources. Creates opportunities to achieve its objectives by using multiple attack vectors (e.g., cyber, physical, deception). Establishes footholds within IT infrastructure of targeted organizations: To exfiltrate information; To undermine / impede critical aspects of a mission, program, or organization; and To position itself to carry out these objectives in the future. NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 3

4 Classes of Vulnerabilities A 2013 Defense Science Board Report described Tier 1: Known vulnerabilities. Tier 2: Unknown vulnerabilities (zero-day exploits). Tier 3: Adversary-created vulnerabilities (APT). Two-thirds of these vulnerability classes are off the radar of most organizations NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 4

5 We want to strengthen the underlying information technology infrastructure to achieve stronger, more resilient information systems Reducing the likelihood that cyber attacks will be successful and helping to ensure we can continue to carry out critical federal missions and business operations. NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 5

6 Complexity. Ground zero for our current problems NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 6

7 If we can t understand it we can t protect it NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 7

8 Cloud Computing Managing Complexity Consolidate. Optimize. Standardize. And the integration of information security requirements Reduces the size and complexity of IT infrastructures, promotes good information security and privacy, and can potentially lower costs (significantly) for organizations. NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 8

9 With cloud computing, you don t have to own everything It is now possible to reduce the size of our digital footprint NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 9

10 Cloud computing. Lower cost, more efficient services, better security On demand scalable dynamic. Churning the IT infrastructure can eliminate malware. NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 10

11 What Cloud Gives Us Less complicated IT infrastructure. Less expensive IT infrastructure. More efficient services for consumers. More resilient IT infrastructure. More effective risk-based, information security. NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 11

12 One possible cloud approach. Categorize information and systems, separating critical and sensitive data into domains. Choose best cloud model. Private Cloud High impact data Public Cloud Low impact data Moderate impact data NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 12

13 Resilience. The only way to go for critical missions and information systems NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 13

14 Dual Protection Strategies Sometimes your information systems will be compromised even when you do everything right Boundary Protection Primary Consideration: Penetration resistance. Adversary Location: Outside defensive perimeter. Objective: Repel the attack. Agile Defense Primary Consideration: Information system resilience. Adversary Location: Inside defensive perimeter. Objective: Operate while under attack, limit damage, survive. NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 14

15 Cloud Can Provide Agile Defense Boundary protection is a necessary but not sufficient condition for Agile Defense. Examples of Agile Defense measures Compartmentalization and segregation of critical assets. Targeted allocation of security controls. Virtualization and obfuscation techniques. Encryption of data at rest. Limiting privileges. Routine reconstitution to known secure state. Bottom Line: Limit damage of hostile attack while operating in a (potentially) degraded or debilitated state NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 15

16 Cloud Provides Defense-in-Depth Links in the Security and Privacy Chain: Security and Privacy Controls Risk assessment Security planning, policies, procedures Configuration management and control Contingency planning Incident response planning Security awareness and training Security in acquisitions Physical and personnel security Security assessments and authorization Continuous monitoring Privacy protection Access control mechanisms Identification & authentication mechanisms (Biometrics, tokens, passwords) Audit mechanisms Encryption mechanisms Boundary and network protection devices (Firewalls, guards, routers, gateways) Intrusion protection/detection systems Security configuration settings Anti-viral, anti-spyware, anti-spam software Smart cards Adversaries attack the weakest link where is yours? NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 16

17 Cloud technologies can bring best practices to systems design and development. NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 17

18 The Federal Cyber Security Strategy Build It Right, Continuously Monitor NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 18

19 The Cyber Security Toolset NIST Special Publication Managing Information Security Risk: Organization, Mission, and Information System View NIST Special Publication Guide for Conducting Risk Assessments NIST Special Publication Applying the Risk Management Framework to Federal Information Systems NIST Special Publication Security and Privacy Controls for Federal Information Systems and Organizations NIST Special Publication A Guide for Assessing the Security Controls in Federal Information Systems and Organizations NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 19

20 For bridge builders, it's all about physics Equilibrium, static and dynamic loads, vibrations, and resonance. NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 20

21 For information system developers, it's all about mathematics, computer science, architecture, and systems engineering Trustworthiness, assurance, penetration resistance and resilience. NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 21

22 The national imperative for building stronger, more resilient information systems Software assurance. Systems and security engineering. Supply chain risk management. NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 22

23 Security should be a by-product of good design and development practices cloud technologies can help. NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 23

24 Getting the attention of the C-Suite. NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 24

25 TACIT Security Threat Assets Complexity Integration Trustworthiness MERRIAM-WEBSTER DICTIONARY tac. it adjective : expressed or understood without being directly stated NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 25

26 Threat Develop a better understanding of the modern threat space, including the capability of adversaries to launch sophisticated, targeted cyber-attacks that exploit specific organizational vulnerabilities. Obtain open source and/or classified threat briefing. Include external and insider threat assessments. NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 26

27 Assets Conduct a comprehensive criticality analysis of organizational assets including information and information systems. Use FIPS Publication 199 for mission/business impact analysis (triage). NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 27

28 Complexity Reduce the complexity of the information technology infrastructure including IT component products and information systems. Use enterprise architecture to consolidate, optimize, and standardize the IT infrastructure. Employ cloud computing architectures to reduce the number of IT assets that need to be managed. NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 28

29 Integration Integrate information security requirements and the security expertise of individuals into organizational development and management processes. Embed security personnel into enterprise architecture, systems engineering, SDLC, and acquisition processes. Coordinate security requirements with mission/business owners; become key stakeholders. NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 29

30 Trustworthiness Invest in more trustworthy and resilient information systems supporting organizational missions and business functions. Isolate critical assets into separate enclaves. Implement solutions with greater strength of mechanism. Increase developmental and evaluation assurance. Use modular design, layered defenses, component isolation. NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 30

31 Summary TACIT Security Understand the cyber threat space. Conduct a thorough criticality analysis of organizational assets. Reduce complexity of IT infrastructure. Integrate security requirements into organizational processes. Invest in trustworthiness and resilience of IT components and systems. NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 31

32 Cybersecurity is the great challenge of the 21 st century. Cybersecurity problems are hard not easy. Cloud technologies can help NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 32

33 Be proactive, not reactive when it comes to protecting your organizational assets. NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 33

34 The clock is ticking the time to act is now. Failure is not an option when freedom and economic prosperity are at stake. NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 34

35 Contact Information Project Leader 100 Bureau Drive Mailstop 8930 Gaithersburg, MD USA Administrative Support Dr. Ron Ross Peggy Himes (301) (301) Senior Information Security Researchers and Technical Support Pat Toth Kelley Dempsey (301) (301) Arnold Johnson (301) Web: csrc.nist.gov/sec-cert Comments: NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 35