When Security, Privacy and Forensics Meet in the Cloud
Dr. Michaela Iorga, Senior Security Technical Lead for Cloud Computing
Co-Chair, Cloud Security WG
Co-Chair, Cloud Forensics Science WG
March 26, 2015
NIST MISSION: To promote U.S. innovation and industrial competitiveness by advancing measurement science, standards, and technology in ways that enhance economic security and improve our quality of life.
Privacy Engineering Project
*Standards Acceleration to Jumpstart the Adoption of Cloud Computing (SAJACC), in transition to the private sector
Standards for Security Categorization of Federal Information and Information Systems (FIPS 199); Feb 2004
Guide for Mapping Types of Information and Information Systems to Security Categories (SP 800-60 Rev. 1); Aug 2008
Minimum Security Requirements for Federal Information and Information Systems (FIPS 200); Mar 2006
Security Considerations in the System Development Life Cycle (SP 800-64 Rev. 2); Oct 2008
Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach (SP 800-37 Rev. 1); Feb 2010
Managing Information Security Risk: Organization, Mission, and Information System View (SP 800-39); Mar 2011
Guide for Conducting Risk Assessments (SP 800-30 Rev. 1); Sep 2012
Security and Privacy Controls for Federal Information Systems and Organizations (SP 800-53 Rev. 4); Apr 2013
Performance Measurement Guide for Information Security (SP 800-55 Rev. 1); Jul 2008
Contingency Planning Guide for Federal Information Systems (SP 800-34 Rev. 1); May 2010
Information Security Continuous Monitoring for Federal Information Systems and Organizations (SP 800-137); Sep 2011
Computer Security Incident Handling Guide (SP 800-61 Rev. 2); Aug 2012
DRAFT Systems Security Engineering: An Integrated Approach to Building Trustworthy Resilient Systems (SP 800-160 Draft); May 12, 2014
DRAFT Supply Chain Risk Management Practices for Federal Information Systems and Organizations (SP 800-161, Second Draft); Jun 3, 2014
Cloud-Adapted Risk Management Framework: Guide for Applying the Risk Management Framework to Cloud-based Federal Information Systems (SP 800-173); work in progress
Security and Privacy Controls for Cloud-based Federal Information Systems (SP 800-174); work in progress
Slide courtesy of Bill Murray, AWS, Amazon
What does Privacy mean to you?
Cybersecurity Information Sharing Act: Senator Richard Burr argued that it successfully balanced security and privacy. Critics still have two fundamental problems: a) the proposed cybersecurity act won't boost security; b) the information sharing it (CISA) describes sounds more than ever like a backchannel for surveillance. The bill, as worded, lets a private company share with the Department of Homeland Security any information construed as a cybersecurity threat "notwithstanding any other provision of law."
Why Do We Fear the Clouds? - Searching For an Answer -
NIST: Research Challenging Security Requirement for the USG Cloud Adoption (whitepaper)
MeriTalk:
1. If I like it, it's mine.
2. If it's in my hand, it's mine.
3. If I can take it from you, it's mine.
4. If I had it a little while ago, it is mine.
5. If it's mine, it must never appear to be yours in any way.
6. If I'm doing or building something, all the pieces are mine.
7. If it looks just like mine, it's mine.
8. If I saw it first, it's mine.
9. If you are playing with something and you put it down, it automatically becomes mine.
10. If it is broken, it's yours.
Trust & Trustworthiness (NIST SP 800-39*)
Trust is an important concept related to risk management. How organizations approach trust influences their behaviors and their internal and external trust relationships. [...] The reliance on IS services results in the need for trust relationships among organizations.
1. Validated Trust. One organization obtains a body of evidence regarding the actions of another organization and uses that evidence to establish a level of trust with the other organization.
2. Direct Historical Trust. The track record exhibited by an organization in the past is used to establish a level of trust with other organizations.
3. Mediated Trust. An organization establishes a level of trust with another organization based on assurances provided by some mutually trusted third party.
4. Mandated Trust. An organization establishes a level of trust with another organization based on a specific mandate issued by a third party in a position of authority.
5. Hybrid Trust. An organization uses one of the previously described models in conjunction with another model(s).
*NIST SP 800-39: Managing Information Security Risk: Organization, Mission, and Information System View
Privacy engineering objectives: Predictability, Manageability, Unlinkability (or Obscurity)
Predictability: Enabling reliable assumptions by individuals and system participants about what personal information is being processed, by whom, and why.
Manageability: Providing the capability for granular administration of personal information, including alteration, deletion, and selective disclosure.
Obscurity/Unlinkability: Enabling the processing of personal information or events in an information system without association to individuals beyond the operational requirements of the system.
Privacy risk model (figure elements): Data Actions, Personal Information, Context, Likelihood of Problematic Data Actions, Impact, Privacy Risk.
AIMING AT MORE THAN WHAT ISO/IEC 27018 OFFERS!
Consumer's Level of Control & SP 800-37 RMF (figure: IaaS, PaaS and SaaS stacks annotated with the layers the consumer manages and where the RMF and the Cloud-adapted RMF apply; stack image source: Cloud Security Alliance specification, 2009)
Trustworthiness requires visibility into the Provider's practices and risk/information security decisions to understand risk tolerance. But the level of trust can vary, and the accepted risk depends on the established trust relation.
NIST's Work Helps Consumers Deal With an Iceberg
Architecture: SP 500-299
NIST SP 800-173: Cloud-adapted Risk Management Framework
Risk Management Framework (SP 800-37):
Step 1: Categorize Information System
Step 2: Select Security Controls
Step 3: Implement Security Controls
Step 4: Assess Security Controls
Step 5: Authorize Information System
Step 6: Monitor Security Controls (repeat process as necessary)
Cloud-adapted Risk Management Framework (SP 800-173):
Step 1: Categorize Federal Information System
Step 2: Identify Security Requirements, perform a Risk Assessment & select Security Controls
Step 3: Select best-fitting Cloud Architecture
Step 4: Assess Service Provider(s) & Controls
Step 5: Authorize Use of Service
Step 6: Monitor Service Provider (on-going, near-real-time); repeat process as necessary
(figure labels: CRMF consumer, RMF provider; stack image source: Cloud Security Alliance specification, 2009)
CRMF Cloud-adapted Risk Management Framework cont.
1. Follows the NIST RMF (SP 800-37 Rev1) structure.
2. Discusses the impact of cloud computing architecture (deployment model & service type) and cloud characteristics (multi-tenancy, resource pooling, elasticity, etc.) on the Information System Boundary.
3. Introduces the Security Conservation Principle & Privacy Conservation Principle.
4. Discusses the notion of TRUST in a cloud ecosystem, and introduces the notion of TRUST BOUNDARY.
CRMF Cloud-adapted Risk Management Framework cont. (figure labels: RMF consumer, RMF provider)
Risk Management Framework (SP 800-37 Rev1):
Step 1: Categorize Information System
Step 2: Select Security Controls
Step 3: Implement Security Controls
Step 4: Assess Security Controls
Step 5: Authorize Information System
Step 6: Monitor Security Controls (repeat process as necessary)
Cloud-adapted Risk Management Framework (SP 800-173, draft):
Step 1: Categorize System to be migrated
Step 2: Identify Security Requirements, perform a Risk Assessment & select Security Controls
Step 3: Select best-fitting Cloud Architecture
Step 4: Assess Service Provider(s) & Controls
Step 5: Authorize Use of Service
Step 6: Monitor Service Provider [on-going, near-real-time] (repeat process as necessary)
Stack image source: Cloud Security Alliance specification, 2009
Cloud-adapted Risk Management Framework cont.
Step 1: Categorize Federal Information System
Step 2: Identify Security Requirements, perform a Risk Assessment & select the Security Controls deemed necessary
Step 3: Select best-fitting Cloud Architecture
Cloud-adapted Risk Management Framework cont. (figure: User-data Boundary)
Step 4: Assess Service Provider(s) & Broker (if applicable)
 - leverage FedRAMP P-ATOs or Agency-ATOs, or assess the controls
 - build the necessary TRUST that the residual risk is acceptable
Step 5: Authorize Use of Service
 - negotiate SLAs & Security SLA
Step 6: Monitor Service Provider(s) (on-going, near-real-time); repeat process as necessary
Distributed Architecture = Split Control & Responsibilities
Security Conservation Principle
CLOUD ECOSYSTEM (figure):
 Cloud Clients (Browsers, Mobile Apps, etc.)
 CLOUD ENVIRONMENT:
  Software as a Service (SaaS) (Application, Services)
  Platform as a Service (PaaS) (APIs, Pre-built components)
  Infrastructure as a Service (IaaS) (VMs, Load Balancers, DB, etc.)
  Physical Hardware (Servers, Storage, Networking)
Privacy Conservation Principle (Privacy Coin)
User's Privacy vs. Data Privacy: What is the difference? (figure: User-data Boundary)
Privacy Enhanced User & Data Protection
Sharing raw sensitive data beyond the original trusted entity (system owner) introduces the risk of a variety of harms to an individual's privacy: Stigmatization; Power Imbalance; Loss of Liberty; Economic Loss (identity theft). [NIST Privacy Engineering Objectives and Risk Model Discussion Draft]
Defense mechanisms:
1. Encryption. Concerns: key management.
2. Simple anonymization. Concerns: deanonymization when auxiliary data is available; limited applicability (statistical datasets).
3. Differentially-privatized data. Concerns: limited applicability (statistical datasets); accuracy concerns.
(figure labels: Synthetic, Meta-Data)
Can differential privacy protect Consumers against nosey cloud Providers?
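As an added illustration of the "accuracy concerns" and "statistical datasets only" caveats on differentially-privatized data (example code written for this page, not from the slides or from NIST), the Laplace mechanism applied to a counting query over a constructed dataset: the same ε-noise that is negligible on a 10,000-record count swamps a 20-person subgroup count, and the mechanism only makes sense for aggregate statistics, never for releasing raw records. The dataset, ε values and seeds are constructed.

```python
# Added example (not from the original slides): ε-differential privacy on a
# counting query, to show why accuracy degrades on small statistics and why
# the technique applies to aggregates rather than raw records. All data constructed.
import math
import random

# Constructed sample dataset: each record is one individual (read-only copies).
RECORDS = [{"zip": "20899", "condition": "flu"}] * 20 + \
          [{"zip": "20899", "condition": "none"}] * 9980


def laplace_sample(scale: float, rng: random.Random) -> float:
    """Draw one Laplace(0, scale) value by inverse CDF from a uniform draw."""
    u = rng.random() - 0.5          # u in [-0.5, 0.5)
    if u <= -0.5:                   # guard the one point where log(0) would occur
        u = 0.0
    return -scale * math.copysign(1.0, u) * math.log(1.0 - 2.0 * abs(u))


def dp_count(records, predicate, epsilon: float, seed=None) -> float:
    """ε-DP count via the Laplace mechanism. A count has L1 sensitivity 1
    (adding or removing one person moves it by at most 1), so noise scale is 1/ε."""
    rng = random.Random(seed)
    true_count = sum(1 for r in records if predicate(r))
    return true_count + laplace_sample(1.0 / epsilon, rng)


def expected_abs_error(epsilon: float, sensitivity: float = 1.0) -> float:
    """Mean absolute error of Laplace noise: E|Lap(b)| = b = sensitivity / ε."""
    return sensitivity / epsilon


def relative_error(true_count: int, epsilon: float) -> float:
    """Expected error as a fraction of the true count; grows as 1/(n*ε)."""
    return expected_abs_error(epsilon) / true_count


if __name__ == "__main__":
    eps = 0.1
    flu = lambda r: r["condition"] == "flu"
    print("DP count of all records:", round(dp_count(RECORDS, lambda r: True, eps, seed=1)))
    print("DP count of flu cases:  ", round(dp_count(RECORDS, flu, eps, seed=2)))
    # Same noise scale, very different usefulness: ~0.1% error on 10,000 vs ~50% on 20.
    print("relative error, n=10000:", relative_error(10000, eps))
    print("relative error, n=20:   ", relative_error(20, eps))
```

Raising ε shrinks the error but weakens the privacy guarantee, which is the trade-off behind the "accuracy concerns" caveat.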
Privacy Enhanced User-Data Protection
When Things Go Wrong in the Cloud
1. Segregation of potential evidence in a multi-tenant system
2. Locating and collecting volatile data
3. Evidence correlation across multiple cloud Providers
4. Malicious code may circumvent virtual machine isolation methods
5. Ease of anonymity and creating false personas online
6. e-discovery
7. Evidence correlation of multiple copies at different geo-locations
8. Data deletion: a) deleted when needed for investigations; b) often reveals information about others (overwritten)
Highest Priority Challenges & Scores
Score  Challenge
10     Confidentiality and PII
9      Root of trust
9      E-discovery
8      Deletion in the cloud
8      Lack of transparency
7      Timestamp synchronization
7      Use of metadata
7      Multiple venues and geolocations
7      Data integrity and evidence preservation
6      Recovering overwritten data
6      Cloud confiscation and resource seizure
6      Potential evidence segregation
6      Secure provenance
6      Data chain of custody
6      Chain of dependencies
6      Locating evidence
6      Locating storage media
6      Evidence identification
6      Dynamic storage
6      Live forensics
6      Resource abstraction
6      Ambiguous trust boundaries
6      Cloud training for investigators
From NIST IR 8006: DRAFT NIST Cloud Computing Forensic Science Challenges, http://csrc.nist.gov/publications/pubsnistirs.html
Questions? Thank you!
Additional Information
NIST Cloud Home Page: http://www.nist.gov/itl/cloud
NIST Cloud Computing Collaborative Twiki: http://collaborate.nist.gov/twiki-cloud-computing/bin/view/cloudcomputing/cloudsecurity