Cloud Computing Technologies Achieving Greater Trustworthiness and Resilience
Cloud Standards Customer Council Public Sector Cloud Summit, March 24, 2014
Dr. Ron Ross, Computer Security Division, Information Technology Laboratory
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 1

We are living in the golden age of information technology. Ironically, the same information technology that has brought unprecedented innovation and prosperity to millions has now become a significant vulnerability to nation states, corporate entities, and individuals. How do we provide for the common defense in the digital age?

Advanced Persistent Threat
An adversary that:
- Possesses significant levels of expertise and resources.
- Creates opportunities to achieve its objectives by using multiple attack vectors (e.g., cyber, physical, deception).
- Establishes footholds within the IT infrastructure of targeted organizations:
  - to exfiltrate information;
  - to undermine or impede critical aspects of a mission, program, or organization; and
  - to position itself to carry out these objectives in the future.

Classes of Vulnerabilities
A 2013 Defense Science Board report described three tiers:
- Tier 1: Known vulnerabilities.
- Tier 2: Unknown vulnerabilities (zero-day exploits).
- Tier 3: Adversary-created vulnerabilities (APT).
Two-thirds of these vulnerability classes are off the radar of most organizations.

We want to strengthen the underlying information technology infrastructure to achieve stronger, more resilient information systems: reducing the likelihood that cyber attacks will be successful and helping to ensure we can continue to carry out critical federal missions and business operations.

Complexity: ground zero for our current problems.

If we can't understand it, we can't protect it.

Cloud Computing: Managing Complexity
Consolidate. Optimize. Standardize. And integrate information security requirements.
This reduces the size and complexity of IT infrastructures, promotes good information security and privacy, and can potentially lower costs (significantly) for organizations.

With cloud computing, you don't have to own everything. It is now possible to reduce the size of our digital footprint.

Cloud computing: lower cost, more efficient services, better security. On demand, scalable, dynamic. Churning the IT infrastructure can eliminate malware.

What Cloud Gives Us
- Less complicated IT infrastructure.
- Less expensive IT infrastructure.
- More efficient services for consumers.
- More resilient IT infrastructure.
- More effective, risk-based information security.

One Possible Cloud Approach
- Categorize information and systems, separating critical and sensitive data into domains.
- Choose the best cloud model for each domain:
  - Private cloud: high-impact data.
  - Public cloud: low-impact and moderate-impact data.
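As an added illustration of the categorize-then-place step above (example code, not from the NIST deck): each system is categorized per FIPS 199 by taking the highest of its confidentiality, integrity and availability impact levels (the high-water mark), and the resulting category drives the cloud placement the slide sketches; the slide's layout is read here as high impact to private cloud, low and moderate to public cloud, and the sample inventory is constructed.

```python
# Added example: FIPS 199 high-water-mark categorization feeding the
# private/public cloud placement rule from the slide. Sample systems are
# constructed for illustration and are not from the presentation.
from dataclasses import dataclass

IMPACT_RANK = {"low": 1, "moderate": 2, "high": 3}


@dataclass(frozen=True)
class SystemCategorization:
    name: str
    confidentiality: str
    integrity: str
    availability: str

    def security_category(self) -> str:
        # FIPS 199 high-water mark: the overall impact level of a system is
        # the highest level assigned to any of the three security objectives.
        levels = (self.confidentiality, self.integrity, self.availability)
        for lvl in levels:
            if lvl not in IMPACT_RANK:
                raise ValueError(f"unknown impact level: {lvl!r}")
        return max(levels, key=IMPACT_RANK.__getitem__)


def cloud_placement(category: str) -> str:
    # Placement rule as read from the slide: high-impact data stays in a
    # private cloud; low- and moderate-impact data may go to a public cloud.
    return "private" if IMPACT_RANK[category] == IMPACT_RANK["high"] else "public"


def plan(systems):
    # Map each system name to (overall FIPS 199 category, cloud placement).
    result = {}
    for s in systems:
        cat = s.security_category()
        result[s.name] = (cat, cloud_placement(cat))
    return result


# Constructed sample inventory (hypothetical systems).
SAMPLE_SYSTEMS = [
    SystemCategorization("public-website", "low", "moderate", "low"),
    SystemCategorization("payroll", "moderate", "high", "moderate"),
    SystemCategorization("benefits-records", "moderate", "moderate", "low"),
]

if __name__ == "__main__":
    for name, (cat, where) in plan(SAMPLE_SYSTEMS).items():
        print(f"{name}: {cat} impact -> {where} cloud")
```

Note that a single "high" on any one objective (integrity for the payroll system here) is enough to pull the whole system into the private enclave, which is exactly the conservative behaviour the high-water mark is meant to produce.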

Resilience: the only way to go for critical missions and information systems.

Dual Protection Strategies
Sometimes your information systems will be compromised even when you do everything right.
Boundary Protection
- Primary consideration: penetration resistance.
- Adversary location: outside the defensive perimeter.
- Objective: repel the attack.
Agile Defense
- Primary consideration: information system resilience.
- Adversary location: inside the defensive perimeter.
- Objective: operate while under attack, limit damage, survive.

Cloud Can Provide Agile Defense
Boundary protection is a necessary but not sufficient condition for agile defense.
Examples of agile defense measures:
- Compartmentalization and segregation of critical assets.
- Targeted allocation of security controls.
- Virtualization and obfuscation techniques.
- Encryption of data at rest.
- Limiting privileges.
- Routine reconstitution to a known secure state.
Bottom line: limit the damage of a hostile attack while operating in a (potentially) degraded or debilitated state.

Cloud Provides Defense-in-Depth
Links in the security and privacy chain (security and privacy controls):
- Risk assessment
- Security planning, policies, procedures
- Configuration management and control
- Contingency planning
- Incident response planning
- Security awareness and training
- Security in acquisitions
- Physical and personnel security
- Security assessments and authorization
- Continuous monitoring
- Privacy protection
- Access control mechanisms
- Identification and authentication mechanisms (biometrics, tokens, passwords)
- Audit mechanisms
- Encryption mechanisms
- Boundary and network protection devices (firewalls, guards, routers, gateways)
- Intrusion protection/detection systems
- Security configuration settings
- Anti-viral, anti-spyware, anti-spam software
- Smart cards
Adversaries attack the weakest link. Where is yours?

Cloud technologies can bring best practices to systems design and development.

The Federal Cyber Security Strategy: Build It Right, Continuously Monitor

The Cyber Security Toolset
- NIST Special Publication 800-39, Managing Information Security Risk: Organization, Mission, and Information System View
- NIST Special Publication 800-30, Guide for Conducting Risk Assessments
- NIST Special Publication 800-37, Applying the Risk Management Framework to Federal Information Systems
- NIST Special Publication 800-53, Security and Privacy Controls for Federal Information Systems and Organizations
- NIST Special Publication 800-53A, Guide for Assessing the Security Controls in Federal Information Systems and Organizations

For bridge builders, it's all about physics: equilibrium, static and dynamic loads, vibrations, and resonance.

For information system developers, it's all about mathematics, computer science, architecture, and systems engineering: trustworthiness, assurance, penetration resistance, and resilience.

The national imperative for building stronger, more resilient information systems:
- Software assurance.
- Systems and security engineering.
- Supply chain risk management.

Security should be a by-product of good design and development practices; cloud technologies can help.

Getting the attention of the C-suite.

TACIT Security: Threat, Assets, Complexity, Integration, Trustworthiness
Merriam-Webster Dictionary: tacit (adjective): expressed or understood without being directly stated.

Threat
Develop a better understanding of the modern threat space, including the capability of adversaries to launch sophisticated, targeted cyber-attacks that exploit specific organizational vulnerabilities.
- Obtain open source and/or classified threat briefings.
- Include external and insider threat assessments.

Assets
Conduct a comprehensive criticality analysis of organizational assets, including information and information systems.
- Use FIPS Publication 199 for mission/business impact analysis (triage).

Complexity
Reduce the complexity of the information technology infrastructure, including IT component products and information systems.
- Use enterprise architecture to consolidate, optimize, and standardize the IT infrastructure.
- Employ cloud computing architectures to reduce the number of IT assets that need to be managed.

Integration
Integrate information security requirements and the security expertise of individuals into organizational development and management processes.
- Embed security personnel into enterprise architecture, systems engineering, SDLC, and acquisition processes.
- Coordinate security requirements with mission/business owners; become key stakeholders.

Trustworthiness
Invest in more trustworthy and resilient information systems supporting organizational missions and business functions.
- Isolate critical assets into separate enclaves.
- Implement solutions with greater strength of mechanism.
- Increase developmental and evaluation assurance.
- Use modular design, layered defenses, and component isolation.

Summary: TACIT Security
- Understand the cyber threat space.
- Conduct a thorough criticality analysis of organizational assets.
- Reduce the complexity of the IT infrastructure.
- Integrate security requirements into organizational processes.
- Invest in the trustworthiness and resilience of IT components and systems.

Cybersecurity is the great challenge of the 21st century. Cybersecurity problems are hard, not easy. Cloud technologies can help.

Be proactive, not reactive, when it comes to protecting your organizational assets.

The clock is ticking; the time to act is now. Failure is not an option when freedom and economic prosperity are at stake.

Contact Information
100 Bureau Drive, Mailstop 8930, Gaithersburg, MD 20899-8930, USA
Project Leader: Dr. Ron Ross, (301) 975-5390, ron.ross@nist.gov
Administrative Support: Peggy Himes, (301) 975-2489, peggy.himes@nist.gov
Senior Information Security Researchers and Technical Support:
- Pat Toth, (301) 975-5140, patricia.toth@nist.gov
- Kelley Dempsey, (301) 975-2827, kelley.dempsey@nist.gov
- Arnold Johnson, (301) 975-3247, arnold.johnson@nist.gov
Web: csrc.nist.gov/sec-cert
Comments: sec-cert@nist.gov