ITL BULLETIN FOR JUNE 2012 CLOUD COMPUTING: A REVIEW OF FEATURES, BENEFITS, AND RISKS, AND RECOMMENDATIONS FOR SECURE, EFFICIENT IMPLEMENTATIONS



Similar documents
The NIST Definition of Cloud Computing (Draft)

The NIST Definition of Cloud Computing

Cloud Computing. Course: Designing and Implementing Service Oriented Business Processes

IS PRIVATE CLOUD A UNICORN?

Session 2. The economics of Cloud Computing

The Hybrid Cloud: Bringing Cloud-Based IT Services to State Government

Cloud Computing Synopsis and Recommendations


DRAFT Cloud Computing Synopsis and Recommendations

MANAGING THE CONFIGURATION OF INFORMATION SYSTEMS WITH A FOCUS ON SECURITY

OWASP Chapter Meeting June Presented by: Brayton Rider, SecureState Chief Architect

White Paper on CLOUD COMPUTING

Cloud Computing; What is it, How long has it been here, and Where is it going?

See Appendix A for the complete definition which includes the five essential characteristics, three service models, and four deployment models.

Capability Paper. Today, aerospace and defense (A&D) companies find

Perspectives on Moving to the Cloud Paradigm and the Need for Standards. Peter Mell, Tim Grance NIST, Information Technology Laboratory

Perspectives on Cloud Computing and Standards. Peter Mell, Tim Grance NIST, Information Technology Laboratory

Managing Cloud Computing Risk

Cloud Computing: The Next Computing Paradigm

Standardizing Cloud Services for Financial Institutions through the provisioning of Service Level Agreements (SLAs)

NETWORK ACCESS CONTROL AND CLOUD SECURITY. Tran Song Dat Phuc SeoulTech 2015

INTRODUCTION TO CLOUD COMPUTING CEN483 PARALLEL AND DISTRIBUTED SYSTEMS

Cloud Computing Submitted By : Fahim Ilyas ( ) Submitted To : Martin Johnson Submitted On: 31 st May, 2009

East African Information Conference th August, 2013, Kampala, Uganda. Security and Privacy: Can we trust the cloud?

Running head: TAKING A DEEPER LOOK AT THE CLOUD: SOLUTION OR 1

Security Issues in Cloud Computing

Security Considerations for Public Mobile Cloud Computing

Business Intelligence (BI) Cloud. Prepared By: Pavan Inabathini

A Strawman Model. NIST Cloud Computing Reference Architecture and Taxonomy Working Group. January 3, 2011

OVERVIEW Cloud Deployment Services

Flying into the Cloud: Do You Need a Navigator? Services. Colin R. Chasler Vice President Solutions Architecture Dell Services Federal Government

Technology & Business Overview of Cloud Computing

Kent State University s Cloud Strategy

6 Cloud computing overview

A Cloud Computing Handbook for Business

Cloud Security Introduction and Overview

Federal Cloud Computing Initiative Overview

Cloud Computing for SCADA

A Study on Analysis and Implementation of a Cloud Computing Framework for Multimedia Convergence Services

SCADA Cloud Computing

AskAvanade: Answering the Burning Questions around Cloud Computing

IT Security Risk Management Model for Cloud Computing: A Need for a New Escalation Approach.

CLOUD COMPUTING GUIDELINES FOR LAWYERS

agility made possible Steven Romero Robert E Stroud

Cloud definitions you've been pretending to understand. Jack Daniel, Reluctant CISSP, MVP Community Development Manager, Astaro

The Magical Cloud. Lennart Franked. Department for Information and Communicationsystems (ICS), Mid Sweden University, Sundsvall.

Future of Cloud Computing. Irena Bojanova, Ph.D. UMUC, NIST

Seeing Though the Clouds

IBM Cloud Security Draft for Discussion September 12, IBM Corporation

GUIDE TO INFORMATION SECURITY TESTING AND ASSESSMENT

A white paper from Fordway on CLOUD COMPUTING. Why private cloud should be your first step on the cloud computing journey - and how to get there

Security & Trust in the Cloud

Overview of Cloud Computing and Cloud Computing s Use in Government Justin Heyman CGCIO, Information Technology Specialist, Township of Franklin

Cloud Computing. What is Cloud Computing?

NIST Cloud Computing Reference Architecture

Strategies for Secure Cloud Computing

Cloud Computing in the Federal Sector: What is it, what to worry about, and what to negotiate.

What is Cloud Computing? First, a little history. Demystifying Cloud Computing. Mainframe Era ( ) Workstation Era ( ) Xerox Star 1981!

Document: NIST CCSRWG 092. First Edition

Cloud Security for Federal Agencies

How To Get A Cloud Based System In Your Country

WHITE PAPER: STRATEGIC IMPACT PILLARS FOR EFFICIENT MIGRATION TO CLOUD COMPUTING IN GOVERNMENT

GAO INFORMATION SECURITY. Federal Guidance Needed to Address Control Issues with Implementing Cloud Computing. Report to Congressional Requesters

Cloud Computing A NIST Perspective & Beyond. Robert Bohn, PhD Advanced Network Technologies Division

SURVEY OF ADAPTING CLOUD COMPUTING IN HEALTHCARE

ITSM in the Cloud. An Overview of Why IT Service Management is Critical to The Cloud. Presented By: Rick Leopoldi RL Information Consulting LLC

Validation of a Cloud-Based ERP system, in practice. Regulatory Affairs Conference Raleigh. 8Th September 2014

CLOUD COMPUTING SECURITY CONCERNS

Analysis and Strategy for the Performance Testing in Cloud Computing

Cloud Computing. Bringing the Cloud into Focus

The cloud - ULTIMATE GAME CHANGER ===========================================

Fast IT: Accelerate Your Business

Cloud Computing Flying High (or not) Ben Roper IT Director City of College Station

How To Manage Security In A Federal System

Mobile Cloud Computing Security Considerations

The Cloud in Regulatory Affairs - Validation, Risk Management and Chances -

Managing the Real Cost of On-Demand Enterprise Cloud Services with Chargeback Models

Topics. Images courtesy of Majd F. Sakr or from Wikipedia unless otherwise noted.

CSO Cloud Computing Study. January 2012

John Essner, CISO Office of Information Technology State of New Jersey

IT Risk and Security Cloud Computing Mike Thomas Erie Insurance May 2011

CLOUD COMPUTING. Agencies Need to Incorporate Key Practices to Ensure Effective Performance

Federal Aviation Administration. efast. Cloud Computing Services. 25 October Federal Aviation Administration

ITL BULLETIN FOR JANUARY 2011

National Institute of Standards and Technology

A COALFIRE PERSPECTIVE. Moving to the Cloud. NCHELP Spring Convention Panel May 2012

journey to a hybrid cloud

Transcription:

ITL BULLETIN FOR JUNE 2012 CLOUD COMPUTING: A REVIEW OF FEATURES, BENEFITS, AND RISKS, AND RECOMMENDATIONS FOR SECURE, EFFICIENT IMPLEMENTATIONS Shirley Radack, Editor Computer Security Division Information Technology Laboratory National Institute of Standards and Technology Department of Commerce Cloud computing is an emerging area of distributed computing that offers many potential benefits to organizations by making information technology (IT) services available as a commodity. When they contract for cloud services, such as applications, software, data storage, and processing capabilities, organizations can improve their efficiency and their ability to respond more quickly and reliably to their customers needs. At the same time, there are risks to be considered, including maintaining the security and privacy of systems and information, and assuring the wise expenditure of IT resources. Cloud computing is not a single type of system, but it encompasses a range of underlying technologies and configuration options. The strengths and weaknesses of the different cloud technologies, configurations, service models, and deployment methods should be considered by organizations evaluating services to meet their requirements. The U.S. Office of Management and Budget (OMB) has identified cloud computing as a tool for helping federal government agencies provide reliable, innovative, and timely services, especially when resources are constrained. The National Institute of Standards and Technology (NIST) has been working in collaboration with government, industry, and standards bodies to accelerate the federal government s secure adoption of cloud computing. NIST s goals are to foster cloud computing systems and practices; support interoperability, portability, and security requirements; and cooperate in the development of needed standards and guidelines. NIST Special Publication (SP) 800-146, Cloud Computing Synopsis and Recommendations: Recommendations of the National Institute of Standards and Technology The Information Technology Laboratory (ITL) at NIST recently issued a new publication that explains the different cloud computing technologies and configurations, and recommends methods and approaches that organizations should consider when making decisions about implementing cloud computing. NIST SP 800-146, which was written by Lee Badger and Tim Grance of NIST, Robert Patt-Corner of Global Tech, Inc., and Jeff Voas of NIST, also identifies areas that need further analysis.

The publication includes an explanation of the commercial terms that are frequently used in service agreements between subscribers and providers of cloud computing systems. One section is devoted to a discussion of how cloud computing may be deployed and the general issues associated with each deployment method. Other sections of the publication explain the various service models for cloud computing and their different strengths and weaknesses. A section of the new publication details the open issues that remain to be resolved for cloud computing: computing performance; cloud reliability; economic goals; compliance; and data and application security. General recommendations for the implementation of cloud computing cover the areas of management, data governance, security and reliability, virtual machines, and software and applications. The appendices to SP 800-146 include an example of the different costs and benefits that can be associated with cloud computing; a discussion of roles and responsibilities of providers and subscribers of cloud services in protecting the security and privacy of information systems; a list of acronyms and abbreviations used; a glossary of terms used; and a list of references. NIST SP 800-146 is available here. Characteristics of Cloud Computing NIST has defined cloud computing as a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. For a discussion of this definition, see NIST SP 800-145, The NIST Definition of Cloud Computing, listed in the For More Information section below. With cloud computing, organizations can have on-demand self-service for computing capabilities, such as server time and network storage when needed, and through a single provider. Capabilities for different platforms, such as mobile phones, laptops computers, and personal digital assistants, are available through broad network access. The provider s computing resources are pooled to serve multiple consumers using a multi-tenant model, with different physical and virtual resources dynamically assigned and reassigned according to consumer demand. While the location of the resources, such as storage, processing, memory, network bandwidth, and virtual machines, is not controlled by the subscriber, it may be possible for the subscriber to specify the country, state, or data center that provides the cloud services. Cloud capabilities can be provided to the subscriber rapidly and elastically, allowing the subscriber to either increase or decrease services. The capabilities available often appear to be unlimited to the subscriber and can be purchased in any quantity at any time.

Cloud systems automatically control and optimize resource use through a measured service capability that is appropriate for the type of service provided. Resource usage can be monitored, controlled, and reported providing transparency for both the provider and the consumer of the utilized service. Issues to be Considered in the Deployment of Cloud Computing Cloud computing allows computer users to conveniently rent access to fully featured applications, to software development and deployment environments, and to computing infrastructure assets such as network-accessible data storage and processing. When considering the move to cloud computing, organizations should evaluate the different technologies and configurations, and determine the specific parts of the cloud computing spectrum that meet their needs. The factors to be considered include: Deployment Models. Depending on the kind of cloud deployment, the cloud may have limited private computing resources, or may have access to large quantities of remotely accessed resources. The following deployment models present a number of trade-offs in how customers can control their resources, and the scale, cost, and availability of resources. Private cloud. The cloud infrastructure is operated solely for an organization. It may be managed by the organization or a third party and may exist on premise or off premise. Community cloud. The cloud infrastructure is shared by several organizations and supports a specific community that has shared concerns (e.g., mission, security requirements, policy, and compliance considerations). It may be managed by the organizations or a third party and may exist on premise or off premise. Public cloud. The cloud infrastructure is made available to the general public or a large industry group and is owned by an organization selling cloud services. Hybrid cloud. The cloud infrastructure is a composition of two or more clouds (private, community, or public) that remain unique entities but that are bound together by standardized or proprietary technology enabling data and application portability. On-site private cloud. The security perimeter for this deployment model extends around both the subscriber's on-site resources and the private cloud's resources. The private cloud may be centralized at a single subscriber site or may be distributed over several subscriber sites. The subscriber implements the security perimeter, which will not guarantee control over the private

cloud's resources, but will enable the subscriber to exercise control over resources entrusted to the on-site private cloud. Service Models. The following service models have different strengths and are suitable for different customers and business objectives. In general, interoperability and portability of customer workloads are more achievable in the Infrastructure as a Service (IaaS) service model because the building blocks of this service are relatively welldefined. Cloud Software as a Service (SaaS). The subscriber uses the provider s applications running on a cloud infrastructure. The applications are accessible from various client devices through a thin client interface such as a Web browser. The consumer does not manage or control the underlying cloud infrastructure, including network, servers, operating systems, storage, or individual application capabilities. It might be possible for the subscriber to specify application configuration settings. Cloud Platform as a Service (PaaS). This service allows the subscriber to deploy onto the cloud infrastructure applications that the subscriber created or acquired using programming languages and tools supported by the provider. The consumer does not manage or control the underlying cloud infrastructure including network, servers, operating systems, or storage, but has control over the deployed applications and possibly application hosting environment configurations. Cloud Infrastructure as a Service (IaaS). This service enables the subscriber to use processing, storage, networks, and other fundamental computing resources, and to deploy and run other software, including operating systems and applications. The consumer does not manage or control the underlying cloud infrastructure but has control over operating systems, storage, deployed applications, and possibly limited control of select networking components, such as host firewalls. Economic Considerations. In outsourced and public deployment models, cloud computing provides convenient rental of computing resources: users pay service charges while using a service but need not pay large up-front acquisition costs to build a computing infrastructure. The reduction of up-front costs reduces the risks for pilot projects and experimental efforts, and enhances organizational flexibility. In outsourced and public deployment models, cloud computing allows the customer to request, receive, and later release as many resources as needed. This elasticity can enable the customer to avoid excessive costs from over-provisioning capacity to meet peak demand but not using the capacity in nonpeak periods. A careful analysis of the costs of operation, compliance, and security, including costs to migrate to and, if necessary, migrate from a cloud, is necessary to determine overall costs.

Operational Characteristics. Cloud systems generally depend on networking and any limitations on networking, such as data import/export bottlenecks or service disruptions, reduce cloud utility, especially for applications that are not tolerant of disruptions. Service-Level Agreements (SLAs). Organizations should understand the terms of the service agreements that define the legal relationships between cloud customers and cloud providers. Organization should also understand customer responsibilities, and those of the service provider, before using a cloud service. Security. Cloud computing systems are complex networked systems that are affected by traditional computer and network security issues, such as the need to provide data confidentiality, data integrity, and system availability. By imposing uniform management practices, cloud providers may be able to improve on some security update and response issues. Clouds, however, have the potential to aggregate private, sensitive information about customers in cloud data centers. Cloud providers must assure the subscriber that they can keep customer data isolated and protected. Since cloud users and administrators rely heavily on Web browsers, browser security failures can lead to cloud security breaches. The privacy and security of cloud computing depend primarily on whether the cloud service provider has implemented robust security controls and a sound privacy policy required by their customers. Customers need confidence and transparency about the performance of the cloud system and how well it is managed. The move to cloud computing is a business decision that takes into account the readiness of existing applications for cloud deployment, the transition and life-cycle costs, the maturity of service orientation in the existing infrastructure, and the organization s security and privacy requirements. Open Issues Cloud computing may not be a solution for all organizations, nor is it appropriate for all applications. Many of the open issues with respect to deploying cloud computing are similar to concerns that apply to other IT hosted services. Complex computing and software systems may contain flaws, fail, or compromise security. As a result, techniques for detecting failures, understanding their consequences, isolating their effects, and remediating them, are central to the wide-scale adoption of clouds. Cloud computing has potential to foster more efficient markets through swift leasing of computing resources. Consumers may be able to forgo capital expenses in exchange for variable service fees. Providers of cloud computing can leverage capital expenses to serve many clients. These economic issues become mixed with the complexities of network and system configurations as well as the risks of exposing data and software assets to an external party. The technical means used to provide the quality of service promised by cloud providers are usually not disclosed to the consumer, thus raising questions about how consumers can verify that the promised quality of service has been provided. Additionally, efficient

markets rely on consumers' ability to compare service offerings. This is difficult since service agreements may not adhere to standard metrics, terminology, and vocabularies. Different types of applications require differing levels of computing system performance. For example, email services may tolerate short service interruptions, but industrial automation and real-time processing generally require both high performance and a high degree of predictability. These performance issues are similar to performance issues for other forms of distributed computing. Reliability refers to the probability that a system will offer failure-free service for a specified period of time within the bounds of a specified environment. Cloud reliability is a function of the reliability of four individual components: the hardware and software facilities offered by providers; the provider s personnel; connectivity to the subscribed services; and the consumer s personnel. Cloud computing offers an opportunity for consumers to meet economic goals by using computing resources with small or modest up-front costs; also cloud computing promotes business agility by reducing the costs of pilot efforts, and may reduce costs to consumers through economies of scale. Although the benefits can be substantial, a number of economic risks must be considered as well. When data or processing is moved to a cloud, the consumer retains the ultimate responsibility for compliance with established policies and regulations but the provider who has direct access to the data may be in the best position to enforce compliance rules. The issues of compliance should be addressed in the contract for cloud services. The General Services Administration (GSA) through the Federal Risk and Authorization Management Program (FedRAMP) is working towards a more consolidated set of compliance requirements and efficient reuse of compliance information. This governmentwide program provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services. Information security involves protecting the confidentiality and integrity of data and ensuring data availability. An organization that owns and runs its IT operations will apply organizational and administrative controls, specifying who can perform data-related operations such as creation, access, disclosure, transport, and destruction of data; physical controls to protect storage media and devices; and technical controls for identity and access management, data encryption, and other data protection measures. When an organization subscribes to cloud services, all of the data generated and processed will physically reside in systems that are owned and operated by a provider. An open issue is whether the consumer can obtain assurance that the provider is implementing the same or equivalent controls as the consumer would have implemented. Other considerations include the quality of a cloud's implementation, the vulnerability of the cloud to attack, system complexity, and the expertise level of cloud administrators. General Recommendations

Under the Federal Information Security Management Act (FISMA) of 2002, federal agencies are required to apply a risk-based policy to achieve cost-effective results for the security of their information and information systems. Standards and guidelines developed by NIST help agencies to carry out effective information security programs based on the management of risk. SP 800-146 includes general recommendations that supplement existing NIST standards and recommendations for cloud systems. See Section 9 of the publication for recommendations in the areas of management, data governance, security and reliability, virtual machines, and software and applications. For More Information Federal Information Processing Standards (FIPS) and NIST Special Publications (SPs), including the following, are referenced in NIST SP 800-146: FIPS 199, Standards for Security Categorization of Federal Information and Information Systems FIPS 200, Minimum Security Requirements for Federal Information and Information Systems NIST SP 800-41, Revision 1, Guidelines on Firewalls and Firewall Policy NIST SP 800-53, Revision 3, Recommended Security Controls for Federal Information Systems and Organizations NIST SP 800-144, Guidelines on Security and Privacy in Public Cloud Computing NIST SP 800-145, The NIST Definition of Cloud Computing For information about these NIST standards and recommendations, as well as other security-related publications, see here. Information about FEDRAMP is here. ITL Bulletin Publisher: Elizabeth Lennon Writer/Editor Information Technology Laboratory National Institute of Standards and Technology Email here. Disclaimer Any mention of commercial products or reference to commercial organizations is for information only; it does not imply recommendation or endorsement by NIST, nor does it imply that the products mentioned are necessarily the best available for the purpose.

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information