Expert answer: NIST Cloud Security Management

Answer & Explanation: Create an overview of the NIST Cloud Security Management publications, how they relate to ITIL and ISO, and how they can be used in an organization. One place to start is on the NIST Workshop site linked below and the “Presentation on Effectively and Securely Using the Cloud Computing Paradigm v26”.
NIST Workshop Site Link: http://www.nist.gov/itl/cloud/
Presentation: cloud_computing_v26.ppt (attached)
Submission Requirements
Format: Microsoft Word
Citation Style: APA
Length: 2–3 pages (plus a cover sheet)

Attachment preview (cloud_computing_v26.ppt):

Effectively and Securely Using the Cloud Computing Paradigm
Peter Mell, Tim Grance
NIST, Information Technology Laboratory
10-7-2009

NIST Cloud Research Team
Peter Mell
Project Lead
Lee Badger
Tim Grance
Program Manager
Contact information is available from:
http://www.nist.gov/public_affairs/contact.htm

NIST Cloud Computing Resources
• NIST Draft Definition of Cloud Computing
• Presentation on Effective and Secure Use of Cloud Computing
• http://csrc.nist.gov/groups/SNS/cloud-computing/index.html
Caveats and Disclaimers
• This presentation provides education on cloud technology and its benefits to set up a discussion of cloud security
• It is NOT intended to provide official NIST guidance and NIST does not make policy
• Any mention of a vendor or product is NOT an endorsement or recommendation
Citation Note: All sources for the material in this presentation are included within the PowerPoint “notes” field on each slide

Agenda
• Part 1: Effective and Secure Use
– Understanding Cloud Computing
– Cloud Computing Security
– Secure Cloud Migration Paths
– Cloud Publications
– Cloud Computing and Standards
• Part 2: Cloud Resources, Case Studies, and Security Models
– Thoughts on Cloud Computing
– Foundational Elements of Cloud Computing
– Cloud Computing Case Studies and Security Models

Part I: Effective and Secure Use

Understanding Cloud Computing
Origin of the term “Cloud Computing”
• “Comes from the early days of the Internet where we drew the network as a cloud… we didn’t care where the messages went… the cloud hid it from us” – Kevin Marks, Google
• First cloud around networking (TCP/IP abstraction)
• Second cloud around documents (WWW data abstraction)
• The emerging cloud abstracts infrastructure complexities of servers, applications, data, and heterogeneous platforms
– (“muck” as Amazon’s CEO Jeff Bezos calls it)
A Working Definition of Cloud Computing
• Cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.
• This cloud model promotes availability and is composed of five essential characteristics, three service models, and four deployment models.

5 Essential Cloud Characteristics
• On-demand self-service
• Broad network access
• Resource pooling
– Location independence
• Rapid elasticity
• Measured service
3 Cloud Service Models
• Cloud Software as a Service (SaaS)
– Use provider’s applications over a network
• Cloud Platform as a Service (PaaS)
– Deploy customer-created applications to a cloud
• Cloud Infrastructure as a Service (IaaS)
– Rent processing, storage, network capacity, and other fundamental computing resources
• To be considered “cloud” they must be deployed on top of cloud infrastructure that has the key characteristics

Service Model Architectures
[Figure: three panels, Software as a Service (SaaS) Architectures, Platform as a Service (PaaS) Architectures, and Infrastructure as a Service (IaaS) Architectures; each shows stacks built on Cloud Infrastructure with IaaS, PaaS and SaaS layers.]
4 Cloud Deployment Models
• Private cloud
– enterprise owned or leased
• Community cloud
– shared infrastructure for specific community
• Public cloud
– Sold to the public, mega-scale infrastructure
• Hybrid cloud
– composition of two or more clouds

Common Cloud Characteristics
• Cloud computing often leverages:
– Massive scale
– Homogeneity
– Virtualization
– Resilient computing
– Low cost software
– Geographic distribution
– Service orientation
– Advanced security technologies

The NIST Cloud Definition Framework
[Figure, layered top to bottom: Deployment Models (Private Cloud, Community Cloud, Public Cloud, Hybrid Clouds); Service Models (Software as a Service (SaaS), Platform as a Service (PaaS), Infrastructure as a Service (IaaS)); Essential Characteristics (On Demand Self-Service, Broad Network Access, Rapid Elasticity, Resource Pooling, Measured Service); Common Characteristics (Massive Scale, Resilient Computing, Homogeneity, Geographic Distribution, Virtualization, Service Orientation, Low Cost Software, Advanced Security).]
Based upon original chart created by Alex Dowbor – http://ornot.wordpress.com
Cloud Computing Security

Security is the Major Issue

Analyzing Cloud Security
• Some key issues:
– trust, multi-tenancy, encryption, compliance
• Clouds are massively complex systems that can be reduced to simple primitives, replicated thousands of times, and common functional units
• Cloud security is a tractable problem
– There are both advantages and challenges
Former Intel CEO, Andy Grove: “only the paranoid survive”
General Security Advantages
• Shifting public data to an external cloud reduces the exposure of the internal sensitive data
• Cloud homogeneity makes security auditing/testing simpler
• Clouds enable automated security management
• Redundancy / Disaster Recovery

General Security Challenges
• Trusting vendor’s security model
• Customer inability to respond to audit findings
• Obtaining support for investigations
• Indirect administrator accountability
• Proprietary implementations can’t be examined
• Loss of physical control

Security Relevant Cloud Components
• Cloud Provisioning Services
• Cloud Data Storage Services
• Cloud Processing Infrastructure
• Cloud Support Services
• Cloud Network and Perimeter Security
• Elastic Elements: Storage, Processing, and Virtual Networks
Provisioning Service
• Advantages
– Rapid reconstitution of services
– Enables availability
• Provision in multiple data centers / multiple instances
– Advanced honeynet capabilities
• Challenges
– Impact of compromising the provisioning service

Data Storage Services
• Advantages
– Data fragmentation and dispersal
– Automated replication
– Provision of data zones (e.g., by country)
– Encryption at rest and in transit
– Automated data retention
• Challenges
– Isolation management / data multi-tenancy
– Storage controller
• Single point of failure / compromise?
– Exposure of data to foreign governments

Cloud Processing Infrastructure
• Advantages
– Ability to secure masters and push out secure images
• Challenges
– Application multi-tenancy
– Reliance on hypervisors
– Process isolation / Application sandboxes

Cloud Support Services
• Advantages
– On demand security controls (e.g., authentication, logging, firewalls…)
• Challenges
– Additional risk when integrated with customer applications
– Needs certification and accreditation as a separate application
– Code updates

Cloud Network and Perimeter Security
• Advantages
– Distributed denial of service protection
– VLAN capabilities
– Perimeter security (IDS, firewall, authentication)
• Challenges
– Virtual zoning with application mobility
Cloud Security Advantages (Part 1)
• Data Fragmentation and Dispersal
• Dedicated Security Team
• Greater Investment in Security Infrastructure
• Fault Tolerance and Reliability
• Greater Resiliency
• Hypervisor Protection Against Network Attacks
• Possible Reduction of C&A Activities (Access to Pre-Accredited Clouds)

Cloud Security Advantages (Part 2)
• Simplification of Compliance Analysis
• Data Held by Unbiased Party (cloud vendor assertion)
• Low-Cost Disaster Recovery and Data Storage Solutions
• On-Demand Security Controls
• Real-Time Detection of System Tampering
• Rapid Re-Constitution of Services
• Advanced Honeynet Capabilities

Cloud Security Challenges (Part 1)
• Data dispersal and international privacy laws
– EU Data Protection Directive and U.S. Safe Harbor program
– Exposure of data to foreign government and data subpoenas
– Data retention issues
• Need for isolation management
• Multi-tenancy
• Logging challenges
• Data ownership issues
• Quality of service guarantees

Cloud Security Challenges (Part 2)
• Dependence on secure hypervisors
• Attraction to hackers (high value target)
• Security of virtual OSs in the cloud
• Possibility for massive outages
• Encryption needs for cloud computing
– Encrypting access to the cloud resource control interface
– Encrypting administrative access to OS instances
– Encrypting access to applications
– Encrypting application data at rest
• Public cloud vs internal cloud security
• Lack of public SaaS version control

Additional Issues
• Issues with moving PII and sensitive data to the cloud
– Privacy impact assessments
• Using SLAs to obtain cloud security
– Suggested requirements for cloud SLAs
• Issues with cloud forensics
• Contingency planning and disaster recovery for cloud implementations
• Handling compliance
– FISMA
– HIPAA
– SOX
– PCI
– SAS 70 Audits
Secure Migration Paths for Cloud Computing

The ‘Why’ and ‘How’ of Cloud Migration
• There are many benefits that explain why to migrate to clouds
– Cost savings, power savings, green savings, increased agility in software deployment
• Cloud security issues may drive and define how we adopt and deploy cloud computing solutions

Balancing Threat Exposure and Cost Effectiveness
• Private clouds may have less threat exposure than community clouds, which have less threat exposure than public clouds.
• Massive public clouds may be more cost effective than large community clouds, which may be more cost effective than small private clouds.
• Don’t strong security controls mean that I can adopt the most cost effective approach?

Cloud Migration and Cloud Security Architectures
• Clouds typically have a single security architecture but have many customers with different demands
– Clouds should attempt to provide configurable security mechanisms
• Organizations have more control over the security architecture of private clouds, followed by community and then public
– This doesn’t say anything about actual security
• Higher sensitivity data is likely to be processed on clouds where organizations have control over the security model

Putting it Together
• Most clouds will require very strong security controls
• All models of cloud may be used for differing tradeoffs between threat exposure and efficiency
• There is no one “cloud”. There are many models and architectures.
• How does one choose?
Migration Paths for Cloud Adoption
• Use public clouds
• Develop private clouds
– Build a private cloud
– Procure an outsourced private cloud
– Migrate data centers to be private clouds (fully virtualized)
• Build or procure community clouds
– Organization wide SaaS
– PaaS and IaaS
– Disaster recovery for private clouds
• Use hybrid-cloud technology
– Workload portability between clouds

Possible Effects of Cloud Computing
• Small enterprises use public SaaS and public clouds and minimize growth of data centers
• Large enterprise data centers may evolve to act as private clouds
• Large enterprises may use hybrid cloud infrastructure software to leverage both internal and public clouds
• Public clouds may adopt standards in order to run workloads from competing hybrid cloud infrastructures

Cloud Computing and Standards

Cloud Standards Mission
• Provide guidance to industry and government for the creation and management of relevant cloud computing standards allowing all parties to gain the maximum value from cloud computing
NIST and Standards
• NIST wants to promote cloud standards:
– We want to propose roadmaps for needed standards
– We want to act as catalysts to help industry formulate their own standards
• Opportunities for service, software, and hardware providers
– We want to promote government and industry adoption of cloud standards

Goal of NIST Cloud Standards Effort
• Fungible clouds
– (mutual substitution of services)
– Data and customer application portability
– Common interfaces, semantics, programming models
– Federated security services
– Vendors compete on effective implementations
• Enable and foster value add on services
– Advanced technology
– Vendors compete on innovative capabilities

A Model for Standardization and Proprietary Implementation
[Figure, two layers: Advanced features (Proprietary Value Add Functionality) on top of Core features (Standardized Core Cloud Capabilities).]

Proposed Result
• Cloud customers knowingly choose the correct mix for their organization of
– standard portable features
– proprietary advanced capabilities

A proposal: A NIST Cloud Standards Roadmap
• We need to define minimal standards
– Enable secure cloud integration, application portability, and data portability
– Avoid over specification that will inhibit innovation
– Separately address different cloud models
Towards the Creation of a Roadmap (I)
• Thoughts on standards:
– Usually more service lock-in as you move up the SPI stack (IaaS->PaaS->SaaS)
– IaaS is a natural transition point from traditional enterprise datacenters
• Base service is typically computation, storage, and networking
– The virtual machine is the best focal point for fungibility
– Security and data privacy concerns are the two critical barriers to adopting cloud computing

Towards the Creation of a Roadmap (II)
• Result:
– Focus on an overall IaaS standards roadmap as a first major deliverable
– Research PaaS and SaaS roadmaps as we move forward
– Provide visibility, encourage collaboration in addressing these standards as soon as possible
– Identify common needs for security and data privacy standards across IaaS, PaaS, SaaS

A Roadmap for IaaS
• Needed standards
– VM image distribution (e.g., DMTF OVF)
– VM provisioning and control (e.g., EC2 API)
– Inter-cloud VM exchange (e.g., ??)
– Persistent storage (e.g., Azure Storage, S3, EBS, GFS, Atmos)
– VM SLAs (e.g., ??) – machine readable
• uptime, resource guarantees, storage redundancy
– Secure VM configuration (e.g., SCAP)

A Roadmap for PaaS and SaaS
• More difficult due to proprietary nature
• A future focus for NIST
• Standards for PaaS could specify
– Supported programming languages
– APIs for cloud services
• Standards for SaaS could specify
– SaaS-specific authentication / authorization
– Formats for data import and export (e.g., XML schemas)
– Separate standards may be needed for each application space

Security and Data Privacy Across IaaS, PaaS, SaaS
• Many existing standards
• Identity and Access Management (IAM)
– IdM federation (SAML, WS-Federation, Liberty ID-FF)
– Strong authentication standards (HOTP, OCRA, TOTP)
– Entitlement management (XACML)
• Data Encryption (at-rest, in-flight), Key Management
– PKI, PKCS, KEYPROV (CT-KIP, DSKPP), EKMI
• Records and Information Management (ISO 15489)
• E-discovery (EDRM)
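The slide lists HOTP and TOTP as the strong-authentication standards usable across IaaS, PaaS and SaaS without saying how they work. The following is an added example, not code from the NIST deck: a standard-library implementation of HOTP (RFC 4226) and TOTP (RFC 6238) checked against the RFC 4226 Appendix D test vectors, with a constant-time verifier that tolerates one time step of clock skew (the skew window and the verify_totp helper are this example's own choices).

```python
"""HOTP (RFC 4226) and TOTP (RFC 6238) one-time passwords."""
import hashlib
import hmac
import struct
import time
from typing import Optional

# RFC 4226 Appendix D reference secret and its 6-digit codes for
# counters 0..9 (published test vectors, not a real credential).
RFC4226_SECRET = b"12345678901234567890"
RFC4226_VECTORS = [755224, 287082, 359152, 969429, 338314,
                   254676, 287922, 162583, 399871, 520489]


def hotp(secret: bytes, counter: int, digits: int = 6,
         digestmod=hashlib.sha1) -> str:
    """HOTP(K, C) = Truncate(HMAC(K, C)) mod 10^digits, zero-padded."""
    if not 6 <= digits <= 8:
        raise ValueError("RFC 4226 requires 6 to 8 digits")
    # The counter C is an 8-byte big-endian integer.
    mac = hmac.new(secret, struct.pack(">Q", counter), digestmod).digest()
    # Dynamic truncation: the low nibble of the last MAC byte selects an
    # offset; take the 4 bytes there and clear the sign bit.
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: Optional[float] = None, step: int = 30,
         digits: int = 6, digestmod=hashlib.sha1) -> str:
    """TOTP = HOTP with counter = floor(unix_time / step) (RFC 6238)."""
    now = time.time() if at_time is None else at_time
    return hotp(secret, int(now // step), digits, digestmod)


def verify_totp(secret: bytes, candidate: str,
                at_time: Optional[float] = None, step: int = 30,
                skew: int = 1) -> bool:
    """Constant-time comparison of a submitted code against the current
    step and +/- `skew` neighbouring steps (assumed drift tolerance)."""
    now = time.time() if at_time is None else at_time
    base = int(now // step)
    return any(hmac.compare_digest(hotp(secret, base + d, len(candidate)), candidate)
               for d in range(-skew, skew + 1))


def check_rfc4226_vectors() -> bool:
    """True when counters 0..9 reproduce the RFC 4226 Appendix D codes."""
    return all(hotp(RFC4226_SECRET, c) == f"{expected:06d}"
               for c, expected in enumerate(RFC4226_VECTORS))


if __name__ == "__main__":
    print("RFC 4226 vectors OK:", check_rfc4226_vectors())
    print("Current 6-digit TOTP for the reference secret:", totp(RFC4226_SECRET))
```

Time 59 with a 30-second step is counter 1, so the 8-digit TOTP there equals the RFC 6238 vector 94287082 and the 6-digit one equals the HOTP counter-1 vector 287082.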
Cloud Computing Publications

Planned NIST Cloud Computing Publication
• NIST is planning a series of publications on cloud computing
• NIST Special Publication to be created in FY09
– What problems does cloud computing solve?
– What are the technical characteristics of cloud computing?
– How can we best leverage cloud computing and obtain security?

Part II: Cloud Resources, Case Studies, and Security Models

Thoughts on Cloud Computing

Thoughts on Cloud Computing
• Galen Gruman, InfoWorld Executive Editor, and Eric Knorr, InfoWorld Editor in Chief
– “A way to increase capacity or add capabilities on the fly without investing in new infrastructure, training new personnel, or licensing new software.”
– “The idea of loosely coupled services running on an agile, scalable infrastructure should eventually make every enterprise a node in the cloud.”

Thoughts on Cloud Computing
• Tim O’Reilly, CEO O’Reilly Media
• “I think it is one of the foundations of the next generation of computing”
• “The network of networks is the platform for all computing”
• “Everything we think of as a computer today is really just a device that connects to the big computer that we are all collectively building”

Thoughts on Cloud Computing
• Dan Farber, Editor in Chief CNET News
• “We are at the beginning of the age of planetary computing. Billions of people will be wirelessly interconnected, and the only way to achieve that kind of massive scale usage is by massive scale, brutally efficient cloud-based infrastructure.”
Core objectives of Cloud Computing
• Amazon CTO Werner Vogels
• Core objectives and principles that cloud computing must meet to be successful:
– Security
– Scalability
– Availability
– Performance
– Cost-effective
– Acquire resources on demand
– Release resources when no longer needed
– Pay for what you use
– Leverage others’ core competencies
– Turn fixed cost into variable cost

A “sunny” vision of the future
• Sun Microsystems CTO Greg Papadopoulos
– Users will “trust” service providers with their data like they trust banks with their money
– “Hosting providers [will] bring ‘brutal efficiency’ for utilization, power, security, service levels, and idea-to-deploy time” – CNET article
– Becoming cost ineffective to build data centers
– Organizations will rent computing resources
– Envisions grid of 6 cloud infrastructure providers linked to 100 regional providers

Foundational Elements of Cloud Computing
Foundational Elements of Cloud Computing
Primary Technologies
• Virtualization
• Grid technology
• Service Oriented Architectures
• Distributed Computing
• Broadband Networks
• Browser as a platform
• Free and Open Source Software
Other Technologies
• Autonomic Systems
• Web 2.0
• Web application frameworks
• Service Level Agreements

Consumer Software Revolution
Web 2.0
• Is not a standard but an evolution in using the WWW
• “Don’t fight the Internet” – CEO Google, Eric Schmidt
• Web 2.0 is the trend of using the full potential of the web
– Viewing the Internet as a computing platform
– Running interactive applications through a web browser
– Leveraging interconnectivity and mobility of devices
– The “long tail” (profits in selling specialized small market goods)
– Enhanced effectiveness with greater human participation
• Tim O’Reilly: “Web 2.0 is the business revolution in the computer industry caused by the move to the Internet as a platform, and an attempt to understand the rules for success on that new platform.”

Enterprise Software Revolution
Software as a Service (SaaS)
• SaaS is hosting applications on the Internet as a service (both consumer and enterprise)
• Jon Williams, CTO of Kaplan Test Prep on SaaS
– “I love the fact that I don’t need to deal with servers, staging, version maintenance, security, performance”
• Eric Knorr with Computerworld says that “[there is an] increasing desperation on the part of IT to minimize application deployment and maintenance hassles”
Three Features of Mature SaaS Applications
• Scalable
– Handle growing amounts of work in a graceful manner
• Multi-tenancy
– One application instance may be serving hundreds of companies
– Opposite of multi-instance where each customer is provisioned their own server running one instance
• Metadata driven configurability
– Instead of customizing the application for a customer (requiring code chang …