Cloud Computing Technologies · 3/24/2014 · 100 Bureau Drive Mailstop 8930. Gaithersburg, MD USA...
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 1
Dr. Ron Ross, Computer Security Division
Information Technology Laboratory
Cloud Computing Technologies: Achieving Greater Trustworthiness and Resilience
Cloud Standards Customer Council Public Sector Cloud Summit
March 24, 2014
We are living in the golden age of information technology.
Ironically, the same information technology that has brought unprecedented innovation and prosperity to millions has now become a significant vulnerability for nation states, corporate entities, and individuals.
How do we provide for the common defense in the digital age?
Advanced Persistent Threat
An adversary that:
Possesses significant levels of expertise and resources.
Creates opportunities to achieve its objectives by using multiple attack vectors (e.g., cyber, physical, deception).
Establishes footholds within the IT infrastructure of targeted organizations to exfiltrate information; to undermine or impede critical aspects of a mission, program, or organization; and to position itself to carry out these objectives in the future.
Classes of Vulnerabilities
A 2013 Defense Science Board report described three tiers:
Tier 1: Known vulnerabilities.
Tier 2: Unknown vulnerabilities (zero-day exploits).
Tier 3: Adversary-created vulnerabilities (APT).
Two-thirds of these vulnerability classes are "off the radar" of most organizations…
We want to strengthen the underlying information technology infrastructure to achieve stronger, more resilient information systems, reducing the likelihood that cyber attacks will be successful and helping to ensure we can continue to carry out critical federal missions and business operations.
Complexity. Ground zero for our current problems…
If we can't understand it, we can't protect it…
Cloud Computing – Managing Complexity
Consolidate. Optimize. Standardize.
And the integration of information security requirements…
Reduces the size and complexity of IT infrastructures, promotes good information security and privacy, and can potentially lower costs (significantly) for organizations.
With cloud computing, you don’t have to own everything…
It is now possible to reduce the size of our digital footprint…
Cloud computing. Lower cost, more efficient services, better security…
On demand – scalable – dynamic.
Churning the IT infrastructure…
can eliminate malware.
What Cloud Gives Us
Less complicated IT infrastructure.
Less expensive IT infrastructure.
More efficient services for consumers.
More resilient IT infrastructure.
More effective risk-based information security.
One possible cloud approach.
Categorize information and systems, separating critical and sensitive data into domains.
Choose the best cloud model.
Private Cloud: High impact data
Moderate impact data
Public Cloud: Low impact data
Resilience. The only way to go for critical missions and information systems…
Dual Protection Strategies
Sometimes your information systems will be compromised even when you do everything right…
Boundary Protection
Primary Consideration: Penetration resistance.
Adversary Location: Outside defensive perimeter.
Objective: Repel the attack.
Agile Defense
Primary Consideration: Information system resilience.
Adversary Location: Inside defensive perimeter.
Objective: Operate while under attack, limit damage, survive.
Cloud Can Provide Agile Defense
Boundary protection is a necessary but not sufficient condition for Agile Defense.
Examples of Agile Defense measures:
Compartmentalization and segregation of critical assets.
Targeted allocation of security controls.
Virtualization and obfuscation techniques.
Encryption of data at rest.
Limiting privileges.
Routine reconstitution to a known secure state.
Bottom Line: Limit the damage of a hostile attack while operating in a (potentially) degraded or debilitated state…
Cloud Provides Defense-in-Depth
Adversaries attack the weakest link… where is yours?
Links in the Security and Privacy Chain: Security and Privacy Controls
Risk assessment; security planning, policies, procedures; configuration management and control; contingency planning; incident response planning; security awareness and training; security in acquisitions; physical and personnel security; security assessments and authorization; continuous monitoring; privacy protection.
Access control mechanisms; identification and authentication mechanisms (biometrics, tokens, passwords); audit mechanisms; encryption mechanisms; boundary and network protection devices (firewalls, guards, routers, gateways); intrusion protection/detection systems; security configuration settings; anti-viral, anti-spyware, anti-spam software; smart cards.
Cloud technologies can bring best practices to systems design and development.
The Federal Cyber Security Strategy…
Build It Right, Continuously Monitor
The Cyber Security Toolset
NIST Special Publication 800-39, Managing Information Security Risk: Organization, Mission, and Information System View
NIST Special Publication 800-30, Guide for Conducting Risk Assessments
NIST Special Publication 800-37, Applying the Risk Management Framework to Federal Information Systems
NIST Special Publication 800-53, Security and Privacy Controls for Federal Information Systems and Organizations
NIST Special Publication 800-53A, Guide for Assessing the Security Controls in Federal Information Systems and Organizations
For bridge builders, it's all about physics—Equilibrium, static and dynamic loads, vibrations, and resonance.
For information system developers, it's all about mathematics, computer science, architecture, and systems engineering—Trustworthiness, assurance, penetration resistance and resilience.
The national imperative for building stronger, more resilient information systems…
Software assurance.
Systems and security engineering.
Supply chain risk management.
Security should be a by-product of good design and development practices—cloud technologies can help.
Getting the attention of the C-Suite.
TACIT Security: Threat, Assets, Complexity, Integration, Trustworthiness
Merriam-Webster Dictionary: tac·it, adjective: expressed or understood without being directly stated
Threat
Develop a better understanding of the modern threat space, including the capability of adversaries to launch sophisticated, targeted cyber-attacks that exploit specific organizational vulnerabilities.
Obtain open source and/or classified threat briefings.
Include external and insider threat assessments.
Assets
Conduct a comprehensive criticality analysis of organizational assets, including information and information systems.
Use FIPS Publication 199 for mission/business impact analysis (triage).
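The FIPS 199 triage named here, and the "choose the best cloud model" step from the earlier "One possible cloud approach" slide, as an added Python example that is not part of the deck. It computes the FIPS 199 high-water mark for each system (per-objective maximum over its information types, floored at LOW because "not applicable" is only permitted for the confidentiality of an information type) and then reads the deployment model off the slide's spectrum; the system names, information types and impact values are constructed, and mapping MODERATE to a community or hybrid cloud is this example's assumption, not something the deck states.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

# FIPS 199 impact values in rank order. "NA" (not applicable) is permitted
# only for the confidentiality of an information type, never for a system.
RANK = {"NA": 0, "LOW": 1, "MODERATE": 2, "HIGH": 3}
OBJECTIVES = ("confidentiality", "integrity", "availability")

@dataclass(frozen=True)
class InfoType:
    """One information type with its provisional impact per security objective."""
    name: str
    confidentiality: str
    integrity: str
    availability: str

    def __post_init__(self) -> None:
        for obj in OBJECTIVES:
            level = getattr(self, obj)
            if level not in RANK:
                raise ValueError(f"{self.name}: bad impact {level!r} for {obj}")
            if level == "NA" and obj != "confidentiality":
                raise ValueError(f"{self.name}: NA is only allowed for confidentiality")

def system_category(types: Iterable[InfoType]) -> Dict[str, str]:
    """High-water mark: per objective, the maximum over all information types
    on the system, floored at LOW because NA is not allowed at system level."""
    items: List[InfoType] = list(types)
    if not items:
        raise ValueError("a system must carry at least one information type")
    category = {}
    for obj in OBJECTIVES:
        top = max((getattr(t, obj) for t in items), key=RANK.__getitem__)
        category[obj] = "LOW" if top == "NA" else top
    return category

def overall_impact(category: Dict[str, str]) -> str:
    """Overall impact level of the system: the highest of the three objectives."""
    return max(category.values(), key=RANK.__getitem__)

def cloud_model(level: str) -> str:
    """Deployment model read off the slide's spectrum. HIGH -> private cloud and
    LOW -> public cloud follow the slide; the MODERATE row is this example's
    assumption, not something the deck states."""
    return {"HIGH": "private cloud",
            "MODERATE": "community or hybrid cloud (assumed)",
            "LOW": "public cloud"}[level]

def triage(systems: Dict[str, Iterable[InfoType]]) -> Dict[str, Tuple[str, str]]:
    """Map every system in the inventory to (overall impact, deployment model)."""
    result = {}
    for name, types in systems.items():
        level = overall_impact(system_category(types))
        result[name] = (level, cloud_model(level))
    return result

# Constructed sample inventory (illustrative values, not from the deck).
SAMPLE_SYSTEMS = {
    "public-website": [InfoType("press releases", "NA", "LOW", "LOW")],
    "payroll": [InfoType("employee PII", "MODERATE", "MODERATE", "LOW"),
                InfoType("payment instructions", "MODERATE", "HIGH", "MODERATE")],
    "mission-ops": [InfoType("operations plans", "HIGH", "MODERATE", "MODERATE")],
}
```

Note that a single HIGH on any one objective of any one information type pulls the whole system to HIGH, which is why separating critical and sensitive data into their own domains keeps the rest of the estate eligible for cheaper deployment models.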
Complexity
Reduce the complexity of the information technology infrastructure, including IT component products and information systems.
Use enterprise architecture to consolidate, optimize, and standardize the IT infrastructure.
Employ cloud computing architectures to reduce the number of IT assets that need to be managed.
Integration
Integrate information security requirements and the security expertise of individuals into organizational development and management processes.
Embed security personnel into enterprise architecture, systems engineering, SDLC, and acquisition processes.
Coordinate security requirements with mission/business owners; become key stakeholders.
Trustworthiness
Invest in more trustworthy and resilient information systems supporting organizational missions and business functions.
Isolate critical assets into separate enclaves.
Implement solutions with greater strength of mechanism.
Increase developmental and evaluation assurance.
Use modular design, layered defenses, and component isolation.
Summary: TACIT Security
Understand the cyber threat space.
Conduct a thorough criticality analysis of organizational assets.
Reduce the complexity of the IT infrastructure.
Integrate security requirements into organizational processes.
Invest in the trustworthiness and resilience of IT components and systems.
Cybersecurity is the great challenge of the 21st century.
Cybersecurity problems are hard—not easy.
Cloud technologies can help…
Be proactive, not reactive when it comes to protecting your organizational assets.
The clock is ticking—the time to act is now.
Failure is not an option…when freedom and economic prosperity are at stake.
Contact Information
100 Bureau Drive, Mailstop 8930
Gaithersburg, MD USA 20899-8930
Project Leader: Dr. Ron Ross, (301) 975-5390
Administrative Support: Peggy Himes, (301)
Senior Information Security Researchers and Technical Support: Pat Toth, (301) 975-5140; Kelley Dempsey, (301); Arnold Johnson, (301) 975-3247
Web: csrc.nist.gov/sec-cert