cloud computing technologies · 3/24/2014 · 100 bureau drive mailstop 8930. gaithersburg, md usa...

NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 1

Dr. Ron RossComputer Security Division

Information Technology Laboratory

Cloud Computing TechnologiesAchieving Greater Trustworthiness and Resilience

Cloud Standards Customer CouncilPublic Sector Cloud Summit

March 24, 2014


We are living in the golden age of information technology.

Ironically, the same information technology that has brought unprecedented innovation and prosperity to millions, has now become a significant vulnerability to nation states, corporate entities, and individuals.

How do we provide for the common defense in the digital age?


Advanced Persistent Threat

An adversary that — Possesses significant levels of expertise / resources. Creates opportunities to achieve its objectives by using

multiple attack vectors (e.g., cyber, physical, deception). Establishes footholds within IT infrastructure of targeted

organizations: To exfiltrate information; To undermine / impede critical aspects of a mission, program, or

organization; and To position itself to carry out these objectives in the future.


Classes of VulnerabilitiesA 2013 Defense Science Board Report described— Tier 1: Known vulnerabilities. Tier 2: Unknown vulnerabilities (zero-day exploits). Tier 3: Adversary-created vulnerabilities (APT).

Two-thirds of these vulnerabilityclasses are “off the radar” of

most organizations…


We want to strengthen the underlying information technology infrastructure to achieve stronger,

more resilient information systems—

Reducing the likelihood that cyber attacks will be successful and helping to ensure we can continue to carry out critical federal missions and business operations.


Complexity.Ground zero for our current problems…


If we can’t understand it –we can’t protect it…


Cloud Computing – Managing Complexity

Consolidate. Optimize. Standardize.

And the integration of information security requirements…

Reduces the size and complexity of IT infrastructures, promotes good information security and privacy, and can potentially lower costs (significantly) for organizations.


With cloud computing, you don’t have to own everything…

It is now possible to reduce the size of our digital footprint…


Cloud computing.Lower cost, more efficient services, better security…

On demand – scalable – dynamic.

Churning the IT infrastructure…

can eliminate malware.


What Cloud Gives Us Less complicated IT infrastructure. Less expensive IT infrastructure. More efficient services for consumers. More resilient IT infrastructure. More effective risk-based, information security.


One possible cloud approach. Categorize information and systems, separating critical and sensitive

data into domains. Choose best

cloud model.Private Cloud High impact data

Moderate impact data

Low impact dataPublic Cloud


Resilience.The only way to go for critical missions

and information systems…


Dual Protection StrategiesSometimes your information systems will be compromised even when you do everything right…

Boundary ProtectionPrimary Consideration: Penetration resistance.Adversary Location: Outside defensive perimeter.Objective: Repel the attack.

Agile DefensePrimary Consideration: Information system resilience.Adversary Location: Inside defensive perimeter.Objective: Operate while under attack, limit damage, survive.


Cloud Can Provide Agile Defense Boundary protection is a necessary but not sufficient

condition for Agile Defense. Examples of Agile Defense measures— Compartmentalization and segregation of critical assets. Targeted allocation of security controls. Virtualization and obfuscation techniques. Encryption of data at rest. Limiting privileges. Routine reconstitution to known secure state.

Bottom Line: Limit damage of hostile attack while operating in a (potentially)degraded or debilitated state…


Cloud Provides Defense-in-Depth

Adversaries attack the weakest link…where is yours?

Risk assessment Security planning, policies, procedures Configuration management and control Contingency planning Incident response planning Security awareness and training Security in acquisitions Physical and personnel security Security assessments and authorization Continuous monitoring Privacy protection

Access control mechanisms Identification & authentication mechanisms

(Biometrics, tokens, passwords) Audit mechanisms Encryption mechanisms Boundary and network protection devices

(Firewalls, guards, routers, gateways) Intrusion protection/detection systems Security configuration settings Anti-viral, anti-spyware, anti-spam software Smart cards

Links in the Security and Privacy Chain: Security and Privacy Controls


Cloud technologies can bring best practices to systems design and

development.


The Federal Cyber Security Strategy…

Build It Right, Continuously Monitor


The Cyber Security Toolset NIST Special Publication 800-39

Managing Information Security Risk:Organization, Mission, and Information System View

NIST Special Publication 800-30Guide for Conducting Risk Assessments

NIST Special Publication 800-37Applying the Risk Management Frameworkto Federal Information Systems

NIST Special Publication 800-53Security and Privacy Controls for FederalInformation Systems and Organizations

NIST Special Publication 800-53AGuide for Assessing the Security Controlsin Federal Information Systems and Organizations


For bridge builders, it's all about physics—Equilibrium, static and dynamic loads, vibrations, and resonance.


For information system developers, it's all about mathematics, computer science, architecture, and systems engineering—Trustworthiness, assurance, penetration resistance and resilience.


The national imperative for building stronger, more resilient information systems…

Software assurance.Systems and security engineering.

Supply chain risk management.


Security should be a by-product of good design and development practices—cloud technologies can help.


Getting the attention of the C-Suite.


Threat Assets Complexity Integration Trustworthiness

TACIT Security

MERRIAM-WEBSTER DICTIONARYtac.it adjective

: expressed or understoodwithout being directly stated


Threat Develop a better understanding of the modern

threat space, including the capability of adversaries to launch sophisticated, targeted cyber-attacks that exploit specific organizational vulnerabilities. Obtain open source and/or classified threat briefing. Include external and insider threat assessments.


Assets Conduct a comprehensive criticality analysis of

organizational assets including information and information systems. Use FIPS Publication 199 for mission/business impact

analysis (triage).


Complexity Reduce the complexity of the information technology

infrastructure including IT component products and information systems. Use enterprise architecture to consolidate, optimize, and

standardize the IT infrastructure. Employ cloud computing architectures to reduce the

number of IT assets that need to be managed.


Integration Integrate information security requirements and the

security expertise of individuals into organizational development and management processes. Embed security personnel into enterprise architecture,

systems engineering, SDLC, and acquisition processes. Coordinate security requirements with mission/business

owners; become key stakeholders.


Trustworthiness Invest in more trustworthy and resilient information

systems supporting organizational missions and business functions. Isolate critical assets into separate enclaves. Implement solutions with greater strength of mechanism. Increase developmental and evaluation assurance. Use modular design, layered defenses, component isolation.


Understand the cyber threat space. Conduct a thorough criticality analysis

of organizational assets. Reduce complexity of IT infrastructure. Integrate security requirements into

organizational processes. Invest in trustworthiness and resilience

of IT components and systems.

Summary – TACIT Security


Cybersecurity is the great challengeof the 21st century.

Cybersecurity problems are hard—not easy.

Cloud technologies can help…


Be proactive, not reactive when it comes to protecting your organizational assets.


The clock is ticking—the time to act is now.

Failure is not an option…when freedom and economic prosperity are at stake.


Contact Information100 Bureau Drive Mailstop 8930

Gaithersburg, MD USA 20899-8930

Project Leader Administrative SupportDr. Ron Ross Peggy Himes(301) 975-5390 (301) [email protected] [email protected]

Senior Information Security Researchers and Technical SupportPat Toth Kelley Dempsey (301) 975-5140 (301) [email protected] [email protected]

Arnold Johnson Web: csrc.nist.gov/sec-cert(301) 975-3247 [email protected] Comments: [email protected]

cloud computing technologies · 3/24/2014 · 100 bureau drive mailstop 8930. gaithersburg, md usa...

Documents