CLOUD SECURITY
Since the COVID-19 lockdown imposed work from home, businesses have been pushed to hasten their adoption of the cloud and its services. Here are NIST's guides for cloud adoption:
NIST SP 500-291: Cloud Computing Standards Roadmap
NIST SP 500-292: NIST Cloud Computing Reference Architecture
NIST SP 500-293: US Government Cloud Computing Technology Roadmap Volume 1, High-Priority Requirements to Further USG Agency Cloud Computing Adoption
NIST SP 500-293: US Government Cloud Computing Technology Roadmap Volume II, Useful Information for Cloud Adopters (Draft)
NIST SP 500-293: US Government Cloud Computing Technology Roadmap Volume III, Technical Considerations for USG Cloud Computing Deployment Decisions (Draft)
NIST SP 800-144: Guidelines on Security and Privacy in Public Cloud Computing
NIST SP 800-145: The NIST Definition of Cloud Computing
NIST SP 800-146: Cloud Computing Synopsis and Recommendations (Draft)
Importance of Cloud Security
On the one hand, the convenience and low cost of cloud computing services have changed our daily lives. On the other hand, the security issues associated with cloud computing leave us vulnerable to the cybercrimes that happen every day.
Security is one of the most significant barriers to migrating to the cloud, followed by issues regarding compliance, privacy and legal matters.
Hackers can apply several techniques to gain access to our cloud without any legal authorization, and they can disrupt various services to achieve their objectives. They could even modify the cloud settings so that an illegal activity is treated as normal activity, and thus gain unauthorized access to data stored in the cloud.
Before migrating to the cloud, the sensitivity of the stored information needs to be weighed against the security and privacy risks incurred.
For example, the benefits of a cloud-based solution would depend on the cloud model, the type of cloud service considered, the type of data involved, the system's criticality/impact level, the cost savings, the service type, and any associated regulatory requirements.
Some Common Threats in Cloud
With cloud migration, we lose control over physical security. Thus, to understand how to protect our data, we must understand the types of attacks that could occur in our cloud.
Security Threats
- Browser Security
- Insecure Interfaces and Application Programming Interfaces (APIs)
- Cloud Malware Injection Attack
- Flooding Attacks
- Data Protection
- Incomplete Data Deletion
- Lock-In
Network Threats
- Denial of Service (DoS)
- Network Sniffing
- Man-in-the-Middle Attack
- Port Scanning
- Structured Query Language (SQL) Injection Attack
- Cross-Site Scripting (XSS)
NIST SP 500-299: NIST Cloud Computing Security Reference Architecture
Our objective is to study cloud security; thus, we will focus on the NIST Cloud Computing Security Reference Architecture.
The NIST Cloud Computing Security Reference Architecture model is derived from the following models:
01. NIST SP 500-292: NIST Cloud Computing Reference Architecture
02. NIST SP 800-37: Guide for Applying the Risk Management Framework to Federal Information Systems
01. NIST SP 500-292: NIST Cloud Computing Reference Architecture
The NIST Cloud Computing Security Reference Architecture is mainly derived from this model, as it provides an overall template description of the cloud architecture.
This model is a generic high-level conceptual model that is a powerful tool for discussing the requirements, structures, and operations of cloud computing.
This model is vendor-neutral: it is not tied to any specific vendor products, services, or reference implementation, nor does it define prescriptive solutions that restrict innovation.
It provides a blueprint to guide developers in the design of (cloud) services and applications, and defines a set of actors, activities, and functions that can be used in the process of developing cloud computing architectures.
ACTORS AND THEIR FUNCTIONS
Cloud Consumer: acquires and maintains a business relationship with, and uses services from, Cloud Providers.
Cloud Provider: the purveyor of services to Cloud Consumers.
Cloud Auditor: conducts independent assessment of cloud services, information system operations, performance and security of the cloud implementation.
Cloud Broker: an intermediary between Cloud Consumer and Cloud Provider; brokers hide the complexity of services or create new services.
Cloud Carrier: provides connectivity and transport of data and services between Cloud Consumers and Cloud Providers.
CONCEPTUAL REFERENCE MODEL
SERVICE MODELS
Software as a Service (SaaS)
Software as a Service provides consumers with a completed product that is run and managed by the service provider. In most cases, people referring to Software as a Service are referring to end-user applications. With a SaaS offering, consumers do not have to think about how the service is maintained or how the underlying infrastructure is managed; they only need to think about how they will use that particular piece of software. A common example of a SaaS application is web-based email, where you can send and receive email without having to manage feature additions to the email product or maintain the servers and operating systems that the email program runs on.
Platform as a Service (PaaS)
Platform as a Service removes the need for consumers to manage the underlying infrastructure and allows them to focus on the deployment and management of their applications. This helps consumers be more efficient, as they don't need to worry about resource procurement, capacity planning, software maintenance, patching, or any of the other undifferentiated heavy lifting involved in running an application.
PaaS consumers employ the tools and execution resources provided by cloud providers to develop, test, deploy, and manage the operation of PaaS applications hosted in a cloud environment.
Infrastructure as a Service (IaaS)
Infrastructure as a Service contains the basic building blocks for cloud IT and typically provides consumers access to networking features, computers (virtual or on dedicated hardware), and data storage space. It also provides consumers with the highest level of flexibility and management control over their IT resources and is most like the existing IT resources that many IT departments and developers are familiar with today.
CLOUD CONSUMER AND CLOUD PROVIDER
Service model | Consumer activities | Provider activities
IaaS | Creates/installs, manages, and monitors services for IT infrastructure operations. | Provisions and manages the physical processing, storage, networking, and the hosting environment and cloud infrastructure for IaaS consumers.
PaaS | Develops, tests, deploys, and manages applications hosted in a cloud system. | Provisions and manages cloud infrastructure and middleware for the platform consumers; provides development, deployment, and administration tools to platform consumers.
SaaS | Uses the application/service for business process operations. | Installs, manages, maintains, and supports the software application on a cloud infrastructure.
SERVICES AVAILABLE TO A CLOUD CONSUMER
CLOUD COMPUTING STANDARDS FOR SECURITY
As most cloud consumers and providers wish to accelerate the adoption of cloud computing and to advance the deployment of cloud services, solutions that cope with cloud security threats need to be addressed.
Many of the threats that cloud providers and consumers face can be dealt with through traditional security processes and mechanisms such as security policies, cryptography, identity management, intrusion detection/prevention systems, and supply chain vulnerability analysis. However, risk management activities must also be undertaken to determine how to mitigate the threats specific to different cloud models and to analyze existing standards for gaps that need to be addressed.
Securing the information systems and ensuring the confidentiality, integrity, and availability of the information being processed, stored, and transmitted are particularly relevant, as these are the high-priority concerns and present a higher risk of being compromised in a cloud computing system.
Having understood the basic cloud architecture and its service models, we now focus on the required cloud security standards.
Security is a responsibility shared between Cloud Consumer and Cloud Provider.
SECURITY STANDARDS MAPPING – Security Controls
SECURITY STANDARDS MAPPING – Authentication & Authorization
SECURITY STANDARDS MAPPING – Confidentiality
SECURITY STANDARDS MAPPING – Integrity & Availability
SECURITY STANDARDS MAPPING – Identity Management
SECURITY STANDARDS MAPPING – Security Monitoring & Incident Response
SECURITY STANDARDS MAPPING – Security Policy Management
02. NIST SP 800-37: Guide for Applying the Risk Management Framework to Federal Information Systems
This Guide covers the Risk Management Framework (RMF).
The Risk Management Framework
A risk management framework (RMF) is the structured process used to identify potential threats to an organization and to define the strategy for eliminating or minimizing the impact of these risks, as well as the mechanisms to effectively monitor and evaluate this strategy.
Before acquiring a cloud service, a Cloud Consumer needs to analyze the risk associated with the adoption of a cloud-based solution for an information system, and plan for the risk treatment and risk control activities associated with the cloud-based operations of this system. To do so, a Cloud Consumer needs to gain the perspective of the entire cloud ecosystem that will serve the operations of their cloud-based information system. Cloud Consumers must also apply the RMF in a customized way that allows them to:
- Perform a risk assessment
- Identify the best-fitting cloud architecture
- Select the most suitable cloud service
- Gain the necessary visibility into the cloud offering
- Define and negotiate the necessary risk treatment and risk control mitigations before finalizing the SLA and proceeding with the security authorization
Risk Management Framework steps
Step-wise Activities
Risk Assessment (analyze the cloud environment to identify potential vulnerabilities and shortcomings)
Step 1: Categorize the information system and the information processed, stored, and transmitted by that system based on a system impact analysis. Identify operational, performance, security, and privacy requirements.
Step 2: Select, based on the security categorization, the initial set of security controls for the information system (referred to as baseline security controls). Then tailor and supplement the baseline security control set based on the organizational assessment of risk and the conditions of the operational environment. Develop a strategy for the continuous monitoring of security control effectiveness. Document all the controls in the security plan. Review and approve the security plan.
Risk Treatment (design mitigation policies and plans)
Step 3: Implement the security controls and describe how the controls are employed within the information system and its environment of operation.
Step 4: Assess the security controls using appropriate assessment procedures as documented in the assessment plan. The assessment determines if the controls are implemented correctly and if they are effective in producing the desired outcome.
Step 5: Authorize information system operation based on the determined risk resulting from the operation of the information system and the decision that this risk is acceptable. The assessment is performed considering the risk to organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, and other organizations.
Risk Control (risk monitoring: surveying, reviewing events, identifying policy adjustments)
Step 6: Monitor the security controls in the information system on an ongoing basis, including assessing control effectiveness, documenting changes to the system or its environment of operation, conducting security impact analyses of these changes, and reporting the security state of the system to designated organizational officials.
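The six RMF steps above, carried through as a small Python model of a Cloud Consumer's side of the process; this is an added example, not code from the slides or from NIST. It applies the high-water-mark rule from FIPS 199 (which SP 800-37 relies on for Step 1 but the slides do not name); its baseline table, control selection and sample system are constructed for illustration and are not the SP 800-53 allocation.

```python
from dataclasses import dataclass, field
from enum import IntEnum


class Impact(IntEnum):
    """FIPS 199 impact levels; the ordering lets max() pick the high-water mark."""
    LOW = 1
    MODERATE = 2
    HIGH = 3


@dataclass
class InfoType:
    """One kind of information the system handles, with its C/I/A impact ratings."""
    name: str
    confidentiality: Impact
    integrity: Impact
    availability: Impact


def categorize(info_types):
    """Step 1: high-water mark over all information types, per objective and overall."""
    cat = {
        "C": max(t.confidentiality for t in info_types),
        "I": max(t.integrity for t in info_types),
        "A": max(t.availability for t in info_types),
    }
    cat["overall"] = max(cat.values())
    return cat


# Constructed, illustrative baselines. The IDs follow SP 800-53 naming, but this
# table is NOT the real allocation; SP 800-53B holds the authoritative one.
BASELINES = {
    Impact.LOW: {"AC-2", "AU-2", "IA-2", "SC-8"},
    Impact.MODERATE: {"AC-2", "AU-2", "IA-2", "SC-8", "CP-9", "SI-4"},
    Impact.HIGH: {"AC-2", "AU-2", "IA-2", "SC-8", "CP-9", "SI-4", "AU-12", "SC-7"},
}


@dataclass
class SecurityPlan:
    """Step 2 output: the tailored control set plus the reason for each tailoring."""
    level: Impact
    controls: set
    tailoring_log: list = field(default_factory=list)
    status: dict = field(default_factory=dict)  # control id -> assessment result


def select_and_tailor(level, supplement=(), remove=None):
    """Step 2: start from the baseline, supplement it, and remove only with a reason."""
    plan = SecurityPlan(level=level, controls=set(BASELINES[level]))
    for ctrl in supplement:
        plan.controls.add(ctrl)
        plan.tailoring_log.append(f"added {ctrl}: organizational risk assessment")
    for ctrl, reason in (remove or {}).items():
        if not reason:
            raise ValueError(f"dropping {ctrl} from the baseline requires a justification")
        plan.controls.discard(ctrl)
        plan.tailoring_log.append(f"removed {ctrl}: {reason}")
    return plan


def assess(plan, results):
    """Steps 3-4: record results; a selected control with no result is a finding too."""
    plan.status = {c: results.get(c, "not assessed") for c in plan.controls}
    return sorted(c for c, s in plan.status.items() if s != "effective")


def authorize(plan, accepted_residual=()):
    """Step 5: authorize only when every open finding is explicitly accepted as risk."""
    findings = {c for c, s in plan.status.items() if s != "effective"}
    blocking = sorted(findings - set(accepted_residual))
    return (not blocking, blocking)


def monitor(plan, current_info_types):
    """Step 6: a change in what the system processes can raise its category; if it
    does, the old authorization is stale and Steps 2-5 must be repeated."""
    now = categorize(current_info_types)["overall"]
    return {"previous": plan.level, "current": now, "reauthorize": now > plan.level}


def demo():
    # Constructed sample: an HR portal moving to SaaS with public notices and payroll data.
    types = [InfoType("public notices", Impact.LOW, Impact.LOW, Impact.LOW),
             InfoType("payroll records", Impact.MODERATE, Impact.MODERATE, Impact.LOW)]
    cat = categorize(types)
    plan = select_and_tailor(cat["overall"], supplement=("AC-17",),
                             remove={"CP-9": "backups are provider-run under the SLA"})
    # Assessment finds everything effective except system monitoring (SI-4).
    findings = assess(plan, {c: "effective" for c in plan.controls if c != "SI-4"})
    decision = authorize(plan)
    # Later the portal also stores medical leave records, so availability becomes HIGH.
    types.append(InfoType("medical leave", Impact.HIGH, Impact.MODERATE, Impact.HIGH))
    return cat["overall"], sorted(plan.controls), findings, decision, monitor(plan, types)


if __name__ == "__main__":
    for item in demo():
        print(item)
```

The point of the model is the coupling the slides describe: an unassessed control blocks authorization until it is accepted as residual risk, and a change in the data handled re-opens categorization rather than leaving the old authorization in place.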
This concludes our overview of cloud security standards and of the risk management requirements for implementing the cloud.
CREDITS: This presentation template was created by Slidesgo, including
icons by Flaticon, and infographics & images by Freepik.
Please keep this slide for attribution.
THANK YOU!

Cloud Security using NIST guidelines
