NIST Publishes Draft Cloud Computing Security Document for Comment
From NIST Tech Beat: June 11, 2013
Contact: Evelyn Brown
The National Institute of Standards and Technology (NIST) has published a draft document on security for cloud computing as used in the federal government. The public comment period runs through July 12, 2013.
In 2010, the Federal Chief Information Officer tapped NIST to play a major role in accelerating the adoption of cloud computing in the federal government. Since then, NIST has held meetings, started working groups and developed the U.S. Government Cloud Computing Technology Roadmap and other related guidance.
The 2011 NIST Cloud Computing Reference Architecture* provided a template and vocabulary for federal cloud adopters to follow for a consistent implementation of cloud-based applications across the government.
This new addition, the NIST Cloud Computing Security Reference Architecture,** contributes a comprehensive security model that supplements the NIST Cloud Computing Reference Architecture.
"The document's objective is to demystify the process of selecting cloud-based services that best address an agency's requirements in the most secure and efficient manner," explains Michaela Iorga, NIST Cloud Computing Security Working Group chair.
Using this model and an associated set of security components derived from the capabilities identified by the Cloud Security Alliance in its Trusted Cloud Initiative Reference Architecture, the NIST Cloud Computing Security Reference Architecture introduces a cloud-adapted Risk Management Framework for applications and/or services migrated to the cloud.
The Risk Management Framework*** helps federal organizations create a computer security plan based on an organization's risk tolerance and how critical and sensitive the information is in its computer system. A suite of NIST standards and guidelines supports response strategies. For example, a security plan may call for increased monitoring of selected components of a system that are at a higher risk of being breached.
"The Risk Management Framework has to be adapted when applying the risk-based approach to applications or systems migrated to the cloud because the implementation, assessment, authorization and monitoring of selected security controls may fall under the responsibility of different cloud 'actors;' for example, consumer, service provider or broker," says Iorga.
The NIST Cloud Computing Security Reference Architecture provides a case study that walks readers through steps an agency follows using the cloud-adapted Risk Management Framework while deploying a typical application to the cloud—migrating existing email, calendar and document-sharing systems as a unified, cloud-based messaging system.
The NIST Cloud Computing Security Reference Architecture was written by the NIST Cloud Computing Public Security Working Group to meet requirements set out in one of the priority action plans identified in the U.S. Government Cloud Computing Technology Roadmap.
*NIST Cloud Computing Reference Architecture, NIST Special Publication 500-292, is available at www.nist.gov/customcf/get_pdf.cfm?pub_id=909505.
**NIST Cloud Computing Security Reference Architecture, NIST Special Publication 500-299, is available at collaborate.nist.gov/twiki-cloud-computing/pub/CloudComputing/CloudSecurity/NIST_Security_Reference_Architecture_2013.05.15_v1.0.pdf.
***Guide for Applying the Risk Management Framework to Federal Information Systems, NIST Special Publication 800-37, is available at csrc.nist.gov/publications/nistpubs/800-37-rev1/sp800-37-rev1-final.pdf.