Presentation is loading. Please wait.

Presentation is loading. Please wait.

Cybersecurity Blueprints

Similar presentations

Presentation on theme: "Cybersecurity Blueprints"— Presentation transcript:

1 Cybersecurity Blueprints
for Cloud Computing Donna F Dodson Division Chief, Computer Security Division Acting Director, National Cybersecurity Center of Excellence

2 Background The U.S. economy and U.S. citizens are heavily reliant on information technology (IT) No sector today could function without IT Energy, supply chain, finance, ecommerce, transportation, health care Although considerable progress has been made in improving cybersecurity capabilities to protect IT, there is much yet to be done Determine how to mitigate new threats and secure new technologies Cybersecurity needs to become more standards-based to further improve quality and efficiency. Cybersecurity also needs to become easier for people to adopt and use These changes would significantly reduce the cost of security implementation and management, as well as the economic impact of cybersecurity incidents

3 NIST Responsibilities for Cybersecurity
NIST is responsible for developing standards and guidelines, including minimum requirements, that provide adequate information security for all agency operations and assets in furtherance of its statutory responsibilities under the Federal Information Security Management Act (FISMA) of 2002, Public Law , but such standards and guidelines shall not apply to national security systems. Under FISMA NIST shall “conduct research, as needed, to determine the nature and extent of information security vulnerabilities and techniques for providing cost-effective information security.” NIST develops guidelines consistent with the requirements of the Office of Management and Budget (OMB) Circular A-130, Section 8b(3), Securing Agency Information Systems, as analyzed in A-130, Appendix IV: Analysis of Key Sections. Supplemental information is provided in A-130, Appendix III. In accordance with the Cyber Security Research and Development Act, The National Institute of Standards and Technology develops, and revises as necessary, checklists setting forth settings and option selections that minimize the security risks associated with each computer hardware or software system that is, or is likely to become, widely used within the Federal Government. Homeland Security Presidential Directive 7; “The Department of Commerce will work with private sector, research, academic, and government organizations to improve technology for cyber systems and promote other critical infrastructure efforts, including using its authority under the Defense Production Act to assure the timely availability of industrial products, materials, and services to meet homeland security requirements.” Homeland Security Presidential Directive 12: “The Secretary of Commerce shall promulgate in accordance with applicable law a Federal standard for secure and reliable forms of identification (the "Standard")”

4 Computer Security Division
Core Focus Area Research, Development, and Specification Security Mechanisms (e.g. protocols, cryptographic, access control, auditing/logging) Security Mechanism Applications Confidentiality Integrity Availability Authentication Non-Repudiation Secure System and Component configuration Assessment and assurance of security properties of products and systems

5 Delivery Mechanisms Standards – FIPS, Internal Consensus, National Consensus Guidelines – NIST SPs and IRs Journal and Conference Papers Reference Materials Workshops and Conferences Consortia and Forums Training Reference Implementations and Demonstrations Tests and Tools Standards Development Organization Participation

6 Community Engagement Industry Academia International
Accessing Expertise and Leveraging Resources Coordinating Standards and Initiatives Academia Representative Institutions and Consortia International Formal Standards Groups Federal, State, and Local Government Interdepartmental Department of Commerce State and Local Governments n ●

7 Delivery Mechanisms Standards – FIPS, Internal Consensus, National Consensus Guidelines – NIST SPs and IRs Journal and Conference Papers Reference Materials Workshops and Conferences Consortia and Forums Training Reference Implementations and Demonstrations Tests and Tools Standards Development Organization Participation

8 NIST Work in Cyber Security
FISMA Phase II Continue to support the Joint Task Force Transformation Initiative (DoD, IC, NIST, CNSS) and support unified information security framework Continue support for risk management and information security publications Potential privacy and threat appendixes for SP , Revision 3 Work toward system and security engineering and application security guidelines US Government Configuration Baseline (USGCB) Standardized security configurations for operating systems and automated tools to test the configurations, improving security and saving IT security management resources Security Automation and Vulnerability Management Continue to develop tools and specifications that address situational awareness, conformity and vulnerability management compliance etc

9 NIST Work in Cyber Security
Virtualization Support for cloud special publication and standards activities to support security, portability and interoperability Key Management Foster the requirements of large-scale key management frameworks and designing key management systems Support transitioning of cryptographic algorithms and key sizes Next Generation Cryptography Open competition for new Hash algorithm Developing new, light weight, quantum resistant encryption for use in current and new technologies New modes of operation © Lisa F. Young/

10 NIST Work in Cyber Security
Usability of Security Performing groundwork research to define factors that enable usability in the area of multifactor authentication and developing a framework for determining metrics that are critical to the success of usability Identity Management Systems Standards development work in biometrics, smart cards, identity management, and privacy framework. R&D: Personal Identity Verification, Match-On-Card, ontology for identity credentials, development of a workbench ID Credential Interoperability Infrastructure support Continued support for Health IT, Smart Grid and Voting Standards Development Organizations IETF ANSI IEEE ISO © Peto Zvonar | © Graeme Dawes |

11 Federal Cloud Computing Strategy
Federal IT programs have a wide range of security requirements among them: The Federal Information Security Management Act (FISMA) requirements that include but are not limited to compliance with with Federal Information Processing Standards agency specific policies Authorization to Operate requirements Vulnerability and security event monitoring, logging and reporting It is essential that the decision to apply a specific cloud computing model support mission capability considers the above requirements

12 NIST Cloud Computing Program
Accelerate the Federal government’s adoption of cloud computing Build a USG Cloud Computing Technology Roadmap which focuses on the highest priority USG cloud computing security, interoperability and portability requirements Lead efforts to develop standards and guidelines in close consultation and collaboration with standards bodies, the private sector, and other stakeholders

13 NIST Cloud Computing Special Publications
SP Guidelines on Security and Privacy SP Definition of Cloud Computing SP CC Synopsis & Recommendations SP CC Standards Roadmap SP CC Reference Architecture SP USG CC Technology Roadmap Draft

14 The NIST Cloud Definition Framework
Hybrid Clouds Deployment Models Community Cloud Private Cloud Public Cloud Service Models Software as a Service (SaaS) Platform as a Service (PaaS) Infrastructure as a Service (IaaS) Resource Pooling Broad Network Access Rapid Elasticity Measured Service On Demand Self-Service Essential Characteristics Cloud diagram idea inspired by Maria Spinola Low Cost Software Virtualization Service Orientation Advanced Security Massive Scale Resilient Computing Homogeneity Geographic Distribution Common Characteristics Based upon original chart created by Alex Dowbor -

15 Draft NIST CC Reference Architect
Cloud Consumer Cloud Provider Cloud Orchestration Cloud Service Management Service Layer SaaS Service Intermediation Business Support Cloud Auditor PaaS IaaS Provisioning/ Configuration Service Aggregation Security Audit Resource Abstraction and Control Layer Privacy Impact Audit Physical Resource Layer Portability/ Interoperability Service Arbitrage Hardware Performance Audit Facility Cloud Carrier Cross Cutting Concerns: Security, Privacy, etc

16 Cloud Security Standards
ISO/IEC JTC 1 Subcommittee 27 Cybersecurity Responsible for cloud computing security standards Early development stages ISO/IEC – Guidelines on information security controls for the use of cloud computing services based on ISO/IEC US International Committee for Information Technical Standards Technical Committee Cyber Security 1 (CS 1) U.S. Technical Advisory Group to SC 27 Chaired by NIST

17 FEDRAMP Maintains Security Baseline including Controls & Continuous Monitoring Requirements Maintains Assessment Criteria Maintains Active Inventory of Approved Systems Ongoing A&A (Continuous Monitoring) Provisional Authorization Joint Authorization Board reviews assessment packages and grants provisional authorizations Agencies issue ATOs using a risk-based framework Independent Assessment CSP must retain an independent assessor from FedRAMP accredited list of 3PAOs DHS – CyberScope Data Feeds DHS – US CERT Incident Response and Threat Notifications FedRAMP PMO – POA&Ms Consistency and Quality Trustworthy & Re-useable Near Real-Time Assurance

18 National Cybersecurity Center of Excellence (NCCoE)
Foster the rapid adoption and broad deployment of integrated cybersecurity tools and techniques that enhance consumer confidence in U.S. information systems Disseminate new principles and mechanics underlying security standards, metrics, and best practices for secure and privacy-preserving information technologies Develop and test methods for composing, monitoring, and measuring the security posture of computer and enterprise systems Achieve broad adoption of practical, affordable, and useful cybersecurity capabilities across the full range of commercial and government sectors

19 NCCoE Use Case: Secure Cloud Policy Enforcement
Planning Phase Implementation Phase Business Engagement & Problem Statement Use Case IT Industry Components Selection Implement in Operational Environment

20 For Additional Information
Computer Security Resource Center NIST Cloud Computing Program National Cybersecurity Center of Excellence

Download ppt "Cybersecurity Blueprints"

Similar presentations

Ads by Google