Cybersecurity Blueprints for Cloud Computing Donna F Dodson Division Chief, Computer Security Division Acting Director, National Cybersecurity Center of.
1 Cybersecurity Blueprints for Cloud Computing
Donna F Dodson, Division Chief, Computer Security Division; Acting Director, National Cybersecurity Center of Excellence

2
 The U.S. economy and U.S. citizens are heavily reliant on information technology (IT)
◦ No sector today could function without IT
◦ Energy, supply chain, finance, ecommerce, transportation, health care
 Although considerable progress has been made in improving cybersecurity capabilities to protect IT, there is much yet to be done
◦ Determine how to mitigate new threats and secure new technologies
 Cybersecurity needs to become more standards-based to further improve quality and efficiency. Cybersecurity also needs to become easier for people to adopt and use
◦ These changes would significantly reduce the cost of security implementation and management, as well as the economic impact of cybersecurity incidents

3
 NIST is responsible for developing standards and guidelines, including minimum requirements, that provide adequate information security for all agency operations and assets in furtherance of its statutory responsibilities under the Federal Information Security Management Act (FISMA) of 2002, Public Law , but such standards and guidelines shall not apply to national security systems.
 Under FISMA, NIST shall “conduct research, as needed, to determine the nature and extent of information security vulnerabilities and techniques for providing cost-effective information security.”
 NIST develops guidelines consistent with the requirements of the Office of Management and Budget (OMB) Circular A-130, Section 8b(3), Securing Agency Information Systems, as analyzed in A-130, Appendix IV: Analysis of Key Sections. Supplemental information is provided in A-130, Appendix III.
 In accordance with the Cyber Security Research and Development Act, the National Institute of Standards and Technology develops, and revises as necessary, checklists setting forth settings and option selections that minimize the security risks associated with each computer hardware or software system that is, or is likely to become, widely used within the Federal Government.
 Homeland Security Presidential Directive 7: “The Department of Commerce will work with private sector, research, academic, and government organizations to improve technology for cyber systems and promote other critical infrastructure efforts, including using its authority under the Defense Production Act to assure the timely availability of industrial products, materials, and services to meet homeland security requirements.”
 Homeland Security Presidential Directive 12: “The Secretary of Commerce shall promulgate in accordance with applicable law a Federal standard for secure and reliable forms of identification (the "Standard")”

4 Computer Security Division Core Focus Area
 Research, Development, and Specification
◦ Security Mechanisms (e.g. protocols, cryptography, access control, auditing/logging)
◦ Security Mechanism Applications
 Confidentiality
 Integrity
 Availability
 Authentication
 Non-Repudiation
 Secure System and Component Configuration
 Assessment and Assurance of Security Properties of Products and Systems

5
 Standards – FIPS, Internal Consensus, National Consensus
 Guidelines – NIST SPs and IRs
 Journal and Conference Papers
 Reference Materials
 Workshops and Conferences
 Consortia and Forums
 Training
 Reference Implementations and Demonstrations
 Tests and Tools
 Standards Development Organization Participation

6
Industry
- Accessing Expertise and Leveraging Resources
- Coordinating Standards and Initiatives
Academia
- Accessing Expertise and Leveraging Resources
- Representative Institutions and Consortia
International
- Formal Standards Groups
- Accessing Expertise and Leveraging Resources
Federal, State, and Local Government
- Interdepartmental
- Department of Commerce
- State and Local Governments

8 NIST Work in Cyber Security
 FISMA Phase II
◦ Continue to support the Joint Task Force Transformation Initiative (DoD, IC, NIST, CNSS) and support a unified information security framework
◦ Continue support for risk management and information security publications
◦ Potential privacy and threat appendixes for SP , Revision 3
◦ Work toward system and security engineering and application security guidelines
 US Government Configuration Baseline (USGCB)
◦ Standardized security configurations for operating systems and automated tools to test the configurations, improving security and saving IT security management resources
 Security Automation and Vulnerability Management
◦ Continue to develop tools and specifications that address situational awareness, conformity, vulnerability management, compliance, etc.

9 NIST Work in Cyber Security
 Virtualization
◦ Support for cloud special publication and standards activities to support security, portability and interoperability
 Key Management
◦ Foster the requirements of large-scale key management frameworks and designing key management systems
◦ Support transitioning of cryptographic algorithms and key sizes
 Next Generation Cryptography
◦ Open competition for new Hash algorithm
◦ Developing new, lightweight, quantum-resistant encryption for use in current and new technologies
◦ New modes of operation

10 NIST Work in Cyber Security
 Usability of Security
◦ Performing groundwork research to define factors that enable usability in the area of multifactor authentication and developing a framework for determining metrics that are critical to the success of usability
 Identity Management Systems
◦ Standards development work in biometrics, smart cards, identity management, and privacy framework
◦ R&D: Personal Identity Verification, Match-On-Card, ontology for identity credentials, development of a workbench
◦ ID Credential Interoperability
 Infrastructure support
◦ Continued support for Health IT, Smart Grid and Voting
 Standards Development Organizations
◦ IETF
◦ ANSI
◦ IEEE
◦ ISO

11
 Federal IT programs have a wide range of security requirements, among them:
◦ The Federal Information Security Management Act (FISMA) requirements, which include but are not limited to compliance with Federal Information Processing Standards and agency-specific policies
◦ Authorization to Operate requirements
◦ Vulnerability and security event monitoring, logging and reporting
 It is essential that the decision to apply a specific cloud computing model to support mission capability considers the above requirements

12
 Accelerate the Federal government’s adoption of cloud computing
◦ Build a USG Cloud Computing Technology Roadmap which focuses on the highest priority USG cloud computing security, interoperability and portability requirements
◦ Lead efforts to develop standards and guidelines in close consultation and collaboration with standards bodies, the private sector, and other stakeholders

13
SP Guidelines on Security and Privacy
SP Definition of Cloud Computing
SP CC Synopsis & Recommendations
SP CC Standards Roadmap
SP CC Reference Architecture
SP USG CC Technology Roadmap (Draft)

14 The NIST Cloud Definition Framework
Deployment Models: Community Cloud, Private Cloud, Public Cloud, Hybrid Clouds
Service Models: Software as a Service (SaaS), Platform as a Service (PaaS), Infrastructure as a Service (IaaS)
Essential Characteristics: Resource Pooling, Broad Network Access, Rapid Elasticity, Measured Service, On Demand Self-Service
Common Characteristics: Low Cost Software, Virtualization, Service Orientation, Advanced Security, Homogeneity, Massive Scale, Resilient Computing, Geographic Distribution
Based upon original chart created by Alex Dowbor

15 Draft NIST CC Reference Architecture
Actors: Cloud Consumer, Cloud Provider, Cloud Carrier, Cloud Auditor
Cloud Provider:
- Service Layer: IaaS, PaaS, SaaS
- Resource Abstraction and Control Layer
- Physical Resource Layer: Hardware, Facility
- Cloud Orchestration
- Cloud Service Management: Business Support, Provisioning/Configuration, Portability/Interoperability
Cloud Auditor: Security Audit, Privacy Impact Audit, Performance Audit
Service Intermediation, Service Aggregation, Service Arbitrage
Cross Cutting Concerns: Security, Privacy, etc.

16 Cloud Security Standards
 ISO/IEC JTC 1 Subcommittee 27 Cybersecurity
 Responsible for cloud computing security standards
 Early development stages
 ISO/IEC – Guidelines on information security controls for the use of cloud computing services based on ISO/IEC
 US International Committee for Information Technology Standards Technical Committee Cyber Security 1 (CS 1)
 U.S. Technical Advisory Group to SC 27
 Chaired by NIST

17 FEDRAMP
- Maintains Security Baseline including Controls & Continuous Monitoring Requirements
- Maintains Assessment Criteria
- Maintains Active Inventory of Approved Systems
- Independent Assessment: CSP must retain an independent assessor from FedRAMP accredited list of 3PAOs
- Provisional Authorization: Joint Authorization Board reviews assessment packages and grants provisional authorizations; Agencies issue ATOs using a risk-based framework
- Ongoing A&A (Continuous Monitoring): DHS – CyberScope Data Feeds; DHS – US CERT Incident Response and Threat Notifications; FedRAMP PMO – POA&Ms
Goals: Consistency and Quality; Trustworthy & Re-useable; Near Real-Time Assurance

18 National Cybersecurity Center of Excellence (NCCoE)
 Foster the rapid adoption and broad deployment of integrated cybersecurity tools and techniques that enhance consumer confidence in U.S. information systems
◦ Disseminate new principles and mechanics underlying security standards, metrics, and best practices for secure and privacy-preserving information technologies
◦ Develop and test methods for composing, monitoring, and measuring the security posture of computer and enterprise systems
◦ Achieve broad adoption of practical, affordable, and useful cybersecurity capabilities across the full range of commercial and government sectors

19 NCCoE Process (Planning Phase, then Implementation Phase)
Business Engagement & Problem Statement → Use Case → IT Industry Components Selection → Implement in Operational Environment

20 For Additional Information
- Computer Security Resource Center
- NIST Cloud Computing Program
- National Cybersecurity Center of Excellence
