Jawaharlal Nehru technology Cloud Computing Recommendation Report
Compare between different formal Cloud definition? Based on stale and standards? (include the NIST definitions) Write briefly on Cloud Computing Recommendations suggested by NIST. What are the Key Security and Privacy Issues?
Note: You can refer the attached three documents as reference. Follow APA 7 format for references and in text citations.
Special Publication 800-144
Guidelines on
Security and Privacy
in Public Cloud Computing
Wayne Jansen
Timothy Grance
COMPUTER SECURITY
Computer Security Division
Information Technology Laboratory
National Institute of Standards and Technology
Gaithersburg, MD 20899-8930
December 2011
U.S. Department of Commerce
Rebecca M. Blank, Acting Secretary
National Institute of Standards and Technology
Patrick D. Gallagher, Under Secretary of Commerce for
Standards and Technology and Director
Reports on Computer Systems Technology
The Information Technology Laboratory (ITL) at the National Institute of Standards and
Technology (NIST) promotes the U.S. economy and public welfare by providing technical
leadership for the Nation’s measurement and standards infrastructure. ITL develops tests,
test methods, reference data, proof of concept implementations, and technical analysis to
advance the development and productive use of information technology.
ITL’s
responsibilities include the development of technical, physical, administrative, and
management standards and guidelines for the cost-effective security and privacy of sensitive
unclassified information in Federal computer systems. This Special Publication discusses
ITL’s research, guidance, and outreach efforts in computer security, and its collaborative
activities with industry, government, and academic organizations.
National Institute of Standards and Technology Special Publication 800-144
80 pages (December 2011)
Certain commercial entities, equipment, or materials may be identified in this
document in order to describe an experimental procedure or concept adequately.
Such identification is not intended to imply recommendation or endorsement by the
National Institute of Standards and Technology, nor is it intended to imply that the
entities, materials, or equipment are necessarily the best available for the purpose.
Abstract
Cloud computing can and does mean different things to different people. The common
characteristics most interpretations share are on-demand scalability of highly available and
reliable pooled computing resources, secure access to metered services from nearly anywhere,
and displacement of data and services from inside to outside the organization. While aspects of
these characteristics have been realized to a certain extent, cloud computing remains a work in
progress. This publication provides an overview of the security and privacy challenges pertinent
to public cloud computing and points out considerations organizations should take when
outsourcing data, applications, and infrastructure to a public cloud environment.
Keywords: Cloud Computing; Computer Security and Privacy; Information Technology
Outsourcing
Acknowledgements
The authors, Wayne Jansen of Booz Allen Hamilton and Tim Grance of NIST, wish to thank
colleagues who reviewed drafts of this document and contributed to its technical content, as well
as the individuals who reviewed the public-release draft of this document and provided
comments during the review period. In particular, Erika McCallister of NIST offered insight on
the subject of privacy as it relates to cloud computing, and Tom Karygiannis and Ramaswamy
Chandramouli, also from NIST, provided input on cloud security in early drafts. Thanks also go
to Kevin Mills and Lee Badger, who assisted with our internal review process. Key
improvements to this document would not have been possible without the feedback and valuable
suggestions of all these individuals.
Table of Contents
Executive Summary
1. Introduction
    1.1 Authority
    1.2 Purpose and Scope
    1.3 Audience
    1.4 Document Structure
2. Background
    2.1 Deployment Models
    2.2 Service Models
    2.3 Outsourcing and Accountability
3. Public Cloud Services
    3.1 Service Agreements
    3.2 The Security and Privacy Upside
    3.3 The Security and Privacy Downside
4. Key Security and Privacy Issues
    4.1 Governance
    4.2 Compliance
    4.3 Trust
    4.4 Architecture
    4.5 Identity and Access Management
    4.6 Software Isolation
    4.7 Data Protection
    4.8 Availability
    4.9 Incident Response
    4.10 Summary of Recommendations
5. Public Cloud Outsourcing
    5.1 General Concerns
    5.2 Preliminary Activities
    5.3 Initiating and Coincident Activities
    5.4 Concluding Activities
    5.5 Summary of Recommendations
6. Conclusion
7. References
Appendix A—Acronyms
Appendix B—Online Resources
Executive Summary
Cloud computing has been defined by NIST as a model for enabling convenient, on-demand
network access to a shared pool of configurable computing resources (e.g., networks, servers,
storage, applications, and services) that can be rapidly provisioned and released with minimal
management effort or cloud provider interaction [Mel11]. Cloud computing technologies can be
implemented in a wide variety of architectures, under different service and deployment models,
and can coexist with other technologies and software design approaches. The security challenges
cloud computing presents are formidable, including those faced by public clouds whose
infrastructure and computational resources are owned and operated by an outside party that
delivers services to the general public via a multi-tenant platform.
The emergence of cloud computing promises to have far-reaching effects on the systems and
networks of federal agencies and other organizations. Many of the features that make cloud
computing attractive, however, can also be at odds with traditional security models and controls.
The primary purpose of this report is to provide an overview of public cloud computing and the
security and privacy considerations involved. More specifically, this document describes the
threats, technology risks, and safeguards surrounding public cloud environments, and their
treatment. This document does not prescribe or recommend any specific cloud computing
service, service arrangement, service agreement, service provider, or deployment model. Each
organization is instead expected to apply the guidelines provided when performing its own
analysis of its requirements, and to assess, select, engage, and oversee the public cloud services
that can best fulfill those requirements.
The key guidelines from the report are summarized and listed below and are recommended to
federal departments and agencies.
Carefully plan the security and privacy aspects of cloud computing solutions before
engaging them.
Public cloud computing represents a significant paradigm shift from the conventional norms of
an organizational data center to a deperimeterized infrastructure open to use by potential
adversaries. As with any emerging information technology area, cloud computing should be
approached carefully with due consideration to the sensitivity of data. Planning helps to ensure
that the computing environment is as secure as possible and in compliance with all relevant
organizational policies and that privacy is maintained. It also helps to ensure that the agency
derives full benefit from information technology spending.
The security objectives of an organization are a key factor for decisions about outsourcing
information technology services and, in particular, for decisions about transitioning
organizational data, applications, and other resources to a public cloud computing environment.
Organizations should take a risk-based approach in analyzing available security and privacy
options and deciding about placing organizational functions into a cloud environment. The
information technology governance practices of the organizations that pertain to the policies,
procedures, and standards used for application development and service provisioning, as well as
the design, implementation, testing, use, and monitoring of deployed or engaged services, should
be extended to cloud computing environments.
To maximize effectiveness and minimize costs, security and privacy must be considered
throughout the system lifecycle from the initial planning stage forward. Attempting to address
security and privacy issues after implementation and deployment is not only much more difficult
and expensive, but also exposes the organization to unnecessary risk.
Understand the public cloud computing environment offered by the cloud provider.
The responsibilities of both the organization and the cloud provider vary depending on the
service model. Organizations consuming cloud services must understand the delineation of
responsibilities over the computing environment and the implications for security and privacy.
Assurances furnished by the cloud provider to support security or privacy claims, or by a
certification and compliance review entity paid by the cloud provider, should be verified
whenever possible through independent assessment by the organization.
Understanding the policies, procedures, and technical controls used by a cloud provider is a
prerequisite to assessing the security and privacy risks involved. It is also important to
comprehend the technologies used to provision services and the implications for security and
privacy of the system. Details about the system architecture of a cloud can be analyzed and used
to formulate a complete picture of the protection afforded by the security and privacy controls,
which improves the ability of the organization to assess and manage risk accurately, including
mitigating risk by employing appropriate techniques and procedures for the continuous
monitoring of the security state of the system.
Ensure that a cloud computing solution satisfies organizational security and privacy
requirements.
Public cloud providers’ default offerings generally do not reflect a specific organization’s
security and privacy needs. From a risk perspective, determining the suitability of cloud services
requires an understanding of the context in which the organization operates and the
consequences from the plausible threats it faces. Adjustments to the cloud computing
environment may be warranted to meet an organization’s requirements. Organizations should
require that any selected public cloud computing solution is configured, deployed, and managed
to meet their security, privacy, and other requirements.
Non-negotiable service agreements in which the terms of service are prescribed completely by
the cloud provider are generally the norm in public cloud computing. Negotiated service
agreements are also possible. Similar to traditional information technology outsourcing contracts
used by agencies, negotiated agreements can address an organization’s concerns about security
and privacy details, such as the vetting of employees, data ownership and exit rights, breach
notification, isolation of tenant applications, data encryption and segregation, tracking and
reporting service effectiveness, compliance with laws and regulations, and the use of validated
products meeting federal or national standards (e.g., Federal Information Processing Standard
140). A negotiated agreement can also document the assurances the cloud provider must furnish
to corroborate that organizational requirements are being met.
Critical data and applications may require an agency to undertake a negotiated service agreement
in order to use a public cloud. Points of negotiation can negatively affect the economies of scale
that a non-negotiable service agreement brings to public cloud computing, however, making a
negotiated agreement less cost effective. As an alternative, the organization may be able to
employ compensating controls to work around identified shortcomings in the public cloud
service. Other alternatives include cloud computing environments with a more suitable
deployment model, such as an internal private cloud, which can potentially offer an organization
greater oversight and authority over security and privacy, and better limit the types of tenants
that share platform resources, reducing exposure in the event of a failure or configuration error in
a control.
With the growing number of cloud providers and range of services from which to choose,
organizations must exercise due diligence when selecting and moving functions to the cloud.
Decision making about services and service arrangements entails striking a balance between
benefits in cost and productivity versus drawbacks in risk and liability. While the sensitivity of
data handled by government organizations and the current state of the art make the likelihood of
outsourcing all information technology services to a public cloud low, it should be possible for
most government organizations to deploy some of their information technology services to a
public cloud, provided that all requisite risk mitigations are taken.
Ensure that the client-side computing environment meets organizational security and privacy
requirements for cloud computing.
Cloud computing encompasses both a server and a client side. With emphasis typically placed
on the former, the latter can be easily overlooked. Services from different cloud providers, as
well as cloud-based applications developed by the organization, can impose more exacting
demands on the client, which may have implications for security and privacy that need to be
taken into consideration.
Because of their ubiquity, Web browsers are a key element for client-side access to cloud
computing services. Clients may also entail small lightweight applications that run on desktop
and mobile devices to access services. The various available plug-ins and extensions for Web
browsers are notorious for their security problems. Many browser add-ons also do not provide
automatic updates, increasing the persistence of any existing vulnerabilities. Similar problems
exist for other types of clients.
Maintaining physical and logical security over clients can be troublesome, especially with
embedded mobile devices such as smart phones. Their size and portability can result in the loss
of physical control. Built-in security mechanisms often go unused or can be overcome or
circumvented without difficulty by a knowledgeable party to gain control over the device.
Moreover, cloud applications are often delivered to them through custom-built native
applications (i.e., apps) rather than a Web browser.
The growing availability and use of social media, personal Webmail, and other publicly available
sites are a concern, since they increasingly serve as avenues for social engineering attacks that
can negatively impact the security of the client, its underlying platform, and cloud services
accessed. Having a backdoor Trojan, keystroke logger, or other type of malware running on a
client device undermines the security and privacy of public cloud services as well as other
Internet-facing public services accessed. As part of the overall cloud computing security
architecture, organizations should review existing security and privacy measures and employ
additional ones, if necessary, to secure the client side.
Maintain accountability over the privacy and security of data and applications implemented
and deployed in public cloud computing environments.
Organizations should employ appropriate security management practices and controls over cloud
computing. Strong management practices are essential for operating and maintaining a secure
cloud computing solution. Security and privacy practices entail monitoring the organization’s
information system assets and assessing the implementation of policies, standards, procedures,
controls, and guidelines that are used to establish and preserve the confidentiality, integrity, and
availability of information system resources.
The organization should collect and analyze available data about the state of the system regularly
and as often as needed to manage security and privacy risks, as appropriate for each level of the
organization (i.e., governance level, mission or business process level, and information systems
level) [Dem10]. Continuous monitoring of information security requires maintaining ongoing
awareness of privacy and security controls, vulnerabilities, and threats to support risk
management decisions. The goal is to conduct ongoing monitoring of the security of an
organization’s networks, information, and systems, and to res…